In this video, Mandy Huth explores Article 35 of the GDPR regulation. Learn about privacy impact assessments, data mapping exercises, and the key elements of data mapping.
- [Instructor] Article 35 of GDPR requires organizations to execute an impact analysis of the data they process. Understanding the impact to privacy requires understanding the nature of the data as well as how it is being processed. Classifying certain data as sensitive or confidential can help an organization to identify data that needs additional protections. One way to do that in a technical fashion would be the use of tagging. A data mapping exercise is key to assessing the privacy impact on data.
A data mapping exercise includes three key components. The first part of a mapping exercise is data discovery. It's important for an organization to understand where data is flowing. This can be in several fashions: from the inside, to the outside of the European Union, or perhaps from an organization to its suppliers or its sub-suppliers. Next is reviewing use of the data during the lifecycle and its practical implications.
Some questions to consider here would be are there any unforeseen or unintended uses of the data happening? Another question could be, could the collected be used outside of its intended purpose in the future? If either of those are true, an organization will want to review if they should be collecting that data or not. Last, is mapping the flow and criticality of the data to the appropriate technical and organizational safeguards. In this step creating heat maps around the data an organization is processing can help.
Knowing which data is critical or confidential, which data is sensitive, and which data may be public, can help an organization determine which safeguards to use for which types of data. There are several key elements to consider with this mapping, and the heat maps one may use. There are many elements involved in a data mapping. First, what is the nature and category of the data? What formats are data being stored in? Are they hard copy, digital, or in a database? What is the transfer method between organizations? A business should consider both internal and external parties that may be included.
How long are you keeping the data? And where's the data residing? Finally, ensure the party ultimately accountable for the protection of the data is identified during this exercise. Knowing what data an organization is processing and the life cycle of that data is a core tenant to complying with the data privacy impact assessment required by GDPR.
DISCLAIMER: Neither LinkedIn nor the instructor represents you, and they are not giving legal advice. The information conveyed through this course is not intended to give legal advice, but instead to communicate information to help viewers understand the basics of the topic presented. Certain concepts may not apply in all countries. The views (and legal interpretations) presented in this course do not necessarily represent the views of LinkedIn or Lynda.com.
- Compliance deadlines and penalties
- Data controllers and data processors under GDPR
- Exploring the role of the data protection office
- Technical measures outlined in the GDPR
- Reviewing the right to be forgotten and the situations that allow erasure
- Rules for children under the age of 16
- Breach notification