There is an ancient proverb that says “a journey of a thousand miles begins with a single step”. In today’s context, if the journey is an organisation’s efforts to comply with its data protection obligations, then the single step is the process of taking stock of all the personal data it holds.
This process of stock taking is known by many terms including ‘data mapping’ or creating a ‘data inventory’.[1] The Personal Data Protection Bill, 2019 (“PDP Bill”) does not define either of these terms and it places no explicit obligation on organisations to carry out such a task. That being said, such an exercise is a critical starting point to comply with other obligations under the law. For instance, implementing ‘privacy by design’ would require an organisation to adopt practices to anticipate, identify and avoid harm to individuals from data processing. To do this effectively, one would need to understand different categories of data processed, assign different risk levels to each category and build systems to secure the data to manage those risks. An inventory would be necessary for demonstrating compliance with several other obligations, such as consent, storage limitation, responding to requests from data principals and data protection impact assessments.
How should one go about it? Ask questions.
The mapping and inventory exercise seeks answers to certain questions regarding the data that an organisation collects and uses. The mapping answers the ‘where’ of the data: where does it come from, where does it go, which departments use it, where is it stored (physically), is it sent across borders? An organisation may not have instant visibility over all the data it processes, since data may reside on staff devices, email systems, with service providers, on the cloud, and in other latent systems or processes. The inventory answers the ‘why’, ‘how’, and ‘who’: why is it collected, how securely is it stored, how long do you retain it, whose data is it, and who is responsible for creating, updating and deleting it? Therefore, a starting point is creating a questionnaire which captures all the questions which need answering.
Who should answer?
In any organisation, there are several different departments which interact with different types of data. For instance, Sales and Marketing will have customer data, Human Resources will have data about employees and job applicants, Finance will have data about customer invoices and employee payroll and the IT Department will have knowledge of software such as ERP and CRM tools being used in the organisation. Senior personnel from each different department should be tasked with providing accurate and detailed responses to the questionnaire. A person familiar with data protection obligations, either within the organisation or an external consultant, should be tasked with supervising this process. They can provide guidance to the respondents so that they fully understand the import of the questions and the objectives of the exercise. This person can also be tasked with collating the responses received from the various departments.
Once responses to the questionnaire have been collated, the collated information should be further refined. The data should be categorised into different categories such as ‘personal data’, ‘sensitive personal data’ and ‘critical personal data’, and appropriate risk levels should be mapped against different processing activities. The legal basis for each data processing activity should be identified. If personal data is being shared outside the organisation, the reasons and any underlying contractual arrangement should be mapped. A person with expertise in data protection compliance should be responsible for this process. The gaps in an organisation’s data-handling practices, identified through this process, are what need to be addressed in the next stages of compliance.
Technology can help with this process
Depending on the size of your organisation and the complexity of your data processing activities, it is possible that the manual method described above will be extremely challenging to implement. Fear not, there are several automated tools which have been specifically designed to aid in the process of creating data maps and inventories, and also to support the entire compliance cycle. Companies like OneTrust, TrustArc and several others have created software tools which can aid in data mapping, visualising data flows and preparing reports.
Recommendations
Start early: The process of creating a data inventory and mapping data flows can be tricky and involve some trial and error. Compliance with data protection obligations, especially if being done for the first time, is rarely straightforward. You may need sufficient time to redesign existing data flows and enter into appropriate contractual arrangements with your data processors. If the first step is taken early, and done right, it will go a long way in your journey towards PDP compliance.
Allocate responsibility: The importance of the exercise needs to be conveyed to senior stakeholders in the organisation across business functions/departments. All departments must dedicate sufficient resources to spend the time to properly understand the ask and the context, and then provide responses to the questionnaires. A person familiar with data protection compliance obligations must be given the responsibility of supervising the exercise and should be ultimately accountable to senior management.
Seek help: Be willing to hire external consultants or purchase technology tools which will aid your organisation in being compliant with its data protection obligations. Given the large fines associated with non-compliance, it is important not to be penny wise, pound foolish.
(Authored by Aman Taneja, Senior Associate with inputs from Sreenidhi Srinivasan, Senior Associate and Anirudh Rastogi, Managing Partner at Ikigai Law.)
[1] Rita Heimes, Top 10 operational responses to the GDPR: Data inventory and mapping, available at https://iapp.org/news/a/top-10-operational-responses-to-the-gdpr-data-inventory-and-mapping/