Are you busy preparing for the GDPR but getting stuck with a data flow analysis? Then you need to read this: When it comes to complying with the GDPR, a comprehensive, detailed dataflow analysis is neither necessary nor mandatory!
It is unclear where the speculation began, but at some point people began discussing the need to perform lengthy dataflow analyses to comply with the GDPR.
Likely, this resulted from an embellishment of the regulatory requirements, and it somehow seems to have stuck around. The fact is that the General Data Protection Regulation does not explicitly mention or require a dataflow analysis. It does, however, state that you need to "maintain a record" of your relevant "processing activities". One could argue semantics here, but it is easy to see how exaggerations and embellishments creep in.
A holistic dataflow analysis is a complete map of the data moving throughout your entire IT infrastructure, including how data flows through and between all applications, processes, and systems, sometimes down to the very last detail.
If your organisation has even a small IT infrastructure, delving into its data flows can easily become a complex project. It is not uncommon, for example, for local governments to use hundreds of different systems. And because a dataflow is "live", the analysis needs to be continuously updated, meaning that you may have to start over before you have even finished.
For some systems or processes, a data-flow analysis may be required for specific reasons. However, since the EU GDPR does not explicitly require a dataflow analysis, why spend unnecessary time and effort doing so?
On the other hand, maintaining a record of relevant data processing activities is achievable. Ultimately, the aim is to keep an up-to-date record of your relevant processing activities, so that you know what personal data is collected, why it is collected and used, and where it is processed and stored.
We prefer a pragmatic approach and generally recommend that you follow the requirements for GDPR compliance as written. It is too easy to over-complicate and over-analyse things and lose sight of what is actually required. Since GDPR compliance is an ongoing process, not a one-off endeavour, it makes more sense to start by understanding and registering your processing activities at a high level, and to revisit and refine them later. This leaves more time and energy for the other aspects of GDPR compliance, whose deadline is not far off.
The GDPR Article 30 “Records of processing activities” details the requirements for compliance, for both the “Controller” and “Processor”. Briefly, as a Data Controller, the record of processing activities must contain the following information:
And as a Data Processor, the record of processing activities must contain the following information:
Furthermore, it's important to keep in mind that the regulation isn’t designed to introduce a massive workload and doesn’t in itself require a comprehensive analysis of data streams. As long as you stick to what's necessary, you'll be well on your way to being compliant when the GDPR comes into force next year.
Download our Guide to complying with GDPR where we provide you with seven steps that lead to GDPR compliance - the first of which is registering your processing activities!