Data Protection: Demystifying Data Mapping

This is a summary taken from Judicium’s Data Protection ‘Sofa Session’ from the 8th May, with our Data Protection Consultant Jessica Gant. This session focused on what is data mapping, data mapping or RoPA, updates on data mapping with DPD and how to carry out a data map.

What is Data Mapping? 

Data mapping is a way of documenting the types of information an organisation may hold. Think of it as the “who, what, why, and where” of data protection.

This task is often seen as a dauntingly long task, especially when there so many other things which may be seen as more important.

Poll 1

Legal responsibility

For us to gain an understanding of data mapping, it is important for us to understand “The Accountability Principle” of the UK GDPR.

“The accountability principle requires you to demonstrate that your organisation processes personal data in line with the UK GDPR.”  

This consists of an organisation doing things such as keeping logs of breaches and requests, carrying out DPIA’s, and also maintaining a record of processing activities. These are all ways you are complying with the accountability principle.  

Under the UK GDPR it is a legal requirement to log your data if you have more than 250 employees. If you have fewer than 250 employees, you only need to document your processing activities that:

• are not occasional.
• could result in a risk to the rights and freedoms of individuals.
• would involve processing special categories of data or criminal convictions and offence data. 

In schools and trusts there will be a lot of personal data being processed on a frequent basis, therefore it is important for you to document your processing activities.

Even if the school has less than 250 employees, if there are lots of children who attend the school, a data map would be necessary.  

What are the benefits of Data Mapping?

Taking stock of what information you have, where it is and what you do with it makes it much easier for you to improve your information governance and comply with other aspects of data protection law (For instance, when you are reviewing your privacy notice and ensuring you are keeping personal data secure).

• It can enable you to recognise all the places where personal data is collected, stored and accessed – this can ensure that all of the data you collect is “appropriate” and that you are storing data appropriately.
• It helps with organisation – keeping track of what data you collect.
• As the location of all data is documented, it helps with subject access requests (SARs), e.g., ensuring you have searched all the appropriate locations to find the data.

NB: A data map should be a live document. This should be updated whenever you change how you process personal data. If you implement a new third-party supplier, detail this within your data map.

Data Mapping or RoPA?

For those who have annual data audits, you may have heard reference to a data map, or a “record of processing activities” (RoPA). It is important for us to distinguish between the two.  Strictly speaking both are very similar and essentially, they are the same thing.

Data Map
A data map tends to be a map of how you process personal data. It is very visual and the easiest way to see exactly what data you hold.

RoPA
A record of processing activities is a record of how you process personal data. Often this looks like an extended privacy notice.  
Within your Record of Processing Activities, you should include:

• Your organisations name and contact details.
• The purposes of the processing.
• A description of the categories of individuals and of personal data.
• The categories of recipient.
• Details of transfers to third countries, including a record of the transfer mechanism safeguards in place.
• Retention schedules.
• A description of the technical and organisational security measures in place.

A ROPA is basically an internal record of all processing activities carried out by any processors on behalf of your organisation.

You should ensure that your ROPA includes, or links to documentation covering:

• Information required for privacy notices, such as the lawful basis for the processing and the source of the personal data.
• Records of consent.
• Controller-processor contracts.
• The location of personal data.
• DPIA reports of third parties used.
• Records of personal data breaches.
• Information required for processing special category data or criminal conviction and offence data under the Data Protection Act 2018 (DPA 2018).
• Retention and erasure policy documents.

Tips once implemented

1. Regularly review the processing activities and types of data you process.
2. Review the data to see if you can minimise the data you hold.
3. Review the data to see if you are holding duplicates – do you need both paper and electronic versions of files?

How to carry out a data map

Data maps can look far more complicated than they actually are. They can often be huge spreadsheets full of information. However, if this is broken down, they are much more simple. 

When you are carrying out the mapping, first you need to look at what maps are required.

At Judicium we do this by splitting the categories of information: 

• alumni
• school management and pupil data
• finance
• staffing / human resources
• governors and trustees
• school clubs
• volunteers and visitors

NB: You could also have an option on your mapping system to include “others” – which might apply, for example, if you have a public gym onsite.  

We would recommend that you record: 

1. The name and contact details of your organisation.
   • Where applicable, of other controllers, your representative, and your data protection officer.
2. The purposes of your processing.
   • E.g. To help you recruit a new member of staff.
3. A description of the categories of individuals and categories of personal data.
   • E.g. Name, address, qualifications.
4. The categories of recipients of personal data.
   • E.g. The local authority and various members of staff in the school.
5. Details of your transfers to third countries including documenting the transfer mechanism safeguards in place.
   • E.g. Background checks via a company outside the EU.
6. Retention schedules.
   • How long you are keeping information on the applicant for?
7. A description of your technical and organisational security measures
   • How you are keeping this information?

Tips on carrying out a data map

1. Keep the data map up to date and assign annual reviews as part of your data protection responsibilities.
2. Speak to staff – they will be able to help make an accurate picture of your processing activities.

NB: Some schools create a shared document and send out the forms to all staff members to assist with this process while other schools gather the individuals who are responsible for different types of data. For example finance managers, HR managers, to complete those sections of the data map.

Data Protection and Digital Information Bill

The new Data Protection and Digital Information Bill is at the committee stage in the House of Lords.

There is a potential for this to receive royal assent this year, and when that happens, we will know the implementation timetable.

The biggest change which is applicable to Data Mapping, is that this bill is going to restrict the obligation to have records of processing in place, and it will now only be relevant to high-risk processing. However, as a school you are still processing lots of high-risk data, i.e. children’s personal data.

Top Tips:

1. Use your privacy notice like a skeleton outline to get started.
2. Utilise your retention policy to assist with your data map - this will detail how long you should be storing personal data.
3. Rely on your DPO, who can guide you through the process.
4. Just dive in and start it –“Don’t get it right, get it written.” – sometimes just getting the information on paper can really help.

Additional Info

Judicium also offer a range of GDPR e-learning  training designed for schools. You can see current course availability here.

You can find information regarding our School Data Protection Officer (DPO) service here.

If you’d like to review Judicium’s forthcoming Sofa Sessions please click here

Jedu is Judicium's online GDPR compliance tracking software for schools. Our platform is suitable for single schools to large MATs and is designed to assist schools with two critical needs: To enable trustees, Governors and other SLT to monitor GDPR compliance; and to assist you managing your data protection.

If you would like more information on how we can support you or more information regarding Jedu, please get in touch with us.

If you require any support in any of these steps or would like to talk to someone surrounding some support for your school, please do not hesitate to call us on 0345 548 7000 or email georgina.decosta@judicium.com.

 Follow us on Twitter: @DPOforSchools and @JudiciumEDU

© This content is the exclusive property of Judicium Education. The works are intended to provide an overview of the sofa session you attend and/or to be a learning aid to assist you and your school. However, any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our express written permission, distribute or exploit the content. Failure to follow this guidance may result in Judicium either preventing you with access to our sessions and/or follow up content.