Data Mapping – No. 2

Data Mapping – No. 2

Intro and comments

We have met with the team who will be taking us through the process of becoming GDPR compliant and have made some plans. This week we are sharing those plans and giving you a chance to think about who in your practice will be needed, for how much time and over what duration.  This will be a process rather than a tick box exercise, but you will see a number of key actions points below. Some of these actions will be one-offs and others will need to be maintained at intervals and we will point those out as we go along.

We started the ball rolling by looking at baseline data mapping. “We” are two practices in Hammersmith who are planning to co-locate and eventually merge in new premises. Both practices wanted to go through our GDPR requirements as a single unit, which we think will form a good foundation for us as we start working together. Our two PMs got together for one-half day this week and were taken through how to identify what sort of data we collect, why we collect it and who it is shared with.

Review of action points from the prior session:

No action points today, but this section will be updated in subsequent blogs.

Work covered this week:

A) Interim Fair Processing Notices – please don’t skip this bit!

The GP GDPR resource pack sent to you on the 24th of May contained examples of an A3 poster to be displayed in your surgeries with basic details about sharing for you to show your patients, and also an interim Fair Processing Notice (the same as a Privacy Notice).

Please note these have now all been updated as part of the work undertaken in this blog.  All the details about the latest Fair Processing Notices including A3 posters can be found in the Layered Fair Processing Blog No.10


Action point: Fair Processing Notice

Publish the updated Fair Processing Notice section on your practice website. Make sure the URL which links to CCG sharing websites is the one pertinent to your CCG. Please note that even if you had already uploaded the interim FPN to your website, please repeat this process with the latest document in Blog No.10.

Action point: A3 Poster

Go to Layered Fair Processing Blog No.10 for A3 posters that you can display in your practice.

B) Baseline Data Mapping

All GP practices need to go through a process of identifying the data they hold by building an information asset register as well as mapping the flows of data which come into and out of the practice. Excel-based templates giving examples of this can be found in the GP GDPR guidance pack.  The Information asset register is a spreadsheet called “Electronic Documents” and the other is the “Data flow mapping template”. Don’t open these just yet, because we have populated those examples (see below Output documentation:) which may be a better starting point.

Action point: Information asset register

List all types of electronic data held in the practice, the use, owner, access control etc. By allocating the risk of a breach (1-5) and the likelihood of this occurring (1-5), a combined overall risk >10 can be qualified with mitigations to reduce the risk. If the potential loss of any data identified is mission critical then this should be addressed in a business continuity plan.

Action point: Data flow mapping template

The Data flow maps are broadly divided into data coming into and data leaving the practice. The headers on each document are self-explanatory and include the type of data, the medium, the recipient, the protection, the frequency and volume of the send. On the right side of the table, the purpose and legal basis under GDPR are also recorded. As with the Information Asset register, it is possible to attribute and quantify an overall risk. For those flows associated with a high risk >10 (colour coded amber or red), you should outline any mitigation you have taken to reduce this.

Having been through this process, the purposes of the data (and applied attributes) are likely to be the same for practices offering a standard range of services to NHS patients in NWL.  So you may prefer to use the output documents from our work as your template and I would anticipate that over 90% of the identified types of data and data flows will be the same. The details of where you store data may vary. So too will the type of data, depending on which services you offer. So for example, if you see private patients and manage their data differently from your NHS patients this may need a revised entry. Likewise, if you offer nursing home care, or are doing research projects, or are acting as a hub for out of hours service delivery, these should all be considered as separate lines of data in their own right.  It is possible that we may have missed a category of data which you decide needs to be identified. If this is the case, please let us know on and we will share this information. If you have identified different types of data use and are not sure how to classify this (e.g. the legal purpose) please ask and we will put the answer in the FAQ.

