Data mapping under the General Data Protection Regulation (GDPR)

Under Article 30 of the GDPR, data controllers and processors are required to keep Records of Processing Activities (RoPAs), including the purpose, description of the data subjects’ categories, whether personal data was transferred to a third party and details of any appropriate data safeguards in place.

HewardMills supports its clients with data mapping and keeping RoPAs. Organisations with 250 or more employees must document all their processing activities, while those that employ fewer than 250 people, need only to document processing activities that:

• Are not occasional (eg, are more than just a one-off occurrence or something you do rarely);
• Are likely to result in a risk to the rights and freedoms of individuals (eg, something that might be intrusive or adversely affect individuals); or
• Involve special category data or criminal conviction and offence data (as defined by Articles 9 and 10 of GDPR).

HewardMills helps its clients to comply with data protection regulations, including: the GDPR, ePrivacy Directive, local legislation (for multijurisdictional organisations), cybersecurity laws, as well as legal and regulatory requirements arising from emerging technologies such as blockchain.

We are a multidisciplinary team of data protection practitioners, lawyers, corporate governance and cybersecurity experts, with a wealth of knowledge delivering data protection excellence and trust to your organisation.

If you would like to learn more about how HewardMills helps organisations handle and process data safely, securely and responsibly in line with international policies and regulations, please get in touch via telephone (+44 20 4540 5853 or +353 1669 4642) or email dpo@hewardmills.com today.