Data Maps: What Is It And The Best Techniques and Tools
December 17, 2021
Since the inception of GDPR, millions of companies around the globe have been racing to implement data privacy programs to demonstrate compliance to regulators and keep up with the ongoing demand for privacy requirements from their customers.
Consumers and laws are demanding companies understand how personal data is handled, and where it might exist. An up-to-date data map is vital for compliance with the new wave of privacy laws such as GDPR in Europe, or CCPA in the United States.
In order to get a holistic view of where to start and what’s required, organizations must understand what aspects of their organization may have privacy requirements, or need addressing. Depending on the company, there could be few or many areas that will need coverage when operating your privacy program. The data map helps establish what these areas and requirements are.
The starting point for many privacy programs around the globe is beginning to document your personal data across your organization. This can be extremely challenging if you are taking on this task while your business has been operating for several years. In this article, we cover exactly how to kick off this process.
What is a data map?
There are a few terms that industry folks might refer to when referencing data mapping including data flow, Records of Processing, GDPR Article 30, data inventory, or CCPA personally identifiable information disclosure. These terms are interchangeable, and the concept is the same: a thorough understanding or documentation of how your company processes personal data, and how it flows in or out of your organization.
A good way to think of your data map is the who, why, and what around your data processing. In a nutshell, the data mapping process and documentation uncovers some important questions for your privacy program:
- What personal data does my company collect?
- How long does my company retain this data for, and how do we delete it?
- Why does my company collect and process this data?
- How does my company process this data?
- Where does this data come from?
- If digital, what business system hosts this data?
- Where does this data geographically reside?
- Who do we share this data with?
The objective of your data mapping documentation is to provide a high-level overview of every piece of personal data in your business databases. Although the idea of data mapping seems obvious, building one can be daunting, cumbersome, and complex. Companies add new departments as they grow, and we often see silos form across the organization. This makes it very difficult to record and manage the different third-party systems and vendors, and governance becomes a nightmare.
Can you just do this later and as you go? Absolutely not, especially if you do business in jurisdictions like Europe or California. If you don’t know what personal data exists and where, demonstrating compliance is impossible: you won’t know where to start when you have a data breach, or a data subject request that is due in a few days before you are in violation.
Why do you need a data map?
Data continues to become more essential as companies modernize and scale up. Your company will continue to lean on data more and more to drive business decisions and increase revenue. Concurrently, more and more data privacy legislation is being introduced around the globe making compliance more complex. At the base of each legislation, your data map will be a tool to help you map what your compliance requirements are.
Compliance
The data map is often the starting point for privacy program kick-offs, and often cost of compliance is used as the key driver. The cost of compliance could be hefty. Since the inception of Europe’s GDPR, we’ve seen over $300M in fines issued from European countries to businesses worldwide. These fines are not looking to slow down anytime soon, and will continue to accelerate as new regulations roll out.
Increased Revenue, Shorter Sales Cycles
A recent survey from Cisco shows that 74% of consumers won’t purchase products that don’t adhere to consumer privacy. Businesses that already have privacy compliance and programs in place are seeing as much as a 90% drop in their B2B sales cycle duration.
When you are trying to win B2B vendor deals or win over customers, having a data map becomes important: it gives you context on your business’s data processing to help with vendor questionnaires, policy notices, and contract development.
Brand Trust
75% of shoppers will prioritize brand trust over price when purchasing a product. Providing privacy assurances and disclosing them to your customers will help your customers understand that their personal data is respected at all times.
What does a data map look like?
A data map should contain (at minimum) some high-level information about personal data and how your business processes it. It’s not an exhaustive list of the detail you might need to account for, but it’s a great starting point for your first data map to comply with laws such as GDPR or CCPA. This document is often produced as a spreadsheet.
If you don’t want to create your own, you can use our template that can be exported from our Automated Data Mapping tool.
If you’d like to know how to do this in an automated way, reach out to us for a demonstration of our Automated Data Mapping tool.
| Field | Description |
| --- | --- |
| Name of business function processing the data | A reference to the team within your company that will be using the data e.g. marketing, sales, HR, engineering etc. |
| Purpose of processing | A justification for collecting the data in the first place, what is being done with the data or the legal basis for processing it. |
| Name and contact details of joint controller | If your company is deciding the purpose for the collection of personally identifiable information, you are classified by GDPR as the ‘controller’. If your company is processing data on behalf of another organization then you are classified as the ‘processor’. It is most likely that your company acts as both controller and processor, but you may use other third-party processors too. The best approach for the purposes of compliance is to record the contact details of your Data Protection Officer within your company. This person will be the go-to point of contact for the data that is being recorded in your data map and there may be multiple or joint controllers across your organization who are responsible for different data categories. |
| Categories of personal data | The category that the data that you are collecting falls into e.g. personal identification data, location data, health data, financial data, etc. |
| Types of personal data | The exact type of data that is being processed e.g. name, address, email, phone number, etc. |
| Categories of recipients | This is a reference to the person or organization that will be processing the personally identifiable information e.g. your company’s customer support team, marketing team, financial controller, third party SaaS provider, etc. |
| Link to contract with processor | If the processor is internal, this can be a link to your employee guidelines on the handling of personally identifiable information. If the processor is external, this should be a link to the agreed contract – known as the Data Processing Agreement (DPA) – with that third party. The DPA contains their obligations in regard to the protection of any personally identifiable information they are processing on your company’s behalf. |
| Data format | The format of the data stored by your company i.e. digital or hardcopy. |
| The source of the personally identifiable information | How and where you are collecting any personally identifiable information from e.g. website, social media, email, telephone, paper-based forms, in-store etc. |
| Method of data transfer | The places where that data is transferred to and from e.g. physical records in-store or in the office, email, internal documentation, internal software, instant messenger, third party software, third party communication, etc. |
| Location of personal data | The digital locations of data storage e.g. database, email, instant messenger, internal documentation, etc. |
| Retention schedule | The length of time a company stores personally identifiable information for before it is erased. Is your company storing personally identifiable information on a permanent or semi-permanent basis? Ideally, data should be kept for no longer than is necessary for the purposes for which it is being processed in line with GDPR’s recommendation on data minimization. |
| General description of technical and organizational security measures | A description of the measures in place that your company uses to protect PII from unauthorized access e.g. encrypted storage, access controls, password-protected, locked filing cabinets, clear desk policy, etc. |
How do I kick-off the data mapping process?
