CCPA

What Is Data Mapping?

Kyle Schryver February 18, 2021

The GDPR introduced the formal concept of data mapping in 2018, and since then other privacy regulations have created their own definitions. To many, the concept still remains unclear. What is Data Mapping and why is it important for privacy? Find out below.

Data mapping is a critical component of any company’s privacy program. Data mapping requires knowing what data your organization collects, and how it’s processed. Data mapping is necessary to be compliant with GDPR, CCPA, CPRA, and forthcoming privacy laws. 

For average consumers, expectations around data privacy seem obvious: nobody is allowed to see their data unless they say so. However, for organizations tasked with protecting personal data, data privacy—and data mapping— isn’t always as clear-cut. 

Companies generate mountains of data, and consumer data is only a small piece of it. More to the point, every bit of data isn’t equal. Some bits of information prove more important than others and require protection. Some data is shared, repeated, used, or stored in multiple locations. Different parts of organizations will use the same bits of information in different ways.

The EU’s privacy law, the General Data Protection Regulation (GDPR), directly addresses this in Article 30, stating in part:

  • Each controller and, where applicable, the controller’s representative shall maintain a record of processing activities under its responsibility.
  • Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller.
  • The controller or the processor and, where applicable, the controller’s or the processor’s representative shall make the record available to the supervisory authority on requests

What Is Data Mapping?

Data mapping is discovering what data you collect, where it’s stored, with whom it’s shared, how long it’s retained, and for what purposes it’s used. This requires a formal inventory of data spanning customer registration, systems, fields within the systems, and connections between systems. And of course, to be useful, the data map must be more than a static snapshot of a point in time: it needs to be actively maintained as your organization grows and evolves.

For example, a data map may contain:

  • Source(s) of data ingestion (e.g. a marketing form);
  • What data you are collecting (e.g. name, phone, and email);
  • The purpose of the data (e.g. send relevant communication over email);
  • The handling of the data (e.g. store the information in Oracle Marketing Cloud and sync the consumer to Salesforce);
  • The retention timeline of the data (e.g. if the individual doesn’t purchase after 6 months, delete this information).

A data map provides an overview of all data apps & infrastructure

 

Although a data map can be built in a spreadsheet, it will grow increasingly impractical and untenable for larger organizations. According to Rita Heimes, General Counsel and DPO at the IAPP, “It is quite difficult, for example, to prepare a privacy statement or an internal privacy policy without understanding what data is collected, how it is processed, and with whom it is shared […] Traditional questionnaires, however, include the potential for weak or inaccurate responses, and misunderstanding on the part of those completing the questionnaire who make assumptions and do not or cannot get clarification before submitting their answers.”

Your data map provides an overview of all the data generated in and flowing through your organization. With that overview in hand, you can then understand your obligations under compliance regulations. Just as importantly, with data mapping, you know the sensitive data requiring higher levels of protection.

Data Mapping Challenges

As essential as data mapping is to overall data privacy, it is also one of the biggest challenges in gaining and maintaining privacy compliance.

Too manual and time consuming: While many organizations can manually build their data map through the use of interviews, surveys, and questionnaires, the construction and continuous upkeep is time consuming. Privacy regulations have taken away the luxury of time, but fortunately, software options can streamline the process, making it more accurate and more efficient.

Always evolving: Unfortunately, data maps are not one-and-done. Rather, they require continuous upkeep, and organizations must budget for the necessary software and labor. Human maintenance increases the risk of inaccuracies or oversights — while software can free employees for higher-leverage work.

DataGrail’s privacy portal maps data across the business and provides a view for each system

Data Mapping Best Practices

Your organization can address the challenges present in data mapping through a few best practices. They include:

  • Get leadership buy-in as part of your privacy by design program. If your executives view this work as unimportant, employees will naturally deprioritize it.
  • Carefully consider what personal data requires higher levels of protection. While some of this information is obvious, like data that directly leads to an individual, some of it may be more organization-specific.
  • Integrate data map maintenance into software development processes and ongoing changes driven by functions that interact with an individual (i.e. marketing, e-commerce, and human resources).
  • Invest in a privacy solution that features data mapping at its core

Be Prepared as Laws Change

The GDPR requires documentation of processing and systems; the CCPA requires transparency disclosures for the collection and sharing of personal information. It’s crucial to keep in mind that future regulations will only add to this complexity. In turn, building and maintaining a data map allows your organization to comply and demonstrate compliance with current and new privacy regulations.

To learn more about how data mapping fits into your privacy tech stack, download our Buyer’s Guide for Privacy Management Software.