You should map activities instead of information or data flows as a first step to complying with data protection laws (like the GDPR and the Protection of Personal Information Act (POPI Act)). Many of our clients are struggling with a similar issue when it comes to complying with data protection laws. For many, an obvious place to start is to make a list (or inventory) of:
- all the different specific types of personal information (for example email addresses, telephone numbers and bank account numbers) that you process,
- how much personal information you process, and
- where it is stored (in files in a safe, on files on your laptop, in the Cloud).
After all, data protection laws essentially put conditions in place for you to follow if you want to process personal information. Making a list of personal information seems like an obvious first step. Is it worth the effort? Is it possible to do? What will you do with the list? Is there a better way to spend valuable time and resources?
What types of personal information do we process?
The answer for most organisations is actually quite simple – lots of different types. For many organisations, much of the information that they process is personal information. For example, email addresses, telephone numbers, names. The list of types is infinitely long and you could simply carry on forever. Do you actually need to know all the different types you process?
The definition of personal information in the GDPR is “any information relating to an identified or identifiable natural person” and in the POPI Act is “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person”. So, any information that identifies a person is personal information. Any information that by itself or together with other information identifies me is my personal information. If the information does not identify me, it is not my personal information. In most organisations, most information is linked to a person and is, therefore, personal information.
The POPI Act then goes on to provide a list of some types of personal information. Not all, but some. It covers more than your name, telephone number, and address. For example, it deals with your financial, employment and criminal history. It also includes “a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. It also deals with the issue of any correspondence that the company might send its data subject and whether it will be classified as personal information or not. There are many other types of personal information that are not provided as examples. If you are going to make a list of the types of personal information you process, you cannot stick to the examples POPI gives; you need to cover all of them.
How much information do we process?
Once you have established the different kinds of personal information you process, you could ask how much of it you process. For example, how many email addresses do we have? Twenty? Fifty thousand? Does it really matter? Maybe: the more you process, the bigger the risks.
Where will we find it?
Everywhere. This is what makes data protection compliance hard. The personal information you process is not going to be separate from your other information neatly in one place (like on just one server). The personal information is going to be amongst all your other information – little bits of it all over the place. In your CRM, your employee records, etc. To document where personal information sits, you will have to document where all information sits.
You will find personal information all over the place in organisations. It is in all the records, in all the systems, in all the departments. It is important to know if personal information crosses the borders of one country into another country.
Is mapping data flows worth it?
In my view, no. It is not worth making a specific list of personal information. It might be worth having a high-level general view, but to get to a level of detail is too hard and costly. And probably impossible to do accurately.
It is a virtually impossible task to inventory all your personal information
This might be a task worth undertaking if you had all the human resources to document all personal information. But it is going to take a lot of time and could be very costly. You also have to ask yourself what you are going to do with the lists. How is it helpful to know that you process lots of all kinds of personal information and that it is everywhere? Not very.
Special Personal Information and personal information concerning Children
But there are two important exceptions: special personal information and personal information concerning children. You should know whether you process any special personal information. Special personal information is:
- religious or philosophical beliefs,
- race or ethnic origin,
- trade union membership or political persuasion,
- health, sex life or sexual orientation,
- genetic or biometric information for the purpose of uniquely identifying a natural person,
- criminal behaviour.
(This list combines the POPI Act's categories with the extra categories of special personal information that the GDPR adds.)
You should know whether you process personal information concerning a child (under 18 years in South Africa and 16 in the EU).
You can only process these kinds of personal information if the law authorises you to do so. So, you do need a list (or inventory) of these kinds of personal information as well as mapping activities relating to the processing of this information. You also need to know when you are processing account numbers.
It’s better to map activities
In our view, it makes much more sense to map activities. By map we mean unpack, document, list or make an inventory of your activities where you process personal information. The concept of an activity related to the processing of personal information runs like a golden thread throughout data protection laws. You should map activities (and not information) when you are complying with data protection laws. An example of an activity is direct electronic marketing (like email and SMS). The context of the activity for which personal information is being processed is always relevant and important.
An activity is a key concept and is the essence of assessing and complying with data protection law in my view. Most organisations have only about twenty or so activities related to personal information. For this reason, it becomes a lot easier to map your activities. It doesn’t take nearly as much time. And in any case, it becomes easier to assess the impact of data protection law on these activities.
Information or data is meaningless without the context of the activity that relates to it. A list of the personal information that you process only gives you half of the picture. You will be lost without the activity that relates to it. What role do you perform in regard to that personal information? Are you the controller (responsible party) or the processor (operator)? Who is the data subject? What is the purpose that relates to the personal information? In what manner do you process it?
If you map activities, you can implement data protection law in a practical manner. It is not only a better way of doing it but also a quicker and therefore cheaper way of doing it. It also enables you to initially focus on just one activity that really impacts on your bottom line. If you focus on activities and not information, it will help you achieve your project objectives.
Actions you can take:
- Map your activities using our mappers, which we can provide to you.
- Record your activities in an Activities Map. We can give you a template.
- Learn how to map activities by attending one of our workshops or joining our Data Protection Compliance Programme.
- Ask us to map your activities for you, which may include doing private workshops.