The GDPR Canvas & how to use it
Building on our experience advising technology companies on privacy and GDPR compliance, we are excited to release our GDPR Canvas publicly under a Creative Commons license.
The GDPR Canvas is inspired by the Business Model Canvas by Alexander Osterwalder of Strategyzer. It was designed by TechGDPR as a tool for the first steps of GDPR compliance, creating a first overview of the main data processing and data protection processes in place. The GDPR Canvas is best used as an early discovery tool for startups and companies with a limited number of processes, to create an overall picture of the status, or separately for each processing activity (or category of activities), e.g. marketing or financial administration.
Compared with a conventional, often rather tedious data mapping process, using the GDPR Canvas is an engaging, motivating and sometimes even fun way to discover the personal data in use; the bottom line is a quicker and more detailed discovery. The GDPR Canvas can also be seen as a Personal Data Processing Canvas: the key elements of the canvas are certainly not only applicable under the GDPR, but will also provide valuable insight under other privacy laws.
It should by no means be seen as a full solution for GDPR compliance, but rather as a tool to help explore the first steps. This GDPR Canvas does not replace professional consulting or legal advice.
Download the GDPR Canvas
GDPR Discovery Tool
A completed GDPR Canvas is a great starting point for a Data Protection Officer (DPO) or data protection specialist to begin a compliance process. Such a person will typically need to ask follow-up questions to understand the nitty-gritty details required for an in-depth assessment. It can also help greatly with implementing privacy by design: by completing a GDPR Canvas you can easily see data protection problems emerge and understand how your product can be improved to mitigate them.
Before starting on the GDPR Canvas, it is important to define and clarify the scope to the attendees. Are you talking about a whole organization, or about a specific project or department? Also make sure that you are talking about the flow of Personal Data only. Personal data is any data point or collection of data points that may lead to singling out a natural person.
If used in a group workshop, ensure that everyone has a clear understanding of this. It is recommended to do a brief run-through, with an exercise or clarification, before moving forward.
Using the GDPR Canvas in 5 steps
Structured approach to populating the GDPR Canvas
Preparations
If using it in a group setting, it is recommended to print out the GDPR Canvas on large-format paper (use the A0 PDF version of the GDPR Canvas), or project it in large format. Use sticky notes in different colors to add the different activities. Throughout the process you will probably want to de-duplicate, sort by priority and link items in different boxes together, which is easy with sticky notes. Make sure all participants have sticky notes available. To collect input from all participants, ask them to work individually and write their results on sticky notes. You can do this for some, or all, of the boxes on the GDPR Canvas. Afterwards, discuss the results, de-duplicate and prioritize.
If you are preparing the GDPR Canvas by yourself, print it out on A4 or A3. You can work in pencil directly on the GDPR Canvas, or use small sticky notes.
Step 1: Defining the main data flow
Start by defining the Data Sources. These are the different sources of data (such as your website, incoming email, a lead generation tool, incoming transfers of data, etc.) for your organization, department or project, and the goal is to list all of them as a starting point.
After this, explore which Data Categories (e.g. ‘email’, ‘date of birth’, ‘account ID’, etc) are collected through these sources, and write them on sticky notes. Where appropriate, use the same color sticky notes as in data sources to indicate the source of this data.
Lastly, under Data Recipients/Transfers, write down on sticky notes to which organizations data is being transferred. This does not include the organizations you contract to process your data on your behalf (these will be addressed later as Data Processors).
Step 2: Defining the Data Subjects
Define the Data Subjects of whom you are collecting personal data. Data Subjects are always natural persons, and a natural person at a company, for example identified by a personalized company email address, should be considered one too.
Common categories of Data Subjects include: Customers, Leads, Partners, Applicants (sometimes divided into new, rejected and accepted), Employees and, depending on your particular business, many more.
To indicate which categories of data are used for each of these, colored stickers or consistent colors of sticky notes can be used to show links throughout the GDPR Canvas.
Step 3: Defining the Data Processing Activities and Data Processors
The Data Processing Activities are the key activities your organization carries out using the data. Making available a website, collecting inquiries, receiving emails or keeping log files are examples of data processing activities.
It is recommended to collect these based on the data flow on top of the GDPR Canvas, and to collect individual input to be combined later, in particular when people of multiple departments are present.
When all Data Processing Activities have been collected, discuss (when in a group setting) where these activities are carried out. If another party, theoretically, could have access to the data, even when it is encrypted, they may be considered a data processor.
Data Processors may be hosting providers, analytics tools, recruitment tools or platforms, partner companies that perform certain tasks with personal data on your behalf, and sometimes even service companies. Note that those with their own reasons for processing data, such as accountants and DPOs, are typically not Data Processors but Data Recipients.
Tag the Data Processors with whom a Data Processing Agreement/Addendum has been executed (if known) with a sticker of a specific color.
Step 4: Defining the Purposes for Data Collection
The Purpose for Data Collection is extremely important under the GDPR. Every processing activity needs to be supported by a specific purpose, and purposes will need to be explained in your privacy policy.
It is important to note that data collected for a specific purpose cannot easily be repurposed. It is therefore important to think about all the possible purposes for collecting data and state them, so they can later be evaluated and legitimized.
Step 5: Defining Technical and Organizational Measures (TOMs)
Technical and Organizational Measures are in place to help you mitigate the risk of a data breach. The following table lists a few examples of measures you may have, or may want to put, in place.
Technical Measures:
- Access control system
- Regular backups
- Two-factor authentication
- Password strength requirements
- Storing data in multiple availability zones
- Access logging
- VPN usage
- Firewall in place
Organizational Measures:
- IT security policy
- Doors to server rooms are locked
- All employees have been bound by secrecy
- Access is only given on a need-to-have basis
- Using shredders for documents with personal data
As the same TOMs can apply to multiple data processing activities, and not all of them may apply to every activity, it is recommended to use colored stickers to tag these.
If you are just planning to put certain measures in place, but have not done so yet, it is recommended to tag this accordingly.
GDPR compliance based on the GDPR Canvas
Identifying the next steps
The GDPR Canvas is meant to provide guidance for the first steps of a GDPR analysis, which can be done by yourself or under the guidance of a privacy professional or facilitator. This significantly reduces the time needed to discover all processing, or to get a first insight into the problems around your data processing activities.
It is also very well suited for a product that is still in the design phase. By analyzing the GDPR impact from the beginning, red flags can be identified and resolved easily, before time, money and energy are spent on product development.
After having completed your GDPR Canvas, most of the next steps are best carried out together with a privacy professional. One thing you can already start looking at is whether a Data Processing Agreement/Addendum has been executed with every data processor, and collecting them in one place for easy analysis.
Some typical next steps include risk analysis, analyzing whether sensitive data is involved, analyzing the technical and organizational measures in place and understanding whether they are appropriate for your situation, and drafting a privacy policy, an internal IT security policy and other required documents.
TechGDPR offers a free initial call to help you with your particular situation, and can assist with these next steps.
GDPR Canvas – Credits
Editor/Author/Designer: Silvan Jongerius
Reviewers/Contributors: Alex Carroll, Tim Walters, Yulia Smotrova, Magda Grünenwald