You should map activities (instead of information, data flows or processes) as a first step to complying with data protection laws (like the GDPR and the Protection of Personal Information Act (POPI Act)). The law requires larger organisations to create a record of their processing activities. For many, an obvious place to start is to make a list (or inventory) of:

  • all the different specific types of personal data (for example email addresses, telephone numbers and bank account numbers) that you process,
  • how much personal information you process, and
  • where it is stored (in files in a safe, in files on your laptop, in a system, or in the Cloud).

After all, data protection law essentially puts principles in place for you to follow if you want to process personal data. Making a list of personal data seems like an obvious first step. Mapping activities is worth the effort. Is it possible to do?

Outcomes you can achieve

What types of personal information do we process?

The answer for most organisations is actually quite simple – lots of different types. For many organisations, much of the information that they process is personal information. For example, email addresses, telephone numbers, names. The list of types is infinitely long and you could simply carry on forever. Do you actually need to know all the different types you process?

The definition of personal information in the GDPR is “any information relating to an identified or identifiable natural person” and in the POPI Act is “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person“. So, any information that identifies a person is personal information. Any information that by itself or together with other information identifies me, is my personal information. If the information does not identify me, it is not my personal information. In most organisations, most information is linked to a person and is, therefore, personal information.

It then goes on to provide a list of some types of personal information. Not all, but some. It covers more than your name, telephone number, and address. For example, it deals with your financial, employment, and criminal history. It also includes “a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person“. It also deals with the issue of any correspondence that the company might send its data subject and whether it will be classified as personal information or not. There are many other types of personal information that are not provided as examples. If you are going to make a list of the types of personal information you process you cannot stick to the examples POPI gives, you need to do all of them.

How much information do we process?

Once you have established the different kinds of personal information you process, you could ask how much of it do we process. For example, how many email addresses do we have? Twenty? Fifty thousand? Does it really matter? Maybe, the more you process, the bigger the risks.

Where will we find it?

Everywhere. This is what makes data protection compliance hard. The personal information you process is not going to be separate from your other information neatly in one place (like on just one server). The personal information is going to be amongst all your other information – little bits of it all over the place. In your CRM, your employee records, etc. To document where personal information sits, you will have to document where all information sits. You will find personal information all over the place in organisations. It is in all the records, in all the systems, in all the departments. It is important to know if personal information crosses the borders of one country into another country.

Is mapping data flows worth it?

It depends. Having a complete and accurate data inventory and data flow map is the ideal position to be in. Especially if you need these for business requirements in addition to the regulatory requirements. Data protection law requires larger organisations to have a record of processing activities and not necessarily an inventory or map of the personal data you process. Having an inventory or map of all your data, including personal data, can be very useful. The problem is that this can take time and be a costly exercise especially if you are using people to do it.

It is a virtually impossible task to inventory of all your personal data without using software 

You also have to ask yourself what you are going to do with the inventory and map? You should be clear on what outcome you are seeking to achieve. Two questions you can ask yourself:

  1. Has our organisation already done this exercise in another territory or for another purpose?
  2. What data protection software are we going to use to do this?

Special personal information and personal information concerning children

But there are two important exceptions that are special personal information and personal information concerning children. You should know whether you process any special personal information. Special personal information is:

  • religious or philosophical beliefs,
  • race or ethnic origin,
  • trade union membership or political persuasion,
  • health, or sex life or sexual orientation,
  • genetic or biometric information for the purpose of uniquely identifying a natural person,
  • criminal behaviour

(bold indicates the extra categories of special personal information in the GDPR)

You should know whether you process personal information concerning a child (under 18 years in South Africa and 16 in the EU).

You can only process these kinds of personal information if the law authorises you to do so. So, you do need a list (or inventory) of these kinds of personal information as well as mapping activities relating to the processing of this information. You also need to know when you are processing account numbers.

It’s better to Map Activities

In our view, it makes much more sense to map activities. By map we mean unpack, document, list or make an inventory of your activities where you process personal data. The concept of an activity related to the processing of personal data runs like a golden thread through data protection laws. You should map activities (and not data or processes) when you are complying with data protection laws. An example of an activity is direct electronic marketing (like email and SMS). The context of the activity for which personal data is being processed is always relevant and important.

An activity is a key concept and is the essence of assessing and complying with data protection law. Most organisations have only about fifty or so activities related to personal data. For this reason, it becomes a lot easier to map your activities. It doesn’t take nearly as much time. And in any case, it becomes easier to assess the impact of data protection law (and analyse the gap) on these activities.

Information or data is meaningless without the context of the activity that relates to it. A list of the personal data that you process only gives you half of the picture. You will be lost without the activity that relates to it. What role do you perform regards that personal data? Are you the controller (responsible party) or the processor (operator)? Who is the data subject? What is the purpose that relates to the personal data? What is the manner in which you process?

If you map activities, you can implement data protection law in a practical manner. It is not only a better way of doing it but also a quicker and therefore cheaper way of doing it. It also enables you to initially focus on just one activity that really impacts your bottom line. If you focus on activities and not data, it will help you achieve your project objectives.