To average consumers, data privacy seems easy: nobody is allowed to see their data unless they say so. However, for organizations tasked with protecting personal data, data privacy isn’t as clear-cut.
Companies generate mountains of data, and consumer data is only a small piece of it. More to the point, every bit of data isn’t equal. Some bits of information prove more important than others and require protection. Some data is shared, repeated, used, or stored in multiple locations. Different parts of organizations will use the same bits of information in different ways.
The EU’s privacy law, the General Data Protection Regulation (GDPR), directly addresses this in Article 30, stating in part:
- Each controller and, where applicable, the controller’s representative shall maintain a record of processing activities under its responsibility.
- Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller.
- The controller or the processor and, where applicable, the controller’s or the processor’s representative shall make the record available to the supervisory authority on request.
As of May 2019, California’s privacy act’s (CCPA) disclosure and transparency requirements aren’t as detailed, but this could change in the future.
To be compliant with GDPR, CCPA, and forthcoming privacy laws, knowing what data your organization collects and the processing thereof are crucial.
What Is Data Mapping?
Data mapping is discovering what data you collect, where it’s stored, with whom it’s shared, how long it’s retained, and for what purposes it’s used. This requires a formal inventory of data ingress — such as customer registration, systems, fields within the systems, and connections between systems. And of course, to be useful, the data map must be more than a static snapshot of a point in time: it needs to be actively maintained as your organization grows and evolves.
For example, a data map may contain:
- Source(s) of data ingestion (e.g. a marketing form);
- What data you are collecting (e.g. name, phone, and email);
- The purpose of the data (e.g. send relevant communication over email);
- The handling of the data (e.g. store the information in Oracle Marketing Cloud and sync the consumer to Salesforce);
- The retention timeline of the data (e.g. if the individual doesn’t purchase after 6 months, delete this information).
Although a data map can be built in a spreadsheet, it will grow increasing impractical and untenable for larger organizations.
Your data map provides an overview of all the data generated in and flowing through your organization. With that overview in hand, you can then understand your obligations under compliance regulations. Just as importantly, with data mapping, you know the sensitive data requiring higher levels of protection.
As Richard Macaskill wrote for Dataversity, your system “will immediately flag up any access controls that are required, and where measures like pseudonymization, encryption, anonymization and aggregation should be adopted. If copies of databases are used in development and testing, for example, personal data should be masked.”
Data varies wildly in sensitivity, and your data map can be used to understand necessary security measures and reduce your attack surface. For example, as Macaskill points out, “individuals will need permission to view, modify or delete only the personal data that is relevant to their job role, and for which appropriate consent has been obtained.”
The smaller the attack surface and the more controls built into your data processing, the lower your risk of a data breach. Data mapping isn’t a 100% foolproof means for preventing a breach, as there are too many variables at play for any organization to be completely safe, however, it’s more difficult for hackers and malicious insiders to gain illicit access to data.
And even if the nightmare scenario of a breach occurs, a data map improves response and recovery time by allowing you to pinpoint what information was compromised, and do so quickly to meet the GDPR’s strict reporting timeframe.
Data Mapping Challenges
As essential as data mapping is to overall data privacy, it is also one of the biggest challenges in gaining and maintaining privacy compliance. According to research from ISACA, data discovery and mapping was listed as the number one preparation challenge.
While many organizations can manually build their data map through the use of interviews, surveys, and questionnaires, the construction and continuous upkeep is time consuming. Privacy regulations have taken away the luxury of time, but fortunately, software options can streamline the process, making it more accurate and more efficient.
Unfortunately, data maps are not one-and-done. Rather, they require continuous upkeep, and organizations must budget for the necessary software/labor. Human maintenance increases the risk of inaccuracies or oversights — while software can free employees for higher-leverage work.
Your organization can address the challenges present in data mapping through a few best practices. They include:
- Get leadership buy-in as part of your privacy by design program. If your executives view this work as unimportant, employees will naturally deprioritize it.
- Carefully consider what personal data requires higher levels of protection. While some of this information is obvious, like data that directly leads to an individual, some of it may be more organization-specific.
- Integrate data map maintenance into software development processes and ongoing changes driven by functions that interact with an individual (i.e. marketing, e-commerce, and human resources).
The GDPR requires documentation of processing and systems; the CCPA requires transparency disclosures for the collection and sharing of personal information. It’s crucial to keep in mind that future regulations will only add to this complexity. In turn, building and maintaining a data map allows your organization to comply and demonstrate compliance with current and new privacy regulations.