The first steps towards a successful PDPA compliance program rely on an organization’s ability to know the journey of a customer’s data: from collection, through how it is processed as it passes through the organization, to where it is stored and for how long.
But what exactly is a data map, and why do you need one?
Organizations understand the need to identify a lawful basis to collect and process personal data. They comprehend the benefits that hiring a Data Protection Officer (DPO) will bring, and whether or not they’re legally mandated to appoint one. They’re also well-read in terms of obligations regarding the international transfer of personal data outside of the Kingdom.
But if there’s one area of data protection law that still leaves those organizations scratching their heads, look no further than data discovery and data mapping.
If you’re one of those organizations and still find yourself struggling to map out what they are, we’re here to help.
Today, VinarcoPDPA answers your critical questions about data mapping and how it can help you achieve frictionless compliance with the PDPA regulations.
What precisely is Data Mapping?
Although they appear to be complicated, both data discovery and data mapping are straightforward concepts.
They both refer to the exercise of taking stock of all the personal data your organization collects and processes, then mapping what happens to it and its journey through your organization and further afield in terms of data transfers.
It’s a process that has proved invaluable for businesses no matter what volume of data is processed, mapping the entire lifecycle of that data from the moment it’s collected to the point of destruction when no longer required.
How to Create a Data Map
In most cases, responsibility for data mapping falls to your Data Protection Officer (DPO) or another designated person within your data administration team.
Depending on your organization’s circumstances, that person can be either an internal hire or an outsourced data privacy consultant. Dedicated data mapping software is available,
How extensive your data map is will depend on the nature of your business and your data processing activities, but all data maps should contain several things:
- Whose data you collect
- Why you are collecting that data
- What type of data you collect (email, bank details, address, etc.)
- When you collect the data
- What legal basis you have for processing the data
- Where you store the data
- What conditions are in place to protect the data
- Which, if any, third parties you share that data with and their locations
- What data protection measures you implement to protect data during transfers to third parties
Why is Data Mapping so Important?
The data map is the foundation of any successful data privacy strategy, minimizing the risk of losing one of the three pillars of data privacy: availability, integrity, and confidentiality. It ensures that you know how all data enters or leaves your organization, so that none does so without being fully accounted for.
Privacy by Design and by Default
The principle of accountability mandates that you take responsibility for handling personal data and comply with the other eight PDPA principles. You must have implemented measures and have records in place to be able to demonstrate your PDPA compliance.
The PDPA requires you to put in place appropriate technical and organizational measures to implement data protection principles effectively and safeguard individual data subject rights, an approach commonly known as data protection by design and by default.
Still require more advice or hands-on support with creating a data map for your business? Talk to the data privacy experts at VinarcoPDPA. Besides serving as your nominated Data Protection Officer, we can assist with your data mapping, ensuring that your business enjoys frictionless compliance with the Thailand PDPA.