Extensible Data Processing Taxonomy
The System Report feature within Live Data Map provides you and your team a tool to document your personal data processing activities per each application, tool or service within your System Inventory.
Taxonomy
The Extensible Data Processing Taxonomy (“Taxonomy”) is DataGrail’s classification framework for Systems, data mappings and processing accountability topics needed to generate a RoPA.
Organizations subject to Article 30 of the European Union’s and the United Kingdom’s General Data Protection Regulations (together, “GDPR”) must document and maintain records of their processing activities (RoPA, or processing register).
A RoPA is one of many accountability mechanisms you need to implement to remain in demonstrable compliance with the GDPR. GDPR-inspired laws like California's Consumer Privacy Act (CPPA) and Brazil’s General Data Protection Act (LGPD) have analogous requirements making data mappings and RoPA style overviews indispensable for compliance.
The Taxonomy allows you to document and then take stock of what personal data you have, where it is and what you do with, it in a standardized way. Doing so through broadly applicable categorizations rather than specific field types makes it easier to benchmark your data practices and comply with other aspects of privacy law such as creating a privacy notice or updating a data processing contract.
Where does it live in DataGrail?
Behind the scenes, the Taxonomy informs our understanding of a System – what it is and what it commonly does with personal data. This allows us to pre-populate portions of the System Report for your expedited review.
Within the Inventory System Report itself, the Taxonomy powers the options you see when working with each of the Processing Details sections – it is these options that help you describe your personal data and processing activities in a flexible and consistent way.
To work with the available options, under Live Data Map select Inventory System Reports from the dropdown, navigate to the left-hand menu and click on a listed System.
Then, navigate to a Processing section and click Edit to review, edit or save your selections.
What information is categorized?
Your System Report will have the following Processing Details sections:
- Legal Roles: Labels the system or entity being described in the report with a legal designation such as a Processor. The legal role informs the entity’s responsibilities under applicable privacy law.
-
Processing Countries: Where personal data is being processed, stored, or transferred.
-
Data Subjects: Specific legal definitions vary, but this is a natural person whose personal data is being processed using the system or entity being described. Certain data subjects like Children and Patients are considered vulnerable classes and are important to delineate.
-
Personal Data: Personal Data, also called Personal Information or 'PII' colloquially, is information relating to an identified or identifiable natural person. This includes online identifiers, demographics and psychographics, location information and other details that can be used to single out an individual (or their browser or device.)
-
Processing Purposes: The business, commercial or other lawful reasons for which you need to use the personal data.
-
Personal Data Origins: Describes how personal data is collected, created or otherwise sourced for the system or entity in question.
-
Personal Data Recipients: Also known as data “distribution”, this section refers to personal data being transferred from the system described in the Report to one or more other Systems within your System Inventory.
-
Legal Basis: The lawful grounds used by you to justify your processing activities. (The current options align to the GDPR and CCPA.)
-
Consent Methods: Where consent is a legal basis for processing Consent Methods refers to the means and circumstances through which qualifying consent is received. Consent can be collected directly from the individual or indirectly through other means.
-
Protective Measures: The contractual, organizational or technical measures taken to safeguard personal data.
What can DataGrail help prepopulate?
You can expect DataGrail to pre-populate the following sections for your review and adjustment:
- Data Subjects
- Personal Data
- Purposes
- Recipients
We may be able to pre-populate the following sections but they have particular legal effect and require your review and adjustment. Please seek legal guidance where appropriate.
- Legal Role
- Legal Basis
We may not be able to pre-populate the following sections because they are subjective to your specific practices.
- Personal Data Origins
- Consent Methods
- Protective Measures
Note: In all of these cases DataGrail is providing recommendations and not statements of fact.
What is new?
You will be able to choose from a streamlined set of options for each section within the Report.
Highlight: Personal Data
You will be able to select from a succinct set of general Personal Data Categories and add detail using the more granular Personal Data Elements.
Personal Data Categories cover
- Contact Information
- Employment & Business Information
- Education Information
- Government Identification
- Demographics & Psychographics
- Online & Mobile Data
- Online & Mobile Identifiers
- Security & Diagnostics Data
- Audiovisual & Sensor Data
- Location Information
- Biometric Data
- Genetic Data
- Health & Medical Data
- Payment & Financial Information
You can explore all options using dropdowns and you can search for Elements by keyword.
FAQ
Can I add custom categories to my System Reports?
Yes. You can add your own categorizations as Other or work with your DataGrail team to explore further customizations.
If you used DataGrail before August 2022, refer to this article.
Disclaimer: The information contained in this message does not constitute as legal advice. We would advise seeking professional counsel before acting on or interpreting any material.