GDPR Canvas Archives - TechGDPR
https://techgdpr.com/blog/category/gdpr-canvas/
Mon, 04 Mar 2024 08:53:24 +0000

The GDPR Canvas
https://techgdpr.com/blog/gdpr-canvas/
Thu, 01 Aug 2019 15:37:00 +0000

The post The GDPR Canvas appeared first on TechGDPR.

The GDPR Canvas & how to use it

Building on our experience of consulting technology companies with privacy and GDPR compliance, we are excited to release our GDPR Canvas publicly under a creative commons license.

GDPR Canvas Workshop

The GDPR Canvas is inspired by the Business Model Canvas by Alexander Osterwalder of Strategyzer. It was designed by TechGDPR as a tool for the first steps of GDPR compliance and to create a first overview of the main data processing and data protection processes in place. The GDPR Canvas is best used as an early discovery tool for startups and companies with a limited number of processes, to create an overall picture of the status, or separately for each (category of) processing activity, e.g. marketing or financial administration.

As opposed to a possibly rather boring data mapping process, using the GDPR Canvas is an engaging, motivating and sometimes even fun way to discover the personal data in use, with the bottom line being a quicker and more detailed discovery. The GDPR Canvas can also be seen as a Personal Data Processing Canvas: the key elements of the canvas are certainly not only applicable under the GDPR, but will also provide valuable insight under other privacy laws.

It should by no means be seen as a full solution for GDPR compliance, but rather as a tool to help explore the first steps. This GDPR Canvas does not replace professional consulting or legal advice.

GDPR Discovery Tool

A completed GDPR Canvas is a great tool for a Data Protection Officer (DPO) or data protection specialist to start a compliance process from. Such a person will typically need to ask follow-up questions to understand the nitty-gritty details required for an in-depth assessment. It can also help greatly with implementing privacy by design: by completing a GDPR Canvas you can easily see the data protection problems emerge and understand how your product can be improved to mitigate them.

Before starting on the GDPR Canvas, it is important to define and clarify the scope to the attendees. Are you talking about a whole organization, or about a specific project or department? Also make sure that you are talking about the flow of Personal Data only. Personal data is any data point or collection of data points that may lead to singling out a natural person.

If used in a group workshop, ensure that everyone has a clear understanding of this. It is recommended to do a brief run-through with an exercise or clarification before moving forward.

Using the GDPR Canvas in 5 steps

Structured approach to populating the GDPR Canvas

Preparations

If using the canvas in a group setting, it is recommended to print out the GDPR Canvas on large-size paper (use the GDPR Canvas A0 PDF file), or to project it in large format. Use sticky notes in different colors to add the different activities. Throughout the process you will probably want to de-duplicate, sort by priority and link items in different boxes together, which is easy with sticky notes. Make sure all participants have sticky notes available. To collect input from all participants, ask them to work individually and write their results on sticky notes. You can do this for some, or all, of the boxes on the GDPR Canvas. Afterwards, discuss the results, de-duplicate and prioritize.

If you are preparing the GDPR Canvas by yourself, print it out on A4 or A3. You can work with pencil directly on the GDPR Canvas, or use small size sticky notes.

Step 1: Defining the main data flow

Start by defining the Data Sources. These are the different sources of data (such as your website, incoming email, a lead generation tool, incoming transfers of data, etc.) for your organization, department or project, and the goal is to list all of them as a starting point.

After this, explore which Data Categories (e.g. ‘email’, ‘date of birth’, ‘account ID’, etc.) are collected through these sources, and write them on sticky notes. Where appropriate, use the same color of sticky notes as in Data Sources to indicate the source of this data.

Lastly, under Data Recipients/Transfers, write down on sticky notes the organizations to which data is being transferred. This does not include the organizations you contract to process your data on your behalf (these will be addressed later as Data Processors).

Step 2: Defining the Data Subjects

Define the Data Subjects of whom you are collecting personal data. Data Subjects are always natural persons, and a natural person at a company, for example one identified by a personalized company email address, should be considered as such too.

Common categories of Data Subjects include Customers, Leads, Partners, Applicants (sometimes divided into new, rejected and accepted) and Employees, and can, depending on your particular business, include a lot more.

To indicate for which categories of data these are used, colored stickers or different, consistently used colors of sticky notes can be used to indicate links throughout the GDPR Canvas.

Step 3: Defining the Data Processing Activities and Data Processors

The Data Processing Activities are the key activities your organization carries out using the data. Making available a website, collecting inquiries, receiving emails or keeping log files are examples of data processing activities.

It is recommended to collect these based on the data flow at the top of the GDPR Canvas, and to collect individual input to be combined later, in particular when people from multiple departments are present.

When all Data Processing Activities have been collected, discuss (when in a group setting) where these activities are carried out. If another party could, even theoretically, have access to the data, even when it is encrypted, they may be considered a data processor.

Data Processors may be hosting providers, analytics tools, recruitment tools or platforms, partner companies that do certain tasks with personal data on your behalf, and sometimes even service companies. Note that those with their own reasons for processing data, such as accountants and DPOs, are typically not Data Processors but Data Recipients.

Tag with a sticker of a specific color those Data Processors with whom a Data Processing Agreement/Addendum has been executed (if known).

Step 4: Defining the Purposes for Data Collection

The Purpose for Data Collection is extremely important under the GDPR. Every processing activity needs to be supported by a specific purpose, and the purposes will need to be explained in your privacy policy.

It is important to note that data collected for a specific purpose cannot easily be repurposed. It is therefore important to think about all the possible purposes for collecting data and state them, so they can later be evaluated and legitimized.

Step 5: Defining Technical and Organizational Measures (TOMs)

Technical and Organizational Measures are in place to help you mitigate the risk of a data breach. In the following table you will find a few examples of measures you may have, or may want to put, in place.

Technical Measures:
  Access control system
  Regular backups
  Two-factor authentication
  Password strength requirements
  Storing data in multiple availability zones
  Access logging
  VPN usage
  Firewall in place

Organizational Measures:
  IT security policy
  Doors to server rooms are locked
  All employees have been bound by secrecy
  Access is only given on a need-to-have basis
  Using shredders for documents with personal data

As the same TOMs can apply to multiple data processing activities, and not all of them may apply to every activity, it is recommended to use colored stickers to tag them.

If you are only planning to put certain measures in place but have not done so yet, it is recommended to tag this accordingly.
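As an added example (not TechGDPR's code and not part of the canvas itself), the following Python script models the five boxes from the steps above as plain data and runs the consistency checks the steps imply: every activity names a purpose and data subjects, every data category traces back to a data source, every data processor is listed with its DPA status, and every tagged TOM is marked as in place or merely planned. Every source, processor, measure and activity in it is constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Processor:
    name: str
    dpa_executed: Optional[bool] = None  # None = unknown, mirrors "if known" in step 3


@dataclass
class Measure:
    name: str
    kind: str               # "technical" or "organizational"
    in_place: bool = True   # False = planned but not yet implemented (step 5 tag)


@dataclass
class Activity:
    name: str
    data_categories: set[str]
    data_subjects: set[str]
    purposes: set[str]
    processors: set[str] = field(default_factory=set)
    recipients: set[str] = field(default_factory=set)
    measures: set[str] = field(default_factory=set)


@dataclass
class Canvas:
    data_sources: dict[str, set[str]]   # source -> data categories collected via it
    processors: dict[str, Processor]
    measures: dict[str, Measure]
    activities: list[Activity]


def find_gaps(canvas: Canvas) -> list[str]:
    """Return one human-readable line per inconsistency found on the canvas."""
    gaps: list[str] = []
    sourced = set().union(*canvas.data_sources.values()) if canvas.data_sources else set()
    for a in canvas.activities:
        if not a.purposes:
            gaps.append(f"{a.name}: no purpose stated (step 4)")
        if not a.data_subjects:
            gaps.append(f"{a.name}: no data subjects defined (step 2)")
        for cat in sorted(a.data_categories - sourced):
            gaps.append(f"{a.name}: category '{cat}' has no data source (step 1)")
        for p in sorted(a.processors):
            proc = canvas.processors.get(p)
            if proc is None:
                gaps.append(f"{a.name}: processor '{p}' not listed (step 3)")
            elif proc.dpa_executed is None:
                gaps.append(f"{a.name}: DPA status with '{p}' unknown (step 3)")
            elif not proc.dpa_executed:
                gaps.append(f"{a.name}: no DPA executed with '{p}' (step 3)")
        if not a.measures:
            gaps.append(f"{a.name}: no TOMs tagged (step 5)")
        for m in sorted(a.measures):
            meas = canvas.measures.get(m)
            if meas is None:
                gaps.append(f"{a.name}: measure '{m}' not defined (step 5)")
            elif not meas.in_place:
                gaps.append(f"{a.name}: measure '{m}' is planned, not in place (step 5)")
    return gaps


# Constructed sample canvas: a small startup with three processing activities.
SAMPLE_CANVAS = Canvas(
    data_sources={
        "Website": {"email", "IP address"},
        "Recruitment tool": {"email", "CV"},
    },
    processors={
        "Hosting provider": Processor("Hosting provider", dpa_executed=True),
        "Analytics tool": Processor("Analytics tool"),      # DPA status unknown
    },
    measures={
        "Two-factor authentication": Measure("Two-factor authentication", "technical"),
        "Access logging": Measure("Access logging", "technical", in_place=False),
        "IT security policy": Measure("IT security policy", "organizational"),
    },
    activities=[
        Activity("Newsletter", {"email"}, {"Leads"}, {"Sending product updates"},
                 processors={"Hosting provider"},
                 measures={"Two-factor authentication", "IT security policy"}),
        Activity("Web analytics", {"IP address"}, {"Customers"}, set(),
                 processors={"Analytics tool"}, measures={"Access logging"}),
        Activity("Recruiting", {"CV", "date of birth"}, {"Applicants"},
                 {"Evaluating applications"}, processors={"Recruitment platform"}),
    ],
)

if __name__ == "__main__":
    for line in find_gaps(SAMPLE_CANVAS):
        print(line)
```

Run against the sample, the "Newsletter" activity is clean while the other two produce six findings, each pointing back to the step of the canvas where the missing sticky note belongs. Treat the list as the DPO's follow-up question list rather than a verdict: a "DPA status unknown" line means a contract has to be looked up, not that one is missing.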

GDPR compliance based on the GDPR Canvas

Identifying the next steps

The GDPR Canvas is meant to provide guidance for the first steps of a GDPR analysis, which can be done by yourself or under the guidance of a privacy professional or facilitator. This significantly reduces the time needed to discover all processing, or to get a first insight into the problems around your data processing activities.

It is also very well suited for use with a product that is still in the design phase. By analyzing the GDPR impact from the beginning, red flags can be identified and resolved easily, before time, money and energy are spent on product development.

After having completed your GDPR Canvas, the majority of the next steps are best carried out together with a privacy professional. One thing you can already start looking at is whether a Data Processing Agreement/Addendum has been executed with every data processor, and collecting them in one place for easy analysis.

Some typical next steps include risk analysis, analysis of whether sensitive data is involved, analyzing the technical and organizational measures in place and understanding whether they are appropriate for your situation, and drafting a privacy policy, an internal IT security policy and other required documents.

TechGDPR offers a free initial call to help you with your particular situation, and can assist with these next steps.

GDPR Canvas – Credits

Editor/Author/Designer: Silvan Jongerius
Reviewers/Contributors: Alex Carroll, Tim Walters, Yulia Smotrova, Magda Grünenwald

Our first open GDPR Canvas workshop
https://techgdpr.com/blog/our-first-open-gdpr-canvas-workshop/
Tue, 21 May 2019 15:15:52 +0000

The post Our first open GDPR Canvas workshop appeared first on TechGDPR.

On Thursday May 16th 2019, TechGDPR hosted its first open GDPR Canvas workshop, ‘Starting GDPR compliance with the GDPR Canvas’, for members of Factory Berlin. The GDPR Canvas Workshop is normally delivered within a team or organisation, but for this workshop we wanted to gain experience with the open format, with participants from different projects and companies.

The GDPR Canvas Workshop

This open workshop, based on the GDPR Canvas, was run by Silvan Jongerius and Alex Carroll of TechGDPR. It provided a starting point for understanding data flows, which is a required first step towards understanding more about your GDPR compliance and defining the purposes, means and other key properties that you will need to make known to your data subjects.

The GDPR and the GDPR Canvas

The GDPR came into force almost a year ago and has enhanced awareness about the data we process of others and the measures needed to protect that data. This was clear from the questions participants raised during the session. Protecting our own data is, for most of us, a difficult task. But what about protecting data that does not belong to us?

The GDPR Canvas is a methodology developed by TechGDPR, made available for free under a creative commons license, which helps with the discovery of one’s processing activities. Participants can visualise which key pieces of information are needed to identify problems, assess the data processing risks and start writing their privacy policy.

The GDPR Canvas

The GDPR Canvas Workshop

After an introduction to the key elements of the GDPR, participants were guided through exploring their own data processing activities using the GDPR Canvas.

Going through this structured approach encouraged participants to develop a high-level overview of how data are treated within their own company or organisation, and to create a solid starting point for the compliance of their startup, department, product or even future product.

GDPR Canvas Workshop experience.

Participants were asked to define the main data flow, data subjects, data processing activities and data processors, and purposes of data collection. They also had to think about the Technical and Organisational Measures (TOMs) in place to mitigate the risk of a data breach. Those who took part in the workshop showed a solid interest in gaining insight into how they might avoid pitfalls and start or improve their GDPR compliance. Attendees’ sentiment revealed that this workshop was really valuable, as we had an enthusiastic and interesting team with participants coming from very different backgrounds: private and public sectors, freelancers as well as employees of larger companies.

After sharing their observations and taking part in the discussion of other cases, one participant mentioned, “It was also good to hear other people’s experience” and “the interactive format allows attendees to think through their specific issues but also to hear about issues others were facing and they possibly may need to address”.

Alex from TechGDPR talking about risk under the GDPR.

As the last part of the GDPR Canvas workshop, Alex of TechGDPR guided the participants through the risk-based approach to data protection and information security, giving some first pointers on how to treat risk by identifying, evaluating and prioritising their efforts on data security. After assessing their own company risks, participants were also given some food for thought about practical solutions to secure their data, and some ideas on how to continue the work on GDPR compliance after the GDPR Canvas workshop.
