5 Reasons Why Data-flow Maps with Data Lineages are a Must in Data Protection

Instead of just documenting your processing activities with text and field forms, visualization with data-flow maps offers a more understandable and concrete way of describing the processing of personal data. Some companies rely on just drawing a data-flow map using, e.g., MS Visio. However, other companies go further and use tools that allow documenting the underlying data lineages in the data-flow maps.

So what are data lineages? A data lineage tells the origin and the route of any individual data element's journey in time across various points of processing. Any processed personal data type can go through several IT systems, datastorages, servers, devices, and other information stopping points during its processing.

One of the problems many companies have is that they don't know how all the personal data has ended up into their systems and datastorages. Taking a look at just one system's data inventory, it's hard to know what are the data subject categories, data sources, and step-by-step data lineages of each personal data element.

Then, why is it important to go beyond just data-flow map visualizations, and describe your data lineages?

Here are 5 major reasons:

1. For informing data subjects

If you do not understand, how the data lineages (or data life cycles) and all the stopping points of the processed personal data elements, you run a high risk that you are not informing your data subjects correctly. You cannot create and maintain accurate privacy notices, if you don't understand all the stopping points and processing steps that happen during each personal data element's journey. Not knowing all the points of processing could also lead to processing personal data for hidden purposes done by your organization or its vendors, which fail to be informed to the data subjects.

2. For implementing data subject rights (especially the right to be forgotten)

As we know, personal data-flows can take place via many data lineage points. All those systems, databases, backups, drives, devices, servers, files, and filing cabinets should be identified to fully implement data subject rights. The process of using data-flow maps and data lineages help you reveal places where personal data ends up. And where there is personal data, there should be technical and organizational measures in place to ensure that data subject rights can be applied truly. E.g., the right to erasure needs to be applied in all those data lineage points when there is no purpose or lawful basis to continue processing.

3. For Identifying Third Country Risks

Personal data could move via 3rd country stopping points in its route. Many data lineages need consist of systems and datastorages located in servers that are in the US. You might miss a need to conduct a transfer impact assessment (TIA).

4. For Identifying Third Party Risks

Personal data could move via a high-risk 3rd party organization, increasing risk to the whole processing. Typically data-flows of processing activities consist of several systems, datastorages, servers, and data centers, and any of them might bring new sub-processors to the processing. Some of those sub-processors could have poor data protection practices and causes higher risk to data subjects as a result of your processing. Documenting data lineages helps you keep track of points of uncertainty, and guides you to ask the right questions.

5. For Identifying Information Security Risk

Personal data could move via a high-risk systems, datastorages, or devices with few or no information security controls implemented. Without data lineage descriptions, you could miss poor security data lineage points, which will elevate the risk of data breaches, and unauthorized access to personal data.

Ultimately, data-flow maps enriched with data lineage descriptions allows your company to stay on track with its legal requirements, risks to the data subjects, and risks to the organization itself. Moreover, describing data lineages helps manage information security risks of business data as well.

Don't just take our word for it

Try PrivacyDesigner out for yourself. Book a demo now and see how it can transform the way you approach privacy compliance. With a clear, visual representation of your data flows, you'll be able to identify risks and opportunities, and make informed decisions about how to protect personal data.