The POPI Act requires organisations to identify the processing of personal information in their possession or under their control and to keep track of that processing, including the locations, sharing, storage, and destruction of the information. Data flow analysis is a popular technique that is embedded in the POPIA platform for this purpose. Predefined templates and data flows are provided to help organisations map their processing of personal information.
Data flow maps should be one of the first artefacts an organisation produces in preparation for POPIA. This structured approach to data flow analysis will ensure all personal information being processed is discovered and included in the planning for the protection of personal information. Combined with a clearly defined lawful purpose, the data flow analysis considers whether the processing of personal information is adequate, relevant and not excessive. Data minimisation is an important condition for the lawful processing of personal information. Data subjects can object if they believe the processing of their personal information does not fulfil this condition. In order to object, data subjects may request information about the processing of their personal information. Consequently, data flow maps are an important record that must be established and made available to data subjects.
The POPIA platform provides a register of data flow maps, templates, and samples.