Process mapping guide

As part of the preparation of the dataflow analysis, you must identify the processes in the company that involve processing of personal data. The purpose of the exercise is to ensure that processes are identified in the dataflow analysis.

In general, one questionnaire per process is to be completed. In the following, you can read about the characteristics of processes and how these can be pooled, so that you don’t have to complete as many questionnaires as there are processes.

How to identify processes and activities

First, establish an overview of the departments in the organisation, then of the essential processes in each department, and finally of the main activities within each process. As an example of how processes and main activities can be identified, we can take an HR department as our starting point:

First level consists of identifying the departments.

- In this case, Human Resources.

Second level consists of identifying the overall processes in the department.

- In this example, the HR department may be using the following processes:

  • Recruitment, on-boarding, performance evaluations, talent development, supplementary education/training, sick leave statistics, salary and pension payments, administration of employee benefits, travel booking and reimbursement, termination of employment and resignation, participation in job and career fairs.

Third level consists of identifying the main activities contained in each process.

- The example of on-boarding may, for example, contain the following main activities for the newly signed employee immediately and just after the first day of work:

  • Setup in IT systems and user registration, issue of computer and smart phone, introductory courses, photography for the website, issue of access card and parking permit, issue of work clothes and shoes, notification of other employees on the intranet, announcement of new candidate on website and social media, start-up review, lunch registration, information on contact persons in case of emergency etc.

The categories of data subjects whose data are processed must be described for each process.

- In the example of on-boarding, personal data on these data subjects are processed:

  • Employees (the newly appointed employee)
  • The contact persons of the new employee (probably close relatives)
  • External teachers
  • External photographer

Unless the activities are very different from each other, it is sufficient to complete one questionnaire per process (and not per activity). It may even be an advantage to pool several processes in one dataflow analysis, so that several processes are covered by one questionnaire. At the same time, take care that the questionnaire does not contain so much information that the description and later analysis become unwieldy and unclear.

Step 1: Establish an overview with DI’s standard template for process identification

As a start, we recommend that you use [DI’s standard template for process mapping].

The standard template must be completed with information on each process and the underlying activities. Besides this, you must describe the categories of data subjects and personal data that are contained in each process (not each activity). Finally, you may indicate systems used, special legislation and a contact person for the process.

The completed template must then be used as the basis for the pooling of processes and planning of interviews.

Step 2: Pooling processes and activities for data flows

There is no fixed rule for which processes can be pooled. In general, you should aim to pool processes when they meet the majority of the following conditions:

  • The categories of data subjects whose personal data are processed are the same.
  • The types of personal data processed largely coincide.
  • The IT systems in which the personal data are processed overlap.
  • The activities follow on from each other in time and the sub-purposes are harmonious.
  • The processes belong to the same department and have the same contact person.

Example from the HR department. In this example, several processes and activities can be pooled in one dataflow under the headline: “The ongoing employment”:

Process / Main activities / Categories of data subjects / Types of personal data / Systems and physical archives / Special legislation
On-boarding / E.g. setup in IT systems and user registration, photography, issue of work clothes and shoes / Employees / E.g. identification data, CV, grade transcript, photography, and personality test etc. / The HR system (internal); Email programme (internal)
Talent development / E.g. conducting talent development meetings, leadership courses and other work-related courses tailored to the individual employee. / Employees; External consultants / E.g. identification data, career development plans, supplementary education etc. / The HR system (internal); Email programme (internal)
Sick leave etc. / E.g. receipt of notices of sick leave, sick leave interviews, sickness benefit reimbursement etc. / Employees; Sick family members; Contact persons in the municipality / / The HR system (internal); Email programme (internal); Borger.dk (external) / Consolidation Act on Benefits in the event of Illness or Childbirth

In the same manner, many processes and activities can be pooled in an HR process under the headline “Recruitment and employer branding” and others under the headline “Ongoing employment and termination of employment”.

In this manner, the number of overall dataflows for which questionnaires must be completed is reduced.

Standard template for process mapping

Company: [Insert company name]

Department: [Insert department name]

Process contact person: [Insert name, email address and phone number]

Date: [Insert date for template completion]

Completed by: [Insert name and initials]

Process / Main activities / Categories of data subjects / Types of personal data / Systems and physical archives / Special legislation
E.g. Recruitment / E.g. receipt and screening of applications, personality tests, job interviews etc. / Potential employees / E.g. identification data, CV, grade transcript, photography and personality test etc. / HR-system (internal); Job agent system (internal); Email programme (internal) / Consolidation Act on the Prohibition of Differences of Treatment in the Labour Market etc.; Act on the Use of Health Data on the Labour Market