Manual de Data Mapping LGPD The scope of this article is to present a guideline on how to map the flow of personal data in an organization that wants to comply with the General Data Protection Law (LGPD)
” The organization must implement controls that guarantee the security of personal data and mitigate risks of violation, for this, it is necessary to have mapped the inputs, processing and outputs of data in the company, this activity is called Data Mapping. “
1. Introduction
Manual de Data Mapping LGPD – To meet the requirements established in the General Data Protection Law (LGPD) and ensure the rights of the Data Holder, according to article 18 of the Law, the organization must implement controls that guarantee the security of personal data and mitigate risks of violation .
For this, it is necessary to have mapped the inputs, processing and outputs of data in the company, this activity is called Data Mapping.
The area responsible for implementing the privacy governance program , pursuant to article 50 of the Law, has a series of premises to comply with in order to guarantee data protection and transparency for the data subject.
First, it is necessary to carry out a survey of the company’s current scenario by mapping the organization’s data.
This area must establish a step by step of the activities to be carried out and present for approval by senior management.
She has the role of fostering a culture of data protection with the other executives of the company, this action will make the approach to the business areas more efficient.
Below is an example of planning that can be followed:
1. Knowing the areas of the organization
2. Establishing an interview schedule with the areas
3. Conducting a data flow mapping interview
4. Consolidating the analyzes
5. Validating the flow with the interviewed area
6. Present it to top management
7. Implement improvements
Data flow mapping consists of defining which business processes of the organization have processing of personal data of employees, third parties, customers or any other natural person who has any commercial relationship with the organization and after treatment, document what the area does with that data.
First, the organization must define in which medium it will carry out this mapping, for example, whether it will use an Excel spreadsheet or will acquire software on the market that already has a pre-established model.
If you choose to purchase software, it is important to raise all the IT requirements that the software must have to suit the company’s business model.
I emphasize that, although many companies sell ready-made solutions, it is important to be able to customize options according to the company’s needs, guaranteeing an adherent mapping.
With the means in which the mapping will be carried out defined, the next step is to establish what types of information this document should contain, that is, what will be the essential information according to the company’s needs to ensure the mapping of the life cycle of the personal data.
2. Knowing the Business Areas
Manual de Data Mapping LGPD – The first step I recommend is to categorize the company by areas, in general terms, an organization is basically divided into Human Resources, Marketing and Communication, Legal, Accounting, Treasury, Internal Audit, Operation or Production depending on the company’s business, Information Technology , Compliance, Purchasing and Logistics.
For each of these areas, the business process they perform must be mapped at a high level. It is noteworthy that, depending on the segment in which it is inserted, this activity will be more complex and some caveats should be made.
3. Establish Schedule of Interviews with the Areas
Manual de Data Mapping LGPD – Having defined the company’s areas based on the organizational chart, it is time to plan the schedule.
In project management, the time requirement is crucial to successfully achieve the purpose for which the project was established, therefore it is recommended to have a document with the dates of the meetings, containing the focal points of each area, times, status (Scheduled, Performed, Canceled and Rescheduled) and notes.
This schedule must be aligned with everyone involved to mitigate unforeseen events and communication failures.
4. Carry out the Personal Data Flow Mapping Interviews
The mapping can be done through an interview, sending spreadsheets, direct observation of the execution of activities, among other methods.
What I recommend is that an interview be carried out with the area, as this reduces the risk of misinterpretation of the items in the data mapping document.
The strategy for conducting the interview will depend on the interviewer’s level of knowledge about the area’s activities and the company’s business.
For example, if the interviewer knows which processes make up the area, he can prepare a specific questionnaire with questions directed towards personal data.
If the interviewer does not have this knowledge, he should start with basic questions, such as the scope of the area, what the area delivers, the mission and vision of the area for the company and what are the business processes that permeate the area. This understanding will help in the elaboration of the data flow.
The next step is to know which of these processes have personal data.
At this point, it is important to do an overview of the area being interviewed, about the definitions of personal data, sensitive personal data, anonymized data, database, treatment and the figures of the Law: holder, operator, controller and person in charge of this, the definitions that the General Data Protection Law brings in its scope must be used, according to article 5 of the Law.
As a good practice, it is important to emphasize the distinction between personal data and business data, since this differentiation raises many doubts among those involved. This overview should take approximately 20 minutes.
With this leveling of knowledge, it is time for the second block of questions in order to raise what types of data are collected, remembering that the objective is to map the business processes that handle personal data.
So in this sense we can divide the classification of data into 2 macro groups, personal data: name, telephone, CPF, RG, date of birth, gender, IP address, work permit number, marital status, geolocation, level of education, profession , bank account, email, voter registration, etc.
And sensitive personal data: racial origin, religious conviction, political opinion, union membership, health data, genetic data, biometrics, facial recognition.
These macro groups can still be divided into subcategories to better organize the classification of personal data, such as: identification data, economic data, education data, behavioral data, etc.
