CIPP/US Study Guide
Chapter 4: Information Management and Privacy Risk Management

Data Flow Mapping - Top-Down and Bottom-Up

After inventory and classification, data flows are mapped and documented (what, where, and why data is processed). The top-down approach, typically used for regulatory purposes, often starts with the GDPR-required record of processing activities (RoPA); the bottom-up approach builds from data assets through to data lineage.

Once inventoried and classified, data flows are examined and documented. Mapping answers: what data is processed, where, and why. There are two common approaches.

Top-down vs bottom-up mapping
Approach | Description
Top-down | Typically used for regulatory purposes; often starts with the GDPR-required record of processing activities (RoPA) documenting purpose, recipients, retention, and safeguards
Bottom-up | Insightful for privacy pros; steps: understand data assets, inventory and classification, delineate data processes (can use RoPA), then document data lineage

RoPA can be hard to validate and keep current, so many organizations automate it with technology. Data lineage adds metadata identifying the original source of data, the most critical data, and how data sets are built and aggregated.

Key terms - quick answers

What is “Data flow mapping”?
Documenting the systems, applications, and processes that handle data - what, where, and why data is processed.
What is “Record of processing activities (RoPA)”?
GDPR-required documentation of processing purposes, recipients of PI, retention periods, and safeguards; often used to start a top-down data map.
What is “Data lineage”?
Metadata added to a map identifying the original source of data, the most critical data, and how data sets are built and aggregated.