This process can look different depending on the size, culture, and other factors affecting each business. Below is a suggested list of high-level steps to kick-off the process operationally.
1. Find a DPO / CPO
The first step is to identify the individual who will maintain your company’s data map to help ensure compliance with the applicable privacy laws for your business. Your company may have appointed one already, but typically we see someone with a legal or technical background take on this role part-time at small-medium businesses. The larger your company grows, the more demand there will be for a dedicated resource in this position. Article 37 of the GDPR has a great overview of what’s required of a Data Protection Officer or Chief Privacy Officer.
2. Understand where and what data exists
This is when the fun starts. At a small organization with 5 or fewer systems that hold personal data, this is a lot easier. We suggest going through your finances or reaching out to whoever is in charge of implementing IT systems to find out what systems or places might hold personal data.
As your company grows, and you begin to scale out your departments, you’re going to want to follow steps 3 - 5.
3. Prioritize & determine key points-of-contact
We suggest starting with an organizational map. Create a list noting down all the heads of departments or functions across your organization, their role, department, and contact information.
Look through this list and come up with a hypothesis of which departments would collect the largest amount of personal data. Typically, we see engineering, marketing, and sales departments with the highest volume of processing personal data, but this might be different for your organization.
Organize your list from top to bottom, from what you think is the highest processing volume to the lowest.
Once you have this list, we suggest reaching out to the heads of these departments to start socializing your privacy program and sharing context. The sooner you can get buy-in, the better! We don’t go deep into getting buy-in or stakeholder alignment in this article, as this is a topic of its own.
4. Manual surveys & questionnaires
You’re now ready to kick off your privacy program, and we find it’s easiest to discover what information exists by sending out a survey or questionnaire to each department to find out what data systems they might have, what processes collect data, and why they collect it.
These questionnaires are often 10 - 20 questions long, and we find the simpler the questions, the better. Here are some great high-level questions to answer on your questionnaire:
- What are the different data types you collect?
- Why are you collecting / processing this data?
- Do you receive explicit permission to process this data?
- What other teams and functions have access to this data?
- How long do you retain this data?
- What is the reason for retaining this data for this period of time?
- Where does the data exist?
5. Automated tools
Does all of this seem too manual? You’re right - it is. And the challenge is that this is a recurring process and can cost your organization hundreds of thousands of dollars each year to maintain.
After a while, you’ll notice teams fall out of process, and don’t submit questionnaires as it’s a burden to their process. Companies want to move fast, implementing new tools to kick-off campaigns, or ship that new product feature quickly, so they will just skip the privacy process. Before you know it, there will be shadow systems across your business, and you won’t even know it.
This is when an automation tool comes in.
What if each time a system was added to your network, you received an alert, and could automatically invite those key points-of-contact to help answer questions needed for your data map? Imagine the automation tool detected the different systems as they were on-boarded, and connected to these different systems to see what data exists? This would allow you to move from a reactive process to a proactive process, and make developing your data map a breeze.
That’s where a tool like Opsware comes in. Solutions like Opsware help organizations reduce overhead, minimize their compliance risk, and increase efficiency. Especially so for organizations who don’t have the luxury of a dedicated Data Protection Officer or Chief Privacy Officer. This makes demonstrating compliance dead simple. With our solution, you can produce a real-time data map in just a single click.
For organizations with a dedicated Data Protection Officer or Chief Privacy Officer, automation tools allow them to focus on other privacy initiatives such as keeping their data secure, awareness training, conducting audits, and enforcing other key policies.
Maintaining Your Data Map
The data map document and process are typically best when they are shared and collaborative across your organization. As you can imagine, maintaining this data map becomes very challenging as your business grows, and often turns into a reactive process instead of a proactive one. As mentioned in this article, implementing a process where team members fill out a quick questionnaire when building out a new company process or software feature is one way to stay ahead of data mapping.
It’s important to have your assigned Data Protection Officer (or Chief Privacy Officer) maintain and own this document. Opsware offers a great tool to help kick off this data mapping process and aspects of automation that remove the burden from you and your teams.
We hope this article has been helpful in helping you kick off your company’s data map, and sharing some context on a few of the many things that could be required.
Peter Barbosa