The ICO exists to empower you through information.

Control measure: A data flow mapping exercise is undertaken to document the data that flows in, around, and out of information processing systems or services.

Risk: Without an understanding of what personal information is being processed, by whom and where, and who it is being shared with, there is a risk of a data breach happening that is uncontrolled or unseen. Information may be lost, misplaced or processed unlawfully. This may breach UK GDPR articles 5(1)(f), 5(2), and 32.

Ways to meet our expectations:

  • Complete a comprehensive information audit across all areas or departments.
  • Produce an information flow map based on the information audit.
  • Repeat the information audit and review the information flow map regularly to capture changes.
  • Log details about information assets in an information asset register.
  • Assign responsibilities for maintaining and amending the information asset register.

Options to consider:

  • Use a system that automatically prompts key staff or managers to update details about their information flows.
  • Procure software that maps information flows through IT systems automatically.
  • Assign a named staff member in each area or department to carry out and complete information audits and update details.

Control measure: An inventory or asset register is in place which includes details of records held, the information they contain, the format, and their value.

Risk: Without an inventory or asset register, personal information may be processed without awareness of it or without controls being applied. This may breach UK GDPR articles 5(1)(f), 5(2), and 32.

Ways to meet our expectations:

  • Have a controlled inventory or register of all records.
  • Keep the inventory or register updated.
  • Audit the inventory or register regularly to ensure it is accurate.
  • Use the inventory or register to inform records management practices.

Options to consider:

  • Use online forms to capture all relevant information about records.

Control measure: The record of processing activities (ROPA) includes details of all processing, informed by data flow mapping exercises.

Risk: Without a ROPA, personal information may be processed without controls in place to meet the requirements of the law. This may breach UK GDPR article 30.

Ways to meet our expectations:

  • Update the ROPA if there are any changes to the inventory or register of information flows to ensure details match.
  • Document the purpose, categories of people, and categories of personal information, for each processing activity in your ROPA and whether you are a controller, joint controller or processor.
  • Document the lawful basis, and additional conditions, if required, for each processing activity in your ROPA.
  • Document the source of personal information you process, where and how you store it, and the retention period, for each processing activity in your ROPA.
  • Document the technical and organisational security measures for each processing activity in your ROPA.
  • Document the recipients of shared information, and safeguards and adequacy decisions if information is transferred internationally, for each processing activity in your ROPA.
  • Include links to other relevant information (eg consent logs, third-party contracts, data protection impact assessments (DPIA), and personal data breach reports).

Options to consider:

  • Use required fields in your ROPA to ensure you hold complete details for each processing activity.
  • Use a privacy management solution that links your ROPA, information inventories or registers, DPIAs, records of consent, controller–processor contracts and the personal data breach log, so information is easily accessible.
  • Use a system that automatically prompts key staff or managers to update details about their processing activities.