Risk Assessment GDPR Data Flow Analysis

In order to fully understand a company's security risks and understand your GDPR Data Mapping requirements, we must first analyze the workflow of the sensitive data.

What is the Data Flow Analysis?

A thorough analysis of how an organization's users are utilizing their sensitive data in rest and in motion in ways that vulnerability scanning tools cannot detect. The purpose of this is to define necessary GDPR required Data Maps and understand boundaries for security responsibilities as well as confirm that data transmission is secure and protected from a compliance perspective.

What are Data Maps?

As part of GDPR compliance, organizations are required to map their data and information flows in order to assess their privacy and to form part of their registration documentation. To effectively map their data, an organization needs to understand the information data flow, and identify its key elements. Learn more about GDPR Data Maps here.

Data Flow Analysis Phases

The Data Flow Analysis phase of the risk assessment is completed in two parts:

  1. Data Flow Questionnaires
    1. Sent to all employees within the organization
    2. Designed to take approximately 10-15 minutes to complete by each team member
  2. Data Flow Interviews
    1. Interviews are conducted with 1-2 resources per department that store or transmit sensitive data discovered in the Questionnaire

Data Flow Process Flow


Client Approvals & List of Users

  1. Client Completes Approval Form
  2. Client Provides List of Users for Data Flow Questionnaire
Internal Client Management Email
  1. Choice provides email template to client management team
  2. Client Management team member sends email all Questionnaire users & alerts Choice team when complete
3-4 Choice Questionnaire Emails
  • Choice will send an initial email to all Questionnaire users provided
  • Choice will send reminder emails to users that have not completed Questionnaire
4-2 List of Interviewees
  • Choice will select users for Interviews based on Questionnaire answers
  • Choice submits the list of interviewees to management team for approval
  • Client Management team approves interviewees list
5-1 Conduct Interviews
  • Choice will reach out to each user to schedule interviews 
  • Choice team will conduct 10-15 minute interviews with each team member
Copy of Copy of Copy of Step 1 Data Review & Analysis
  • Choice team will review all data flow answers and identify GDPR Data Map requirements
  • Compile results in Executive Summary

Client On-boarding Responsibilities

  1. Gather a list of all users
    1. We prefer a spreadsheet with first name, last name, email address & department 
    2. Please be sure to indicate any resources you feel are critical as part of this process
  2. Check Your Email to review and Complete the Choice CyberSecurity Data Flow Questionnaire Approval Form provided
    1. At the end of the questionnaire, you will be prompted to provide a list of participants and their email addresses
  3. Once approved, we will send another email with the Management Email Template and unique form for you to Send Management Team Email to all Questionnaire participants
  4. Alert Choice team when email has been sent to begin our email process approximately 2 business days after your email has been sent

Please DO NOT send the Data Flow Analysis Approval Form to your users. The approval questions at the end will confuse them and it is not designed to collect results from more than one team member.