What is a Data Flow Diagram? Privacy and Compliance

January 02, 2023 | 4 minutes read

As businesses continue to collect the personal information of consumers on a global scale, these organizations must uncover new ways to protect this data, be it to maintain compliance with a privacy law such as the EU’s General Data Protection Regulation (GDPR) or to build trust with their respective customers, among other things. With this being the case, one mechanism that businesses can use to more effectively understand the trove of information they collect from their customers is a data flow diagram. To this point, “Data flow maps are a recognized method of tracing the flow of data through a process or physically through a network.”

To illustrate the functionality of a data flow diagram, consider a retail clothing store that processes multiple credit card transactions on a daily basis. Under the provisions of the PCI Data Security Standard (PCI-DSS) in 2006, businesses that handle such transactions are required to protect the financial information of their customers, as well as document all transactions that they conduct over the course of a given fiscal year. Subsequently, this business in question could use a data flow diagram to show the origin of the data, the location in which transactions were processed, and the location in which the data was stored, in addition to other pertinent information.

What kind of data is included in a data flow diagram?

At a baseline level, a data flow diagram should depict where the numerous devices that a business uses to collect and process personal data are located on a particular network, as well as how these networks are connected to the physical locations that a specific business or organization maintains. To this end, some examples of items and devices that should be included within a data flow diagram include but are not limited to the following:

Security gateways for HTTP and emails.
Routers and switches.
Firewalls.
File and database servers.
Storage area networks.
Endpoints such as mobile devices and laptops.
Databases that contain personal information.
Network demarcation points.
Remote access points.

General rules for data flow diagrams

First popularized by computing pioneers Ed Yourdon and Larry Constantine during the late 1970s in a book titled Structured Design, data flow diagrams were based on the “data flow graph” computation models by David Martin and Gerald Estrin.” As this model gained popularity within the field of software engineering, Yourdon and Constantine applied the same principles to personal data management. Likewise, data flow diagrams are typically governed by the following four rules:

Each process within the diagram should have at least one input and one output.
Each data store within the diagram should have at least one data flow in, as well as one data flow out.
All data that is stored within the system should go through some form of process.
All processes that take place within the diagram should go through another process or data store.

Furthermore, in addition to the devices that a business uses to process personal data, as well as the rules that will govern the process flow, data flow diagrams will also contain the following four symbols that will serve to facilitate the process flow:

External entities- An outside system or entity that sends or receives information. This system will then communicate with the system that is being diagrammed.
Processes- Any process that changes the data and produces an output as a result of the process i.e. paying for an article of clothing.
Data stores- Files or repositories that hold the personal information of a business or organization for later use. These files and repositories will all have basic labels such as “order”, “return”, etc.
Data flow- The route that the data takes through the external entities, processes, and data stores that are contained within the data flow diagram.

What are the benefits of a data flow diagram?

Most notably, data flow diagrams are one of the most effective ways to maintain compliance with privacy rules and regulations such as GDPR and PCI-DSS compliance, as these regulations require businesses to prove that they are handling the personal information of their customers in a safe and secure manner at all times. In staying with the example of a retail clothing store, customers will be less likely to shop with a brand that is regularly impacted by data breaches. However, data flow diagrams can also help businesses gain a better understanding of the desires and needs of their customers, as the process can also be a valuable tool for understanding customer insights.

Data flow diagrams offer businesses of all scopes and sizes the opportunity to track the personal data of their customers in a more efficient manner, as this data will only continue to grow as more and more transactions are performed. In this way, these diagrams are also one of the foremost ways in which the everyday consumer can ensure that their personal information is both accounted for and protected, as such information could easily be used for nefarious purposes if it were to fall into the wrong hands. For this reason, data flow diagrams will continue to be an advantageous mechanism for businesses in years to come.