The amount of personal data dissemination that goes on today is astounding. When I sign up for Spotify and I want to use my Facebook login for ease, Spotify receives my contact info, who my friends are, my location, and probably loads of other stuff. And Facebook receives my music tastes, which to some (ahem, me) is basically their soul.
According to GDPR, this rampant data spread has gone on unchecked long enough! Like a neighborhood vigilante, GDPR mandates that companies know exactly where they get data from, to whom they send it, and what they do with it internally. Say hello to data flow mapping! It’s like playing Six Degrees of Separation, but with people’s birthdays and embarrassing middle school photos.
What’s this thing, then?
Perhaps obviously (although nothing is very “obvious” about GDPR), data flows are the ways data is given to, sent from, and used within your organization—you know, how data “flows” around you. Ask yourself:
- How is the personal data we receive collected?
- Who is accountable for this data?
- What is the physical location of the data?
- Who can access this info, and is this data disclosed to anyone else?
There are plenty more things you should be aware of, but, you know, I’m not a lawyer. A lawyer (specifically one specializing in GDPR) is good to have around when you’re hashing this out. In essence, you need to know as much as you can—within reason—about the data your organization is accumulating.
And how on earth am I supposed to do that?
Well, there’s data mapping for that. This is a good first step to take when doing a GDPR audit as it provides a comprehensive overview of all your data flows. It also allow you to visualize more clearly the directional flow of information surrounding your business. The final product might look something like this:
Once you have this in place, you can clearly visualize the ways data is being used. As GDPR’s goal in life is to protect people from organizations that might be inappropriately using personal data, this map is immensely integral to preparing yourself for GDPR compliance. If your organization doesn’t know where it’s getting emails and locations of your users from, how can you know if you are getting this data in a legal and compliant way?
What is Kentico doing with data flow mapping?
Quite a bit! We realized we needed to figure out where to start for ourselves before we launched into fixing things for Kentico 11. To prepare, we went through a data flow audit with our own GDPR lawyers, running through our fictional coffee company Dancing Goat’s website.
After that, we discussed Kentico’s departments and figured out the type of data we were (and are) collecting, most of which comes through forms, some through analytics. We then attempted to answer the questions mentioned above—who is responsible for the data, where we keep it, etc.—as well as figure out whether or not we have any license to process it, be it via a contract, legitimate user interest, expressed consent, or some other vehicle for compliance. And when creating our own data flow map, our documentation for Kentico 11 came in really handy. It was able to save both our and our lawyers’ time (and, of course, we saved money).
And even though our audit is not completed yet, it has still eaten up a lot of our time and resources. Mapping everything from scratch will take ages, so it’s great to be able to have resources that help you figure out where to start. (Here’s hoping more resources like this from vendors begin popping up soon!)
This Is Super Complicated
Can’t argue with you there. That’s why our developers are working crazy hard to make sure Kentico 11 will help make this a lot less complicated for our users so the job is easier on your end. For example, we can stop the spread of submitted data (let’s say an email address) across your entire website if a visitor only wants to download a brochure from you. That data won’t be used anywhere else on your website.
As a CMS vendor, we want to make sure our clients are getting the most help we can deliver to prepare for GDPR. We’re preparing our Documentation to be ready to help you out with whatever you need. It’ll be able to provide you with the basics of how to use our features to get the data you need, and it will certainly save you time and money.
But as I said, neither I nor our developers are GDPR lawyers, and it would make your life infinitely less crazed to consult one when it comes to data flow mapping (and anything GDPR related, for that matter). Digital agencies will need to help their end-clients, and both end-clients and digital agencies need to be GDPR compliant in this area.
You’re Sure I Need to Do This?
Sorry, but yes. Article 30 of GDPR states that records of data processing activities must be made and kept. But really, look on the bright side—having these records helps you a great deal, as well. Now you know every detail about your users’ data. Does something seem nonsensical or maybe even unnecessary? With your data flow map, you can more easily streamline these processes or change them or even delete them altogether.
Let’s say you find out that one of your online forms asks for 10 different attributes of your visitors for the purpose of…well, nothing. Maybe you just use the email address to send them a newsletter, but you have no personalization or segmentation in place. Well, in that case, you might consider using the “data minimization” principle and collect only necessary data. In the end, you may find out that you get better conversion rates on your form, and you will also simplify data flow (and also may not require extra consents from your visitors).
You’ll also get a clearer understanding of how personal data is used across your company. It seems daunting, surely. But you do benefit at the end of the day.
Have you and your company already started data mapping? (Wow!) Do you have any advice on how others might start preparing? What is the biggest hurdle you’re facing when it comes to data mapping? Share your thoughts in the comments below! The topic of GDPR is one that is dear to our hearts. Check out some of the critical points you should be addressing here.
DISCLAIMER: All data and information provided in this blog post are for informational purposes only. Kentico makes no representations as to the accuracy, completeness, currentness, suitability, or validity of any information contained herein. We recommend consulting with a lawyer for any legal advice pertaining to GDPR compliance.