An Ocean of GDPR Data Streams


In a previous post, I wrote about ‘GDPR or Bust!’. In this post I would like to venture deeper into the Ocean of GDPR Data Streams that I perceive may need to be crossed en route to GDPR Compliance.


Charting The GDPR Course Ahead

Example GDPR Project Activities

Understanding the scope of the commitment, resources, capability, capacity and competency needed to achieve project success is a vital part of setting sail for compliance. To help get the creative thought process rolling, consider a simple question: “Where is the ‘Personally Identifiable Data’ found in our organisation?” As a ‘Systems Thinker’, I think about many things in terms such as Supplier, Input, Process, Output and Customer. As a ‘Lean Thinker’, I think about how things can be visually represented. So when I’m asked to look at ‘Personal Data’ as it may flow, I can see in my mind’s eye that there are multiple streams of ‘Personal Data’ flowing, which include:

  • Operational Streams
  • Administration Streams
  • Technical Streams
  • The Logistical Supply Chain Streams
  • The Digital Supply Chain Streams

Depending on the glasses you view the world through, these many possible streams can be viewed from many different perspectives, including those of:

  • Data Owners
  • Operational Staff
  • Technical Staff
  • Data Controllers, Processors and Data Protection Officers
  • Compliance Officers/Quality Management Team
  • Administration Staff
  • 3rd Party Suppliers, Vendors and Partners
  • Autonomous Technology, Systems and Automated Devices
  • Legal Experts, Consultants and Subject Matter Experts
  • Users and Customers

While this list is not complete, most data streams flow through these hills and valleys, gathering speed and volume as data flows downhill. As the data flows, it is also important to keep in mind that ‘Personal Data’ can come in many forms, such as digital data, audible sound, printable paper, visual images and representations of our unique biometric human characteristics such as fingerprints, iris patterns and facial features, to name but a few. When you consider that the various data streams meet, mix and blend to suit the landscape they pass through and the purpose from which they sprang, it becomes more and more difficult to separate the streams and their origins once they all come together as a big ocean of data, commonly found at the heart of the organisation’s processing and control.


With this in mind, I’d like to share with you a visual team tool to help teams visualise and question “Where is the ‘Personally Identifiable Data’ found in our organisation?” Utilising this tool helps teams to ask many of the right questions about the Suppliers, Inputs, Processes, Outputs and Customers found in an ocean of ‘Personal Data’, and about which data stream the data can be tracked back through to its original source. It also allows a team to apply the same visual to each and every data stream as it flows forward and, again, to visualise the data stream from lots of different perspectives as the team uncovers and exposes more and more ‘Personal Data’ streams which flow in and out of the data systems, processes and controls.


This visual tool can help to trigger many ‘Personal Data’ questions, for example:

  • Who are the ‘Personal Data’ ‘Owners’?
  • In what ‘Forms’, frequency and quality do they supply ‘Personal Data’?
  • How, where and when is the ‘Personal Data’ being input into our ‘Control’?
  • What, how and why is additional ‘Data Processing’ carried out, before, during and after the main ‘Purpose’ of processing?
  • How, where, when and for how long is ‘Personal Data’ transported as it flows?
  • How, where, when and for how long is ‘Personal Data’ stored as it flows?
  • What, why, how and when is decision making or profiling applied as the ‘Personal Data’ flows?
  • What ‘Processes’, priority and ‘Purpose’ will the ‘Personal Data’ be focused on?
  • Who, how, why and when do others need access to such ‘Personal Data’?
  • What, how, when, where, why and to whom is ‘Personal Data’ being output?

… the idea is to trigger such questions and then explore answers.


It should also be possible to reverse the process and look up stream to ask more productive questions relating to Data Privacy, Protection and Minimisation by Design, for example questions such as:

  • Does the ‘Customer’ or ‘User’ of such ‘Personal Data’ really need it?
  • Can we track back and trace the source and purpose of such ‘Personal Data’?
  • How can ‘Data Processing’, ‘Storage’, ‘Transfer’, ‘Shared Access’, ‘Input’ and ‘Decision Making’ be better minimized, protected and privatised?

… and so, the process improvement ideas should also begin to flow.


By focusing on a visual and not just a long list of predefined textual questions, system, problem and design thinking is encouraged and can be viewed from multiple dimensions and many different perspectives.  Teams can question, explore and imagine an ocean of GDPR data streams and the flow of ‘Personal Data’ using a single simple visual aid.  When the team has concluded one ‘Data Stream’ they can then move onto the next, and the next, and the next …


Visualising A GDPR Data Stream

Visualising GDPR As Data Streams



