More Related Content
Similar to 1211000-792-2-Promontory - Data Mapping Slides 06-06-16
Similar to 1211000-792-2-Promontory - Data Mapping Slides 06-06-16 (20)
1211000-792-2-Promontory - Data Mapping Slides 06-06-16
- 2. CONFIDENTIAL© 2016 Promontory Financial Group LLC. All rights reserved. 2
Typical Data Lifecycle Mapping Questions
Key data lifecycle categories Key elements of information captured
1. Basic Details • Process or activity to which the system relates
• Ownership of data
• Data subjects to whom thepersonal informationrelates (e.g.,applicants, employees, contractors)
• Data Categories (e.g., basic personal details; healthandwelfare; performance and pay; employmentdetails)
• Specific sensitive or other confidential data types involved (e.g., credit card information, salary, performance
reviews, disability details, diversity information)
2. Data Collection • Source of data (i.e.,where thepersonal information originates prior to being entered intothe system. For example,
data may be generated from a user of thesystem, anemployeeor applicant or provided by a third party.)
• Means of collection (i.e., how the personal informationwas collected, obtained or generatedfor thepurposesof the
system / process. For example, direct input by employee, email receivedanddata manually input to system by user,
or automated feeds from linked systems or databases.)
3. Data Usage & Data Handling • Purpose of processing the personal information
• Key manual datahandlingor automated dataprocessingactivities
• Handling of hard copy documents or files containingpersonal information
• Hosting, testing and system developmentlocations where applicable
4. Data Transfers and Access &
Disclosures
• Internal, external andonward transfers,access or disclosures to personal information
• Disclosures to service providers, vendors, and relevantparties
• Assess locations for the purposes ofidentifyingcross border datatransfers
5. Data Retention & Destruction • Data retention anddestructionprocesses around how personal informationis archived or destroyed
• Retention periods prior to destruction
• Responsibilities of external vendors for the archiving / destruction of personal informationtransferred
6. Security • Scope to includespecific technical andorganizational security considerations whichhavebeen applied. For
example, access controls andrestrictions, use of passwords / encryption
The key questions and considerations below can be used to assess the privacy impactof the data flows identified and can be
instrumental in the developmentofdata maps.
- 3. CONFIDENTIAL© 2016 Promontory Financial Group LLC. All rights reserved. 3
Recent Data Mapping Framework Project
Creation of Data Mapping Toolkit
ü Alignment with and cross-reference to business process mapping
ü Provides a detailed record of key processes/activities within theorganisation
ü Aids in the identification of knowledge gaps toprompt further investigation
ü Increases knowledge of data handling practices within the organisation
ü Forms a basis for best practices and regulator standards
• A toolkit of data mapping templates, information gathering and reporting tools,
user guidance and training materials was produced to allow the client to roll out
the data mapping exercise to other areas of its business
• Training workshops and management briefing sessions were run to explain how to
apply the methodology and use the toolkit in order to deploy and maintain the
Data Mapping Framework
• QA managers and related local contacts were assigned responsibility for the
maintenance and updating of the Data Mapping Framework, including periodic
milestones and reporting obligations
Sample Pilot Data Mapping Exercise
• Interviews were undertaken with stakeholders relevant
to the data lifecycle of the pilot business areas
• A review was made of the existing business process
data maps and QA documentation to align with and
validate data lifecycle practices identified during
information gathering
• Fieldwork also included interviews and documentation
reviews relating to management of key systems and
data lifecycle related technology
• Data Mapping tables, diagrams and reports were refined
during the pilot phase and provided the basis for the
Data Mapping Toolkit templates and guidance
Data
Lifecycle
Mapping
Table
Data
Lifecycle
Mapping
Reports
Data
Maps &
Key
User
Guidance
Data
Types
Guidance
Data Lifecycle Mapping Framework