The next step is to find out how the area had access to this data, whether it was collected directly from the holder, or whether it was received from another area of the company, or from another company.
Next, it is important to determine what type of treatment the area does with the data, according to the LGPD, treatment “is any operation carried out with personal data”.
Law 13,709 in article 5 provides some examples of treatment, which are: “collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication , transfer, diffusion or extraction.”
For better clarification, I suggest that when you think about data processing, relate it to every action you can do, that is, if you can conjugate a verb for the action you are performing with the data, then it is a type of treatment.
The most common examples of data processing are: collection, receipt, consultation, alteration, classification, transfer, storage and elimination.
At this point, we will have clear the roles of the company’s treatment agent, whether the company is the controller and operator or only exercises one of the roles. This definition is important for establishing contractual clauses and revisions.
After the treatment, it is necessary to identify the next activity that the area performs, for example, if it transfers to another area to continue with other treatments, or transfers to respond to some request.
This information is important to be able to link all the areas that had access to the data and carried out some treatment.
During this survey, questioning of Information Security controls can be included , the LGPD makes it clear that the data controller must guarantee measures and technical mechanisms to protect personal data.
To make the interview more fluid, during the transfer approach, the following questions can be included: Is there any data anonymization mechanism, or pseudo-anonymization to carry out the transfer?
Is the document sent with any access classification? When the other area/company receives, is there the possibility of storage in the machine? Does this transfer take place in national or international territory?
For cases where there is data storage, new questions must be asked, are there policies and procedures published and in force in the company that guide the subject?
Or does the area store indefinitely?
Or does data retention follow any law?
Where is this data stored?
What systems are used?
In which media are these data presented (physical or digital)?
At this point, it is important that we raise this relationship, regarding the purpose of storing personal data. These questions help identify which security measures should be adopted for each scenario.
5. Consolidate the analysis
Manual de Data Mapping LGPD – With the completion of the interviews, the team responsible for surveying the data stream must consolidate the information gathered during the interviews and correlate opportunities for improvement for each data stream.
At this stage, it is important to highlight the Information Security methods, which mechanisms, controls, processes, procedures and the like must be established to guarantee the maintenance of a secure data flow system, mitigating security violations and guaranteeing the Holder’s Rights.
Some examples of fields that the data flow mapping may contain are: Company area, Focal point of the interview, processes managed by the area, related documents, related controls, types of personal data, treatment of personal data, reason for collecting personal data – purpose, where the data is stored, retention period, security measure already established, identified gap and description of the action to correct the gap.
6. Validate with the Interviewed Area
Manual de Data Mapping LGPD – It is recommended as a good practice, the elaboration of the representation of the process in diagram.
Designing the high-level process flow will aid in understanding the lifecycle of personnel data in that specific area. For this, it is necessary to define which design process modeling notation will be used, the most common for this case being flowchart and BPMN (Business Process Model and Notation).
The approach at this stage is one of continuous improvement, the validation aims to present the work carried out with the identified opportunities for improvement to the area and carry out any type of final adjustment before presenting it to Senior Management.
This phase is important to avoid any kind of communication noise and not cause any discomfort or surprise to anyone involved.
7. Present to Senior Management
Manual de Data Mapping LGPD – The penultimate phase is to present to senior management at a high level the mapping of the data flow and the opportunities for improvement raised, validate delivery, resolve doubts, establish strategies and prioritize which opportunities for improvement will be implemented and who will be responsible for implementation.
8. Implement Improvement Opportunities
The implementation of the improvement must be carried out jointly between the area that led to the GAP appointment and the internal data protection area.
This second will monitor the development of the implementation, the area must establish a focal point that will lead the implementation and report to the data protection team.
It is worth remembering that the drivers of the actions that will be carried out will already be described in the gap.
9. Conclusion
After implementing improvements, it is important to continue monitoring the data flow.
As the organization is a living environment, and due to the market and new technologies, it is under development, new business processes may emerge, scope of areas may change, so it is necessary to review this inventory.
This monitoring must be within the scope of the privacy governance team, which will be responsible for implementing the personal data protection program in the company.
I also emphasize that the application of continuous improvement is essential for the continuity of compliance with data protection in the organization.
The organization must implement controls that guarantee the security of personal data and mitigate risksof violation, for this, it is necessary to have mapped the inputs, processing and outputs of data in the company, this activity is called Data Mapping.
Gabriela Berge is a consultant in Privacy, Data Protection and Cybersecurity, Production Engineer graduated from the Federal Center for Technological Education Celso Sukow da Fonseca (RJ), with knowledge in Business Process Management from the State University of Rio de Janeiro. With professional experience in the area of process management and governance, she LGPD compliance projects and information security governance. It exin certified PDPE, ISFS (ISO / EIC 27001), PDPF, PDPP and DPO .
She was our student in the Classroom RIO1, also again in an EAD class and today she is a guest professor at the Privacy Academy of the course “Process Management in the LGPD “.