It’s everywhere. From cutting-edge customer relationship management software (CRMs), to legacy silos tucked away in forgotten corners, your organization is swimming in data. And more pours in every day. Much of that data is sensitive: A category of personal data that carries strict compliance duties and significant risks.
You can’t safeguard information or meet your compliance goals if you don't know what data you have, where it lives, and how you’re using it. Whether you’re focused on meeting short-term compliance goals or building an entire privacy program from scratch, here’s what you need to know about data mapping.
What is data mapping?
Data mapping is the process of creating a record of your organization’s data practices. Organizations collect many types of data from different sources and for different purposes. A data map provides a complete record of what data your organization has, where you’re keeping it, how you’re using it, and what processes you have in place for correcting, protecting, and deleting it. Armed with this information, you can more easily meet regulatory compliance goals, control your digital footprint, and limit risk. In addition, you can make better use of data-driven insights.
Take the first step toward compliance.
Why do you need a data map?
Simplify regulatory compliance
Regulatory compliance is essentially impossible without data mapping first. In some cases, data mapping is explicitly required. For example, Article 30 of the General Data Protection Regulation (GDPR) requires data controllers and processors to carry information on:
- Categories of personal data collected.
- Categories of data subjects.
- Countries outside the EU (excluding those given a positive EU adequacy decision) where the data will be stored or processed.
- Recipients who have access to the data.
- Technical and organizational controls used to protect the data.
Even where data maps aren’t explicitly required for compliance, in practice they’re generally necessary. For example, under the California Privacy Rights Act (CPRA), Californians have a right to know what data an organization has about them. They also have the right to correct their data, delete it, or simply access it. Without a data map, you can’t satisfy CPRA’s “right to know” provision, because you can’t confirm you’ve accounted for all the data you store about a person.
Privacy and security
Data mapping enables you to control and monitor data access and ensure sensitive information is correctly tagged and protected. If a breach or data loss occurs, a data map will help you respond quickly. You’ll have an easier time figuring out what data has been affected and you can remediate the breach more quickly.
Data management
Companies continuously amass data to serve the needs of many different stakeholders. Data mapping enables your organization to create a unified strategy to manage all this data. Data maps reduce duplication, reconcile inconsistent records, and indicate what data should face deletion — which means a smarter data minimization strategy. Data mapping also helps you derive more value from the data you collect, ensuring that stakeholders have access to the most relevant information.
Audits
The better your records, the quicker and easier the audit. Data mapping allows you to present auditors with a complete record of your data practices and helps establish that you’ve made a good-faith effort to meet regulatory requirements.
What to include in your data map
Your data map should provide a complete picture of your data practices and lifecycle – from collection to deletion. It should answer all the following questions:
- What is the data source? Data can come from consumer apps, third-party vendors, sales, and many other sources. Your data map should enable you to see which feature or tool pertains to which data processing record.
- What is the source collecting? Your map should break data down into particular types and their associated sources. For example, if you’re a B2B company that provides downloadable assets in exchange for contact information, your map should record every type of data collected in that dataset (e.g. name, employer, business email, job title, etc.).
- What is the rationale for data collection? Personal data is often governed by compliance rules like the CPRA and the GDPR, which require you to disclose why you collect personal data. You can only use the data collected for that purpose. Other types of data, such as market research, can be reused and repurposed freely as long as they don’t contain personal information. Recording the rationale for your data collection will help you comply with regulatory use-restrictions when they’re applicable and also enable you to use data more effectively in general.
- What are your data deletion rules? Do you delete data from a particular set after 30 days? Once it has fulfilled its purpose? Or does it just continue to accumulate indefinitely?
If you’re just starting your data mapping journey, there’s a good chance it’s the latter (at least for a few data sets). Without a data deletion policy, you face increased breach risks and impede compliance efforts. Mapping out your data deletion policies (or lack thereof) is an important step towards implementing better data governance.
- Who has access to the data? Is it only available to certain departments or stakeholders, or is it freely shared throughout your organization? Which partners, vendors, and clients have access to it? Breaking down how access is controlled will help you spot vulnerabilities, protect sensitive data, and comply with CPRA deletion requests (among other regulatory requirements).
- Where is the data? It’s essential yourecord where data is processed, stored, and used. Which country stores the data? Where does the data live at rest? Do you transport the data across borders via the cloud? Once you determine all of that, document it.
- How is the data stored? What format is the data kept in? Is it encrypted or retained in plaintext? Your map should include paper backup databases and temporary data stores. For example, if you’re a medical provider, you may have patients complete paperwork on an electronic tablet and then, later, move that information to a secure database. In that case, your data map should include the initial patient forms and the database the information is sent to.
Automate your data mapping activities.
How to make a data map
Get buy-in from stakeholders
Data mapping isn’t a one-and-done process. New products, updates, and policies can change your data landscape, and those changes need to be reflected in your data map. With the right tools, making future changes is easier. But it does take vigilance.
Recruiting champions who are invested in data mapping can help with initial data mapping and with keeping the map up-to-date. Ideally, you should recruit stakeholders in different departments, such as product and marketing, to ensure you have an evangelist in place anywhere your company is making decisions about data.
Prioritize data sources based on privacy and compliance goals
Start with projects where you have the most to gain from data mapping. For example, if you’re focused on CPRA compliance, you might want to start with a system that collects or stores personal information, such as your CRM or a consumer-facing app. Alternatively, you may decide to focus on protecting valuable business information or partner assets.
Document each feature
We discussed this a bit earlier, but it’s important enough to repeat: Your data map should accurately reflect which types of data are collected by every feature. Having that type of detailed information will make it much easier to track your data practices.
Review data changes at the beginning of projects
Many types of projects and initiatives can affect your data landscape. It could be that you’re updating a feature, releasing a new product, or onboarding a vendor. That’s why project leads should document proposed data practices and share them with their privacy team before hitting “go.”
Your privacy team can then make any necessary tweaks, as well as to update your data map and policies as needed. An accurate data map can help eliminate the need for future remediation, save time and money, and prevent potential bottlenecks in your product development strategy.
How TerraTrue can help
Because structured data runs at the heart of TerraTrue, our privacy-by-design platform automatically generates accurate data maps, records of processing activities (ROPA), and data inventories that align with the European Data Protection Board, the French data protection regulator (CNIL), and the Information Commissioner’s Office’s requirements. As you launch new features or modify existing programs, TerraTrue’s data map automatically evolves to reflect changes in how you handle, process, share, and use data. As your documentation accumulates, TerraTrue will help you spot the details and projects that matter. Our robust filtering tools can help you identify specific launches and optimize your privacy program. If a regulator is to request a copy, TerraTrue quickly pulls all your ROPAs into local spreadsheet files for future reference and records.
