GDPR: which tool to use for mapping data flows

Note: I wrote this article in March 2016. You may find the article and comments interesting, but for a more updated view and a useful template I suggest you read my later article, GDPR data flow mapping — an approach.


Which tools can organisations use to map personal data flows for GDPR?

Organisations approaching data flow mapping for GDPR have a wide range of options — from general-purpose tools such as Visio, PowerPoint, Excel and Word, to enterprise architecture platforms such as ARIS, to dedicated Data Protection Management System tools that include data flow mapping functionality. The right choice depends on the scale of the organisation, the complexity of its processing activities, and whether the tool can support ongoing maintenance of the data inventory after the initial project is complete. At the time of writing, one tool worth investigating is Microsoft’s free Threat Modelling Tool, designed for data flow mapping and threat analysis.


Elements of Article 30 — records of processing activities — point to the need for organisations to map data flows for personal data, including sensitive personal data and identity data. Many may reach for Visio, PowerPoint, Excel or Word, and some may even use the back of a fag packet. Large organisations may already have enterprise tools such as ARIS that could be fit for the purpose.

Although Data Protection Management System tools are emerging that may include data flow mapping functionality, I am curious to know how other organisations intend to tackle this significant task within their GDPR project — and, beyond the project, how they intend to maintain the personal data inventory on an ongoing basis.


Is Microsoft’s Threat Modelling Tool worth considering for GDPR data flow mapping?

Microsoft’s Threat Modelling Tool supports their own Security Development Lifecycle (SDL Practice #7) and has capable functionality for data flow mapping, understanding threats, and documenting countermeasures. It is based around the STRIDE threat classification (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege), which is a security taxonomy and so does not specifically cover all data protection threats — though this is not a significant obstacle when adapting it for GDPR purposes. A further advantage is that the tool is free. It has been available for several years, with a 2016 version available at the time of writing, which gives it reasonable longevity. An informative video is available that explains the modelling concept and the tool in detail.


A question for practitioners

How is your organisation approaching data flow mapping for GDPR? And what plans are in place to maintain the personal data inventory after the project closes?

I would be genuinely interested to hear what others are doing.


I help data protection leaders assess and improve their data protection programme capability. If you would like to discuss this in more detail, book a call or explore our services.

Author
Tim Clements
Tim Clements is Business Owner of Purpose and Means, a data protection and GRC consultancy based in Copenhagen, operating globally. He helps data protection and GRC leaders simplify complexity into actionable strategies, providing tools, training, and support to engage and influence across the organisation. Tim is a Chartered Fellow of the BCS (British Computer Society).
