Mapping the personal data lifecycle

Back when I was still doing consulting, I did a lot of thinking about how to help my clients become more effective in thinking about privacy. At that time, I was reading a lot of books not only about privacy but about business and entrepreneurship.

The Business Model Canvas was quite popular online at that time, and I became interested in coming up with a mental framework for privacy. Sure, I could adapt the Business Model Canvas for privacy, but I didn't really see much benefit in doing that because I didn't think it was that useful as a construct for privacy. I wanted to come up with something that would be useful more often, for more organizations.

So I came up with a framework I called the Data Lifecycle Mapping Canvas.

A blank canvas

How do you use the canvas? I had it printed on a big tarp. The tarp can lie on a tabletop or be hung on a wall. The important thing is that everybody participating in the data lifecycle mapping can see it, and that the canvas is within reach of at least one of the participants.

At the start of the session, I hand out post-it notes on which the participants write the steps of the data lifecycle as data travels across the organization. Note that only one step should be written on each post-it note. This is so the steps can be easily rearranged based on the inputs and comments of the participants during the discussion.

Here is an example of a completed canvas:

(This is only for the purpose of demonstration and the steps depicted may not actually correspond to the processing activities of the Department of Foreign Affairs.)

You may have noticed that each step in the processing is placed in one of four quadrants designated as COLLECT, USE, STORE/DISPOSE, and DISCLOSE/TRANSFER. Thus, if the activity is part of the data collection process (e.g., the applicant's photo is taken), the post-it note is attached to the COLLECT quadrant; and if the activity pertains to processing (e.g., the DFA staff encodes the data into the passport system), then the note is attached to the USE quadrant.

Why do I ask participants to do this? Take a look at Sections 19 and 20 of the Data Privacy Act Implementing Rules and Regulations (DPA-IRR). These sections lay out the general principles for each of the data processing activities: collection, processing, retention, and sharing. These activities correspond to the quadrants of the canvas. By overlaying the principles on each quadrant, you get a shorthand reminder of the general principles you need to comply with for each processing activity.

Here is how the canvas looks with the applicable general principles overlaid:

At a glance, you now have a view of what you need to comply with at each stage of the lifecycle.

Pretty neat, yes?

(This framework is a work in progress. Let me know how I can make it better via the comments below or via email.)
