DPO: The A-Z of Data Mapping
This is a summary taken from Judicium’s GDPR ‘Sofa Session’ from the 13th of October, with our GDPR expert Jessica Gant LLB (Hons). This session was centred around: what is data mapping, why it is important, the 250 rule and how you should record your processing activities.
What Is Data Mapping?
Just the word or concept leaves many baffled. In essence data mapping is a way of documenting your record of processing. It is a visual representation of the data acquired in the process of maintaining records on things such as processing purposes, data sharing, and data retention. It is the easiest way to build a comprehensive image of all the data you hold and share in your school.
It is also a way you can demonstrate your accountability. The accountability principle requires you to demonstrate that your organisation processes personal data in line with the UK GDPR.
The Legal Requirement - 'The 250 Rule'
It is a legal requirement to document your processing activities. If you have over 250 employees, you need to document ALL of your processing activities.
If you have fewer than 250 employees, you only need to document processing activities that:
- Are not occasional
- Could result in a risk to the rights and freedoms of individuals
- Would involve processing special categories of data or criminal convictions and offence data
For schools the situation is slightly more complicated. Although a school may only employ 100 staff, it may process 400 students’ data. As that data processing is frequent, we recommend documenting all the data processing to fulfil the legal requirement.
It is always difficult to see the audit as more than a tick box exercise. However, if you can set some time aside for an audit, the potential savings are huge! Most DPOs will work with whatever you can offer, whether that’s thirty minutes or a few hours.
What Does a Data Map Look Like?
For larger scale processing, we always recommend you carry out a data map. This doesn’t need to be complicated. The data map shows a record of your processing activities.
To better understand this, we’ll use an example of the data a school might hold for a job applicant.
For this example, the map consists of:
- The name and contact details of your organisation and, where applicable, of other controllers, your representative and your data protection officer.
- The purposes of your processing e.g., to help you recruit a new member of staff.
- A description of the categories of individuals and categories of personal data.
- The categories of recipients of personal data.
- Details of your transfers to third countries including documenting the transfer mechanism safeguards in place e.g., background checks via a company outside the EU.
- Retention schedules, meaning how long you are keeping information on the applicant for.
- A description of your technical and organisational security measures.
Your DPO and SLT are responsible for managing the data map and ensuring it remains current. Your data map is not a single-use document: it should be reviewed and updated regularly.
The more detail you include, the better you can look at understanding your systems.
For MATs, we recommend every school within the MAT does a data map. These data maps are passed on to the MAT to form a complete account of the data processes taking place.
How Will a Data Map Help Your School?
A data map helps schools manage their data. It also provides proof for audits that you are meeting your UK GDPR requirements.
More specifically it can help in these areas:
- Responding to SARs – Your data map will make subject access requests much easier.
- Taking stock of processing activities – It makes it easier to address other matters under the UK GDPR, such as ensuring the data you hold is relevant, up to date and secure.
- It provides staff with collective involvement and accountability.
- It helps identify gaps, especially prior to an audit.
- It can determine who has access to data and whether there are any security issues e.g., accessing data on own devices.
- It demonstrates you have put some thought into how you use an individual’s data.
Top Tips: How to Start Your Data Map?
- Start with an information audit.
- Utilise a group exercise to see the who, what, why and where of data in your school. You can do this by sending a form out to staff members to establish exactly what they are doing in the classroom. For instance, a member of staff might be using a specific maths revision tool.
- You can use this as a team bonding exercise.
- This exercise will help you find out exactly what information you hold.
- Use your privacy notice like a skeleton outline.
- Utilise your retention policy to assist with your data map.
- Rely on your DPO, who can guide you through the process.
- Just dive in and start it – “Don’t get it right, get it written.”
Jedu is Judicium's online GDPR compliance tracking software for schools. Our platform is suitable for single schools to large MATs and is designed to assist schools with two critical needs: to enable trustees, governors and other school leaders to monitor GDPR compliance; and to assist you in managing your data protection.