Governance, Risk Management, and Compliance blog

GDPR Compliance: You do not need to carry out an exhaustive dataflow analysis

[fa icon="calendar"] Wednesday, 28 June 2017 / by Jakob Holm Hansen

- Registering your data processing activities is enough.

Are you busy preparing for the GDPR, but getting stuck carrying out a dataflow analysis? Then you need to read this: When it comes to complying with the GDPR, a comprehensive and detailed dataflow analysis is not necessary or mandatory!

It is uncertain where the speculation started, but at some point, people started talking about the necessity of performing lengthy dataflow analyses to be compliant with the GPDR. 

Likely, this resulted from an embellishment of the regulation requirements, and somehow it seems to have stuck around. The fact is - the Data Protection Regulation does not explicitly mention nor require you to carry out a dataflow analysis! It does however state that you need to “maintain a record” of your relevant “processing activities”. One could argue semantics here, but it is easy to see where exaggerations and embellishments can be easily introduced. 

Sign up for a free 30 day trial of Secure GDPR

A Dataflow Analysis Can Quickly Turn into a Never Ending Undertaking

A holistic dataflow analysis is a complete map of the data moving throughout your entire IT infrastructure, including how data flows through and between all applications, processes, and systems, sometimes down to the very last detail.

If your organisation has even just a small IT infrastructure, delving into its dataflows can easily become a complex project. It is not uncommon for example, for local governments to use hundreds of different systems. And because a dataflow is “live”, analyses need to be continuously updated meaning that you need to restart before even finishing.

Registering Data Processing Activities - an Achievable Task

For some systems or processes, a data-flow analysis may be required for specific reasons. However, since the EU GDPR does not explicitly require a dataflow analysis, why spend unnecessary time and effort doing so?

On the other hand, maintaining a record of relevant data processing activities is an achievable task. Ultimately, the aim is to keep an up today log of recording relevant data processing activities.  This is to ensure that you know what personal data is collected, why you need to collect and use it, and where it is being processed and stored.

It’s imperative to do what is necessary

We prefer a pragmatic approach, and generally recommend that you follow what is necessary for GDPR compliance regulations. It is too easy to over-complicate and over analyzing things, and lose sight of what is required. As such, since GDPR is an ongoing process, and not a once off endeavor, it makes more sense to start with understanding and registering your processing activities at a high level, and revisiting and refining these later. This will allow more time and energy to be spent on all the other aspects required for GDPR compliance, which is not very far away.

Checklist of Processing Activities

The GDPR Article 30 “Records of processing activities” details the requirements for compliance, for both the “Controller” and “Processor”. Briefly, as a Data Controller, the record of processing activities must contain the following information:

  • Name and contact details of the Data Controller, and if applicable, Data Protection Officer.
  • Description of the purpose of Processing the data
  • Description of the categories of personal data, and categories of data subjects
  • Description of the categories of recipients that will see the data, including recipients in third countries or international organisations, and if applicable, documentation of safeguards
  • Details, where possible, of the time limits for erasure of different categories of data
  • Description, where possible, of the technical and organisational security measures in place to protect data.

And as a Data Processor, the record of processing activities must contain the following information:

  • Name and contact details of the Data Processor of each Controller, and if applicable, Data Protection Officer.
  • Description of the categories of processing carried out for each Controller
  • Description of the categories of recipients that will see the data, including recipients in third countries or international organisations, and if applicable, documentation of safeguards
  • Description, where possible, of the technical and organisational security measures in place to protect data.

Furthermore, it's important to keep in mind that the regulation isn’t designed to introduce a massive workload and doesn’t in itself require a comprehensive analysis of data streams. As long as you stick to what's necessary, you'll be well on your way to being compliant when the GDPR comes into force next year.

Not sure how to get started?

Download our Guide to complying with GDPR where we provide you with seven steps that lead to GDPR compliance - the first of which is registering your processing activities!

Emner: eu general data protection regulation, GDPR

GRC blog

The NorthGRC blog offers advice and knowledge of effective information security management, security strategies, risk management, compliance with information security standards and other requirements, business continuity planning, ISO2700x, EU Data Protection Regulation, PCI DSS, etc.

Popular Posts