Editor’s Note: This post was originally published in February 2021 and has been updated since for comprehensiveness and to reflect the latest information in privacy.
The GDPR introduced the formal concept of data mapping in 2018, and since then other privacy regulations have created their own definitions. To many, the concept still remains unclear. What is Data Mapping and why is it important for privacy? Find out below.
For average consumers, expectations around data privacy seem obvious: nobody is allowed to see their data unless they say so. However, for organizations tasked with protecting personal data, neither data privacy nor data mapping is always so clear-cut.
What Is Data Mapping?
Data mapping is a critical component of any company’s privacy program. Data mapping requires knowing what data your organization collects, and how it’s processed. It is the first stage of data management, including data integration and data migration. Data mapping is necessary to comply with GDPR, CCPA, VCDPA, CPRA, and forthcoming privacy laws.
A robust data map will include what data you collect, where it’s stored, with whom it’s shared, how long it’s retained, and for what purposes it’s used. And of course, to be useful, the data map must be more than a static snapshot of a point in time: it needs to be actively maintained as your organization grows and evolves.
For example, a data map may contain:
- Source(s) of data ingestion (e.g. a marketing form);
- What data you are collecting (e.g. name, phone, and email);
- The purpose of the data (e.g. send relevant communication over email);
- The handling of the data (e.g. store the information in Oracle Marketing Cloud and sync the consumer to Salesforce);
- The retention timeline of the data (e.g. if the individual doesn’t purchase after 6 months, delete this information).
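As an added illustration (not code from the original post or from DataGrail's product), the block below models a data map on the five fields just listed and runs the lookups a privacy team needs against it: which systems hold a given element, when an entry's retention window elapses, which systems an automated inventory sees that the map does not, and an Article 30 style record-of-processing view. The sample entries, system names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class DataMapEntry:
    """One row of a data map: the five fields the post lists for a map entry."""
    source: str               # source of ingestion, e.g. a marketing form
    elements: frozenset       # what is collected, e.g. name, phone, email
    purpose: str              # why it is processed
    systems: tuple            # where it is stored or synced to
    retention_months: int     # delete once the individual is inactive this long

# Constructed sample map (hypothetical values, not a real organization's data).
DATA_MAP = [
    DataMapEntry("marketing form", frozenset({"name", "phone", "email"}),
                 "send relevant communication over email",
                 ("Oracle Marketing Cloud", "Salesforce"), 6),
    DataMapEntry("checkout page", frozenset({"name", "email", "shipping address"}),
                 "fulfil and invoice orders", ("Order DB", "Salesforce"), 84),
]

def systems_holding(data_map, element):
    """Systems that hold an element: the lookup behind an access or deletion request."""
    return sorted({s for e in data_map if element in e.elements for s in e.systems})

def add_months(d, months):
    """Calendar-month arithmetic with no third-party library; the day is clamped."""
    y, m = divmod(d.month - 1 + months, 12)
    y, m = y + d.year, m + 1
    for day in range(d.day, 0, -1):   # e.g. 31 Jan + 1 month -> 28/29 Feb
        try:
            return date(y, m, day)
        except ValueError:
            continue

def deletion_due_date(entry, last_activity):
    """ISO date on which the entry's retention window elapses after the last activity."""
    return add_months(date.fromisoformat(last_activity), entry.retention_months).isoformat()

def is_past_retention(entry, last_activity, today):
    """True once retention has elapsed; ISO date strings compare correctly as text."""
    return today >= deletion_due_date(entry, last_activity)

def unmapped_systems(data_map, inventory):
    """Systems seen by an automated inventory but absent from the map: the map is stale."""
    mapped = {s for e in data_map for s in e.systems}
    return sorted(set(inventory) - mapped)

def article30_record(data_map):
    """Record-of-processing view keyed by purpose, as Article 30 asks a controller to keep."""
    return {e.purpose: {"elements": sorted(e.elements), "systems": sorted(set(e.systems)),
                        "retention_months": e.retention_months} for e in data_map}
```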
While the word “map” might imply a visual representation of data systems in use at your company, a data map is often just a table of information, manually compiled in a spreadsheet, or maintained in and exported from a privacy platform.
Although a data map can be built in a spreadsheet, it will grow increasingly impractical and untenable for larger organizations.
According to Rita Heimes, General Counsel and DPO at the IAPP,
“It is quite difficult, for example, to prepare a privacy statement or an internal privacy policy without understanding what data is collected, how it is processed, and with whom it is shared […] Traditional questionnaires, however, include the potential for weak or inaccurate responses, and misunderstanding on the part of those completing the questionnaire who make assumptions and do not or cannot get clarification before submitting their answers.”
Why is Data Mapping Important for Your Business?
Businesses produce plenty of sensitive data, and customer data is only a small piece of it. More to the point, every bit of data isn’t equal. Some bits of information prove more important than others and require protection. Some data is shared, repeated, used, or stored in multiple locations. Different parts of organizations will use the same bits of information in different ways.
Data Mapping Challenges
As essential as data mapping is to overall data privacy, it is also one of the biggest challenges in gaining and maintaining privacy compliance.
Too manual and time-consuming: While many organizations can manually build their data map through interviews, surveys, and questionnaires, the construction and continuous upkeep are time-consuming. Privacy regulations have taken away the luxury of time, but fortunately, software options can streamline the process, making it more accurate and more efficient.
The easiest way to ensure your data map is up to date is to automate the data inventory process with a data privacy platform like DataGrail.
Always evolving: Unfortunately, data maps are not one-and-done. Rather, they require continuous upkeep, and organizations must budget for the necessary software and labor. Manual maintenance increases the risk of inaccuracies or oversights, while software can free employees for higher-leverage work.
Data mapping best practices
Your organization can address the challenges present in data mapping through a few best practices.
- Get leadership buy-in as part of your privacy by design program. If your executives view this work as unimportant, employees will naturally deprioritize it.
- Carefully consider what personal data requires higher levels of protection. While some of this information is obvious, like data that directly identifies an individual, some of it may be more organization-specific.
- Integrate data map maintenance into software development processes and into ongoing changes driven by functions that interact with individuals (e.g. marketing, e-commerce, and human resources).
- Invest in a privacy solution that features data mapping at its core (find out which solutions will fit your company best with our Privacy Management Solution Buyer’s Guide).
Data Map Regulatory Requirements
The EU’s privacy law, the General Data Protection Regulation (GDPR), directly addresses data mapping in Article 30, stating in part:
- Each controller and, where applicable, the controller’s representative shall maintain a record of processing activities under its responsibility.
- Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller.
- The controller or the processor and, where applicable, the controller’s or the processor’s representative shall make the record available to the supervisory authority on request.
The CCPA, CPRA, VCDPA, and forthcoming regulations have similar requirements surrounding data mapping. Every modern privacy law released in the last few years requires that businesses be able to respond to consumer requests, and the easiest way to do so successfully is with an up-to-date data map.
Data mapping’s value as business intelligence
Your data map provides an overview of all the data generated in and flowing through your organization. With that overview in hand, you can then understand your obligations under compliance regulations. Just as importantly, with data mapping, you know the sensitive data requiring higher levels of protection.
To learn more about how a data mapping tool fits into your privacy tech stack, download our Buyer’s Guide for Privacy Management Software.