** The assessed risks in the two output documents which we have generated (Information Asset Register and the Data Flow Mapping Register) are specific to our practice and these are judgement decisions which have been taken by our partners. It is the responsibility of each practice to assess and manage their own risks based on their own local circumstances. **

This data mapping information is needed in order to draw up a Fair Processing Notice (the same as a Privacy Notice) which is a task being done centrally for all GP practices across NWL. In addition to the data mapping, the FPN requires input from a Data Protection Impact Assessment (DPIA), which will also be provided centrally and will cover this need for most practices.  If your practice is undertaking research or pilot studies or sharing data in new ways, you are likely to need to do you own DPIAs; we will look at this in more detail in next week’s blog.

The data mapping and registration process show us what data we have, why we use it, the flow of data into and out of our practices and the relative risks in any given situation. In order to “Close the loop” and use this information to good effect, we need to mitigate those identified risks where they are significant and those mitigations should be manifest in our practice policies around data security. So, for example, many of the worst case scenarios relating to data loss should be detailed and addressed in our business continuity plans (more on this in Blog 9).

C) Staff GDPR training

Talk about GDPR at your practice meetings to raise the profile of this subject. Encourage your staff to ask questions and refer them to the FAQ if needed. If there are questions which are not answered by the FAQ you can email requests to the support email: We will talk in a later blog about more specific and practical staff training. However, as an adjunct to this, do consider using an online resource (e.g. Bluestream Academy, there are others) which has a module on GDPR theory which practice staff can go through.

D) Keeping track of progress

Please note that the practice checklists (see below) will be numbered sequentially across all the blogs. When we have finished, it will form a complete list of all the tasks required for your practice to have reached GDPR compliance. This can be revisited and undertaken by practices who wish to follow this process later.

Every time there is a blog update we will email your Practice Manager and your nominated GDPR lead if they are different.

We are keen to identify and help practices who may need more support and so it would be useful for us if you could let us know once a week when you have completed any of the itemised checklists. We can collate this information against your practice and will share it with the CCG whose IT teams or GDPR lead may contact you. This is a request for information which will help us to help you. However, we do not have the resource to follow up those practices who do not send it.

E) Structure and format of this Blog

In the interests of usability we have agreed on a consistent structure for each of the blogs:



 F) Estimated timetable

Resources used

  • GP GDPR resource pack. Please use this on-line document rather than the document sent to you by email, as it will change over time and this one contains the most up-to-date links and resources.
  • FAQ-V2.1
  • Support Email


Output documentation

Learning points

  • There will be a standard structure to the blog, with checklists which practices can go through and share with us.
  • An FPN and a DPIA have been commissioned across NWL and practices will be able to use and point to these when completed. Interim A3 posters and FPNs have been provided which should be displayed in your practices and published on your websites, pointing to your local CCG sharing website.
  • You should build an information asset register and map the flows of data in and out of your practice
  • The mitigation of any significant risks to data which we have identified through data registration and mapping should in due course be reflected in our practice policies, protocols, guidelines and procedures (this will be dealt with in blog 9)
  • Practice Staff can use online training modules to learn about GDPR


Practice checklist

  • To do 01  If you have not already done so please appoint a GDPR lead for your practice and let us know their name and email address by sending this and your practice details to
  • To do 02  Review the email and GP GDPR resource pack sent on 24th May
  • To do 03  Publish the new Fair Processing Notice section on your practice website (with links to your local CCG sharing web site). Please note that even if you had already uploaded the interim FPN to your website, you should repeat this process with the new Fair Processing Notice in Blog 10
  •  To do 04   Display the new A3 Poster in your practice (see Blog 10)
  •  To do 05  Build an information asset register and map the flows of data in and out of your practice
  • To do 06  Consider using an online resource (e.g. Blue Stream Academy, there are others) which has a module on GDPR theory which practice staff can go through
  •  To do 07  Please let us know at intervals how you are progressing on these checklists

Work planned for next session on 28.06.18

  • DPIA assessment and review
  • Check shared data mapping and asset registers
  • Patient rights process review

Comments are closed.