GDPR Data Flow Diagram Template
GDPR (General Data Protection Regulation) is one of the hot topics at the moment and we've been helping clients get their websites ready for the pending changes.
One of the trickier required (but useful) tasks we've found is mapping the flow of personal data through the organisation. There is a growing number of enterprise-grade software solutions for this, but they aren't always practical or straightforward to use.
Although it's only a small part of the larger piece of work, I thought it worth sharing how we've been documenting the data flow in a way that gets you thinking about the touch points, as it may be useful to others.
We've tried a number of the systems available and a variety of formats, but have found that documenting the entire flow at the highest level and then drilling into specific flows as flow charts is the simplest approach to grasp and to quickly enrich.
How do I go about creating this?
I've attached the Visio document to get you started, but generating it is fairly simple:
- Write a list of all the main "Sources" of customer data, e.g. website, phone calls, letters
- Review each Source and list the ways ("Entry Points") data can arrive through it, e.g. new orders, Contact Us forms, mailing list signup forms
- Write down what happens to the data from each Entry Point: is it printed off? Is it sent to a third party such as MailChimp? Where is it stored, and who can see it?
Once you've got that information together you should be able to update the attached Visio file. You'll then want to pass it around to the departments and staff involved and have them review their sections to make sure you've documented everything they do with the data (especially anything offline, such as printouts!).
The overview document highlights a number of key points:
- What form each transfer takes, e.g. email, phone, fax or paper
- Whether the transfer is protected in transit (encrypted, masked, etc.) or sent in the clear
- Who or what "touches" the data
- Whether the data is stored securely, and where
Once done, review the process as a whole and resolve any issues, such as personal data being shared over an insecure connection or staff having access to more information than their role requires.
This overview should also help you write your Right to be Forgotten (right to erasure) policy, as it highlights the various areas of the business, and any third parties, that will need to be contacted should someone ask to be removed.
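As an added example (not the post's Visio template, and not code from The Site Doctor), the same inventory can be captured as a small machine-readable structure so the review questions above are run as checks rather than eyeballed: unprotected transfers, insecure storage, roles seeing more than they need, and the list of systems and third parties to contact on an erasure request. The flows, roles, data categories and least-privilege baseline below are constructed for illustration and assume a hypothetical e-commerce business.

```python
"""Machine-readable data flow map with automated review checks.

Everything below (systems, roles, data categories, role needs) is a
constructed example for a hypothetical e-commerce business.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    source: str                 # where the data originates, e.g. "Website", "Phone"
    entry_point: str            # how it arrives, e.g. "New Order", "Contact Us form"
    destination: str            # system, person or third party that receives it
    channel: str                # "https", "api", "email", "fax", "paper"
    protected_in_transit: bool  # TLS / encrypted mail = True; paper, fax, plain email = False
    data: FrozenSet[str]        # categories of personal data the flow carries
    stored: bool                # does the destination retain a copy?
    storage_secure: bool        # access-controlled and encrypted at rest (False for a desk drawer)
    handled_by: FrozenSet[str]  # roles that can see the data at the destination


# Constructed sample flow map (hypothetical).
FLOWS: List[Flow] = [
    Flow("Website", "New Order", "Order DB", "https", True,
         frozenset({"name", "address", "email"}), True, True,
         frozenset({"fulfilment", "support"})),
    Flow("Website", "Mailing list signup", "MailChimp", "api", True,
         frozenset({"name", "email"}), True, True,
         frozenset({"marketing"})),
    Flow("Phone", "Telephone order", "Printed order sheet", "paper", False,
         frozenset({"name", "address", "card_number"}), True, False,
         frozenset({"sales", "fulfilment"})),
    Flow("Website", "Contact Us form", "Support mailbox", "email", False,
         frozenset({"name", "email", "message"}), True, True,
         frozenset({"support", "marketing"})),
]

# Least-privilege baseline (assumed): the data categories each role actually needs.
ROLE_NEEDS: Dict[str, FrozenSet[str]] = {
    "fulfilment": frozenset({"name", "address", "email"}),
    "support": frozenset({"name", "address", "email", "message"}),
    "marketing": frozenset({"name", "email"}),
    "sales": frozenset({"name", "address", "card_number"}),
}


def insecure_transfers(flows: List[Flow]) -> List[str]:
    """Entry points whose data travels unprotected (plain email, fax, paper)."""
    return [f.entry_point for f in flows if not f.protected_in_transit]


def insecure_storage(flows: List[Flow]) -> List[str]:
    """Destinations that retain personal data without adequate protection."""
    return [f.destination for f in flows if f.stored and not f.storage_secure]


def over_privileged(flows: List[Flow],
                    needs: Dict[str, FrozenSet[str]]) -> List[Tuple[str, str, List[str]]]:
    """Roles that can see more data categories than their job requires."""
    findings = []
    for f in flows:
        for role in f.handled_by:
            excess = f.data - needs.get(role, frozenset())
            if excess:
                findings.append((role, f.entry_point, sorted(excess)))
    return sorted(findings)


def erasure_targets(flows: List[Flow], category: Optional[str] = None) -> List[str]:
    """Every place a copy is kept (optionally only those holding `category`):
    the systems and third parties to contact on a right-to-erasure request."""
    return sorted({f.destination for f in flows
                   if f.stored and (category is None or category in f.data)})


def review(flows: List[Flow], needs: Dict[str, FrozenSet[str]] = ROLE_NEEDS) -> Dict[str, object]:
    """Run all checks and return the findings as one report."""
    return {
        "insecure_transfers": insecure_transfers(flows),
        "insecure_storage": insecure_storage(flows),
        "over_privileged": over_privileged(flows, needs),
        "erasure_targets": erasure_targets(flows),
    }


if __name__ == "__main__":
    for key, value in review(FLOWS).items():
        print(f"{key}: {value}")
```

On the sample map the checks flag the telephone order (card number on paper, read by fulfilment who have no need of it) and the contact form (plain email, readable by marketing), and list four places to contact for an erasure request. Keeping the map in this form also makes it easy to diff when a department reviews its section and reports an extra copy you had missed.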
I'd be interested to know if this is how you're documenting the flow or anything we're missing that would be worth adding.
The Site Doctor design, develop and consult on ecommerce solutions for businesses of all sizes. If you are concerned as to how GDPR may affect your ecommerce website, get in contact today to see if we can help.