Intelligent & Informed Privacy Leadership
Poppulo is the leading enterprise digital signage and employee communications platform. As Senior Associate Counsel, Adrienne Komogorov led an impactful data mapping exercise at Poppulo to give the organization strategic oversight of privacy risk across the business.
In this spotlight, we share Komogorov’s guidance for fellow privacy professionals beginning a data mapping exercise.
Records of Processing Activities (RoPAs) and data mapping in general are mandatory components of GDPR compliance. But compliance isn’t the only reason to start data mapping, and you don’t need to focus these conversations on fear. Komogorov shares 3 more reasons privacy teams should start data mapping:
1. Customers expect it.
Customers everywhere have caught up on data privacy trends. Being able to show off your compliance posture is a critical component of closing the deal.
2. It’s a way to prioritize.
Without visibility into where your data lives and what it contains, you can’t truly identify highest risk items needing attention. Data mapping insights empower informed decisions spanning from eliminating duplicative vendors to converting systems to single-sign on (SSO) authentication and beyond.
3. It’s an opportunity to stand out.
“While customers expect data privacy prowess, not everyone has prioritized it,” Komogorov explains. A data map gives you the means to distinguish yourself from competitors with a more sophisticated privacy posture.
Before you start, identify your privacy champions. Your goal isn’t to drop a privacy problem on an unsuspecting department, you want to find collaborators eager to share your discoveries. Komogorov recommends looking for support in your executive and compliance teams, typically including IT and Security. Prep your stakeholders ahead of time so they can project workloads appropriately.
From there, take a basic inventory. “DataGrail connects to systems like Okta and Salesforce to catalog any shadow IT across your organization. This will be the start of your cross-collaboration efforts. Find the administrators on these accounts” Komogorov outlines.
To give Poppulo a full picture of what to prioritize as a business, Komogorov launched Responsible Data Discovery, an automated process to detect and classify sensitive data. Lastly, she personally vetted details of higher risk systems and associated them with Processing Activities. This ensured these systems would be accurately represented in RoPAs going forward.
Keep your data map relevant beyond your first RoPA. “Treat it as a living document,” Komogorov advises. “This is not a set-it-and-forget-it exercise.”
Komogorov uses DataGrail’s notifications to stay informed when new systems are discovered and triage detected risks like AI capabilities, sensitive data usage, or high volumes of personal data processing. Continuously monitor privacy risk in your organization to stay ahead of legislation.
Return to your identified champions. Your data map will help inform your privacy compliance strategy, but it also benefits other teams. Komogorov says, “This is an invaluable tool to the business whether you are looking to prioritize security enhancements, undergoing M&A due diligence, or seeking to streamline vendor management, just to name a few.”
