Best Practices Flashcards
Data Inventory Best Practices
Data mapping involves taking inventory and knowing the full scope of your data. The process of taking a data inventory may seem daunting, but it will ultimately streamline incident response. Creating a thorough data map efficiently requires asking the right questions, such as: Do we know what we have? How long are we keeping it? Where are we keeping it? Why are we keeping it? Who has access to it? Has the data been classified? Who is responsible for the data?
Using the infographic below, Jonathan identifies key considerations when data mapping. He highlights the need to take the proper steps to verify the policies in place to protect your data. This includes steps to verify what you have and how you’re protecting it, through various points such as a data classification policy, data loss protection (DLP) tools, a data retention policy and a data use policy.
Data mapping supports compliance with and adherence to critical GDPR requirements, such as:
Maintenance of the data lifecycle;
Documentation that records are kept in accordance with the rules of GDPR, for submission to the regulatory and supervisory authorities;
Maintaining accountability for the data across the full data lifecycle;
Evidence for the organization that the data is protected throughout its full lifecycle.
The organization must record and maintain the data flow: where, how and for what purpose the data is accessed, stored, transmitted and processed. The record must contain the following:
a) The name and address of the controller, any joint controller, their representatives and the Data Protection Officer;
b) The purpose of the data processing activity;
c) A description of the categories of personal data and of data subjects;
d) Information on the disclosure of the personal data of EU data subjects, within the EU and outside it, to any country or organization;
e) The transfer of data within the EU and outside the EU to any country or organization, where applicable;
f) Management of the data after the necessary work is complete: whether it is to be stored, retained or erased as per the agreement;
g) Technical information and other organizational controls that govern the data, where possible.
Data mapping identifies the data flow: from where the data flows and to where, how the information is disclosed and to whom, and how the information is accessed, stored, transmitted and processed. The aim is to identify any misuse of data and to safeguard it. The data flow includes the controller, the processor, any sub-processors and the customers.
A data map must include the following essential elements:
The data (e.g., personal data such as name, address, phone number and social security number)
The processor and the controller (from which organization the data originates and who processes it)
Formats of data (database, hard copy, etc.)
Data transfer technique (e.g., airmail, email, websites)
Venue (e.g., data center, office, cloud or sub-processor)
The data flow map must outline the full lifecycle of the data and the person who holds accountability for the data at any given point in time.
How To Data Map
Know the fundamental questions that the organization needs to address:
What is the nature of the private data that is collected? Does it contain sensitive private details?
Which organization is collecting and using the data? Is the data sent to a processor or sub-processor?
If data is transferred to a processor or sub-processor, where are they located? Is the data hosted in the processor’s or sub-processor’s country, outside the EU?
How long is the data retained, and how and when is it collected?
For what purpose is the data collected, and how is it used?
Data mapping and its advantages
Data mapping helps not only the organization but also the regulatory body, and it is significant during a breach. The advantages of data mapping are as follows:
GDPR: Data mapping supports compliance with and adherence to some critical GDPR requirements, such as:
Maintenance of the data lifecycle
Records kept in accordance with the rules of GDPR, for submission to the regulatory and supervisory authorities.
Maintaining accountability for the data across the full data lifecycle.
Evidence for the organization that the data is protected throughout its full lifecycle.
Other advantages:
Improvements in various areas of the IT systems and business processes, by regulating data flows across the data lifecycle.
Mitigation of data breach events through data protection.
Keeping records helps the organization track compliance and discover breach events at minimized cost.
Helps with data lifecycle management and with maintaining the procedures, policies and rules required by GDPR.
Data mapping is essential for the organization's compliance with the GDPR, for streamlining data flows, for the general maintenance of data lifecycle management, and for simplifying the business and IT systems. It is also helpful to the regulatory body or supervisory authority, and it mitigates both the occurrence and the impact of a breach.
Data mapping is an activity that requires help from various functions of the organization. A few dedicated staff are needed to streamline and maintain the data flow and to maintain compliance with the requirements. This is an important exercise, and the essentials of what it achieves are as follows:
The importance of the PII managed by the organization across the entire lifecycle of the information or data.
Where is the data stored: on tapes, servers, desktops, SharePoint or databases?
Who is responsible for the data at the various times and stages of the data lifecycle?
Who has the privilege to access the information or data?
Don’t forget to consider the data touch points and system interfaces, along with the processors and sub-processors.
The best way to start is to talk to every person holding data and to every function or division head who is accountable for the data. For example, HR may hold data on candidates and staff of the organization, which most likely contains PII. This information needs to be secured. The CRM may hold data on key customers and may also contain PII. Functions may hold data such as social security numbers, credit card numbers and other sensitive PII.
All of this data may be accessed, stored, transmitted and processed in one way or another, and there will be many data touch points in the IT systems. Look for weak controls and loopholes in the policies, establish who owns the data, and consider how a breach or similar event can be mitigated. One by one, write down what the data lifecycle is and who is accountable for which sensitive data.
Once the data mapping exercise is complete, you will have a great deal of information on the data flow, on who owns what, and on any vulnerabilities. For example, HR systems may be accessed by IT professionals, who then have access to sensitive HR data. Do the IT teams have the necessary privileges to access the HR data, and does the HR team know about it? Also, do we have consent from the organization's staff to process the data or to transmit it to a partner organization?
Similarly, CRM and operations data may be accessed by the sales team in order to sell products or services. Do the CRM and operations teams know that another group, such as the sales team, is accessing their data? These are some of the things we need to work on.
Now you will have complete information on the data flow, on the data touch points such as the IT systems, and on who owns or is accountable for the sensitive data.
After this exercise you will also have the required amount of information, and you can start planning and putting controls in place wherever they are needed across the organization.
A risk assessment is a mandatory part of every GDPR process. However, GDPR does not define what constitutes a risk assessment or what the definition of risk is.
This is because the GDPR applies to a wide variety of organizations that hold data, big or small. That is why the description of risk assessment is vague; it is called a Data Protection Impact Assessment, or risk assessment in general.
We need to adopt a risk-based approach to align ourselves with GDPR requirements. Any risk identified by a risk assessment, an audit, a vulnerability assessment or any other incident must be defined, mitigated and reviewed periodically.
You can maintain records such as a risk profile or risk register and a risk assessment report, produced on a regular basis.
Under the GDPR we need to maintain a record of all the risks the organization has assessed on the data flow and IT systems. Risk assessment is simply a risk-based approach: identify risks, mitigate them by putting the necessary controls in place, and then review the risks on a periodic basis.
There are various risk assessment frameworks, such as ISO 31000 and ISO 27005. GDPR does not specify which risk framework or structure to adopt; the choice of risk assessment framework and methods is the organization's own decision.
A risk assessment methodology is either qualitative or quantitative. Please refer to the risk assessment template to learn more about this.
GDPR Article 30 Data Inventory
Article 30 requires the following details to be documented:
The name and address of the stakeholders, namely the data protection officer, the joint controller, the controller and their representatives;
The purpose of the data processing activity;
A description of the categories of private data and of the persons concerned;
Information on the transfer of the personal data of EU individuals, to and from the EU, to a country or organization;
Data transmission within and outside the EU to a country or organization, where appropriate;
Data management after the necessary work is complete, whether stored or deleted as per the agreement;
Information on technical controls, and on those of other organizations, that regulate the data, wherever possible.