GDPR Learning Hub

Menu
  • Take quizzes
  • Download guides
  • Buy courses
  • Buy Templates
  • Website is under construction

GDPR

Process mapping of personal data processing

In order for employees to have a better understanding of how they process personal data in practice when performing their tasks, it is good to make a process mapping of the personal data processing operations.

Process mapping of personal data processing in groups

Process mapping of personal data processing can be carried out in groups and it is good to appoint a moderator. If a company has several diversions with different tasks, it may be good for each department to carry out its own process mapping. 

List all personal data processing operations and discuss them

Employees start by writing up all the processing of personal data that they perform. Then write the questions they have about each processing, what categories of personal data the processing refers to, what IT support is used, etc. Some of the parts are quite obvious and will not require much discussion. However, other parts may be unclear and require deeper understanding and discussion. The issues that are unclear and may require action then need to be resolved. 

What breaches of the GDPR can lead to an administrative fine?

Include the process in the privacy notice

Companies shall inform data subjects about the processing of their personal data, which is usually done in a privacy notice. It may be useful to include a description of the processes, in order to give the data subjects a better understanding.

In what situations do companies usually process personal data in their daily work?

Below are some examples of common processing of personal data that companies and employees often carry out in their daily work:

  • Use a personal badge to get in and out of the office. 
  • Reading and sorting of emails continuously during the working day.
  • Phone calls with potential customers, partners, employees or the like via the work phone. 
  • Receipt of invoices from suppliers by e-mail, which are then forwarded to the company’s accounting office.
  • Login to the company’s CRM system where personal information about customers is located, such as purchase history and name. 
  • Enters the warehouse where there are valuables and camera surveillance. 
  • Provision of customer service via social media. 
  • Receipt of employees’ sick report via SMS or medical certificate via MMS.
  • Send payslips to employees via encrypted email (alternatively physical mail, if preferred by the employee). 
  • Registration of visitors at reception. 
  • Publication of images from an event on social media and website. 
  • Receipt of job applications by e-mail.
  • Tracking of mileage registered by vocational vehicles, in order to be able to submit data to the tax authority. 
  • Receipt of questions or orders via the contact form on the website. 
  • Publication of customer reviews on the website. 

Several benefits of clear processes

Streamlining the work

Good processes make work for employees more efficient, which means they can spend more time on other things. In many businesses, only the minority of working hours are used to increase customer value. The more the employer streamlines work with things that do not increase customer value, the more time employees can spend on increasing customer value.

What is the definition of anonymised data?

Good aids

Efficient and clear processes can be a good tool for employees. This minimizes, among other things, the risk of employees making mistakes.

Subjektivt integritetskänsliga personuppgifter

Increased creativity

By allowing employees to be part of the process and be able to influence it, it can increase their creativity. In addition, they often have valuable skills and experience, as they work practically with GDPR issues in their daily work.

Analyzing the necessity

Once the process mapping of personal data has been carried out, it is important to analyse whether any of the processing operations are unnecessary. The company shall also not process more personal data than necessary. If the company does not need to process the personal data, they must be deleted or anonymised. 

Analyze opportunities for improvement

When employees make a process mapping of how they process personal data in their work, there are good opportunities to take advantage of the knowledge and improve the processes. Since it is the employees who work with personal data processing on a daily basis, they can have valuable information on how it can be done better. 

Learn more

Benefits of working agile

It can be good to use an agile way of working when it comes to internal GDPR work. In other words, have a long-term vision that the company strives for but to try to achieve it through stages. Once each stage is reached, there are good opportunities for analysis and improvement. Work on internal GDPR compliance often changes over time and therefore it can be problematic if the management does not analyze the work along the way and try to improve it.

Want to learn more?

Read more
Scroll to Top