Information Flow Modelling for EU GDPR


On the 25th May 2018, the European Union General Data Protection Regulation (EU GDPR), designed to protect citizens’ data, will become law. The intended outcomes of the regulation are to ensure that organisations are including “privacy by design” in their security strategies and make them more accountable to their customers. Ignorance is no longer a defence.

The process is generally accepted to start with a compliance audit, which of course means that you need to know how the regulation applies to you and what it means to be compliant. Much of the available advice treats a data audit as a principal step towards the compliance goal. It’s important that you get started, because without that proof the local Data Protection Agency (DPA), responsible for enforcing GDPR, has the ability to fine between 2% and 4% of a company’s annual turnover, or up to 20 million Euros, whichever number is the larger, depending on the sensitivity of the data being breached.

It is quite likely that a few high-profile examples will be made in the early days, to hammer home the point that an inability to react to a breach is no longer acceptable. With those levels of fine, there is every chance that some businesses will be impacted to the point of collapse, whether through the financial impact or, more likely, the reputational impact.

So the data audit is pivotal to the compliance journey. But how do you start that? Advice available online suggests tools such as Microsoft Visio are the best way of doing this. In addition, we see advice on using Post-It notes on the wall captured using photographs, then digitised into documents and forms, building Excel spreadsheets, or investing in a compliance tool and hacking it to meet the data audit needs.

Data Flow Tools

The time required to undertake an information flow modelling exercise is not insignificant.

Back in the day, connecting the purpose for which data is used in an organisation to the business outcome it delivers was a challenging exercise involving many hours poring over handwritten notes and photographs of whiteboard drawings. Converting that content into shareable material using the Office suite took at least 5 times as long as the creation of the source content. Hoping that someone would read it and understand it was always the primary emotion at the end of the exercise.

If you approach your GDPR information flow modelling exercise this way, you’re going to be relying on individuals within your business to accurately interpret the results to answer the questions you will be asked as part of your compliance assessment, and hoping that the DPA interprets your content the same way. Given the cost of the exercise, achieving a better, more valuable outcome will be on the minds of business leaders. Having 100% confidence in your ability to prove your knowledge of the Personally Identifiable Information captured helps everyone sleep better at night.

LINQ enables organisations to model information flow and gain insight from this new view of their business. Our platform has been designed to reduce the time from capture to insight through a methodology which enables trans-organisational understanding through simple communication. Modelling information flow puts a value on the information assets which drive your business, and by understanding the purpose for which data is created, consumed and stored, you connect the reason for data to the outcome enabled by the data, based on value. By identifying the people involved throughout the information flow, insights specific to the questions asked of you by the GDPR can be addressed:

  • What was the purpose for which information was captured?
  • Who captured what information?
  • Who is accountable for what information?
  • Who provided what information?
  • Where in the world is that information stored?
  • Who has access to that information?
  • How is that information being used?
  • Which systems store personal information?
  • What are the data hand-off points; are they internal or external?
  • When is a trust boundary crossed?

LINQ sketches and dashboards, combined with a connection to Power BI, provide all of the tools necessary to undertake your information flow modelling and use the result to drive your GDPR response and ongoing compliance. In addition, all of the benefits of LINQ become accessible to your business: improved knowledge about how you operate today based on the value of the information assets that deliver your business outcomes, a mechanism to drive a consistent approach to internal investment, and the ability to communicate with decision makers in a way they understand.

GDPR may be the stick causing you to have to undertake this additional work, but that doesn’t mean that the exercise has to deliver one outcome in a way that cannot be re-used for other benefits. Our team is ready to get you started on your GDPR information flow modelling exercise, so if you’re interested in getting your compliance sorted in the most beneficial way possible, create your account below and start your journey today.