How do you conduct a data map?

What is data mapping?

At a basic level, data mapping involves taking a set of data and mapping its destination. Typically, companies do this to make their data more accessible and structured, not only for their teams, but also for their customers. Data mapping also identifies personal and non-personal information across systems, then assembles it in one place so you can easily find, track, and protect it.

Of course, companies employ data mapping for another, greater purpose: The General Data Protection Regulation (GDPR) requires it. In this vein, companies use data mapping to not only perform data protection impact assessments (DPIAs), but also to respond to data subject access requests (DSARs) and create records of processing activities (RoPAs).

And though data mapping is mandatory, it’s still beneficial for organizations — in fact, it can yield significant kickbacks, especially for privacy compliance.

Data mapping: Why it’s important

Data mapping is the roadmap to your compliance program. Upon it, you build everything else. Even if the GDPR didn't require documentation on the records you process (spoiler alert: it does), it’s still essential to understand the data you're collecting across multiple systems and databases. 

It comes down to this: If you don't know where your data is, you don't know where the threats live, nor where your opportunities are. 

Prior to GDPR’s inception in 2018, the data landscape was a Wild West of sorts. Before strict rules were set in place about what companies could and couldn’t do with personal data, the general approach was a data land grab.

Even small companies collect large amounts of data from website visitors. Departments within companies — like marketing, IT, HR, and others — also collect data for various purposes. This information often spans many systems.

From a legal compliance standpoint, companies are required to maintain "records of processing activities” under the GDPR. If the GDPR covers your company, you must: 

• Demonstrate why you're processing personal data
• Disclose the recipients to whom you’ll send data
• Disclose transfers of data to "third countries" (and the length of time before you'll delete the data).

Why have all of this prepared? If there's a breach at your company or with one of your vendors, you’ll want to have that documentation ready for disclosures on where it lived, with whom you shared it, etc. 

Starting an investigation from scratch while regulators wait and watch will not only tell them you’re not compliant with GDPR’s Article 30 (records of processing activities); the process will also be significantly more stressful. 

Consider it this way: The less data your company holds on customers, the less it has to protect. Use data mapping to reduce data collection — keeping only necessary, relevant, and up-to-date information. 

Best practices for mapping data

In a global 2021 survey by the International Association of Privacy Professionals, 47% of respondents said that, when it came to fulfilling a data request, finding a person’s data within their organization was really difficult. 

In other words? Data discovery is an overwhelming task. Too many cooks in the kitchen can be a bad thing. Pro-tip on that: Assign a data protection officer to spearhead the data mapping process, and minimize the likelihood of data slipping through the cracks.

When you set out to map data, explore every place in which you interact with customers. If you're data mapping for GDPR-compliance purposes, it makes sense to use the GDPR's definition: "Any information which are related to an identified or identifiable natural person." This type of data is typically a customer’s credit card number, phone number, address, or other similar piece of information. 

But know this: New privacy laws in other countries and territories are popping up regularly these days; the GDPR's definition of personal data may not always be the default. Increasingly, privacy laws incorporate broader understandings of what personal data means. California's privacy law has its own definition, for example.

What to do with ‘floating data’

Frequently, data mapping reveals data “floating” within a company’s database that no one seems to own. It was collected and stored, but there's no documentation of its origins, why it's needed, or who's responsible for its safekeeping. 

Likely, various functions within your organization may be using the “floating” data set for different purposes, but the two roles aren't communicating with each other. This can be dangerous. 

Say a data subject files a DSAR, as permitted under the GDPR and the California Consumer Privacy Act (CCPA). It’s imperative to have a comprehensive report available. If you provide the data your marketing team collected about them but didn't realize the sales team was also using some of that data, you've got a problem. You must be able to explain why, specifically, you’re using their data and under which legal allowance.

Data mapping for data controllers and service providers

The GDPR requires data controllers to maintain data records management. A controller is an entity that makes decisions about what happens to the information within its system. 

Under the GDPR, if you’re a controller handling a data map, you must answer: Under which legal basis are you collecting the information? You can find respective answers under Article 6 of the GDPR.

While the CCPA/CPRA don’t have direct definitions for a data controller, they often use the terms “business” or “service provider” in the same vein. These roles are defined as “an entity that determines the purposes and means of processing a consumer’s personal information,” and they’re also tasked with data mapping efforts. 

Arguably, the biggest reasons to data map for CCPA and GDPR compliance include being able to swiftly and accurately fulfill DSARs; identifying PII (or personally identifiable information); protecting PII; and tracking it.

Is vendor monitoring important for data mapping?

Once you determine the data your organization collects, now identify the data you share with vendors or sister organizations. Understanding what data goes to which vendor allows you to decide how to treat each data set.

You can automate vendor monitoring through data mapping software solutions, and there’s good reason to do so. 

Depending on a company’s size, there could be hundreds of vendors processing data — and those vendors could be using vendors of their own. Ultimately, it’s your responsibility to vet how vendors treat (and pass on) the data you've collected. Additionally, vendors frequently make changes to their policies, whether because of shifting imperatives or in response to new regulations. 

It would take a full-time, dedicated worker to manually touch base with each vendor associated with your business to check on these changes. Software solutions that can alert you to said changes can be the difference between high- and low-risk partnerships.

A new data privacy framework for cross-country data sharing

In 2020, the Court of Justice of the European Union (CJEU) invalidated Privacy Shield, the data transfer mechanism many companies relied on to transfer data from the EU to the U.S.

Why?

The EU wasn’t satisfied with America’s ability to adequately protect European data. It doesn’t help that, despite several other countries adopting federal-level privacy laws, the U.S. still doesn’t have one (a big red flag to the EU). The territory was especially concerned that law enforcement agencies could conduct mass surveillance on a broad swath of communications thanks to allowances in post-911 anti-terrorism rules.

Plus, the CJEU also posited that standard contractual clauses, another mechanism companies use to transfer data, should be examined on a case-by-case basis.

The good news? In October 2022, the Biden Administration and the EU enacted the European Union-U.S. Data Privacy Framework. Among other sweeping changes, this executive order instills new safeguards to address the EU’s concerns, particularly by limiting access to the territory’s data by American intelligence.

Why is cross-country data sharing important for data mapping?

Put simply, if data is crossing borders, it's essential to know where it's going and what contracts you're using to get it there. If you realize you're transferring data without a legal agreement, it might be time to decide where to store that data.

After a data mapping exercise, some companies will decide to move the data to a storage center elsewhere. Suppose you can't legally transfer the data overseas. In that case, it's likely possible to store the data in a cloud located in the same jurisdiction as data subjects about whom you've collected data.

Privacy compliance is just the beginning

Once you understand the data you collect, with whom you share it, and where it flows, it's time to make some strategic decisions. Now, you can better determine how to use your data to develop and grow your product. And that can be a good selling point to the C-suite when you start vying for data map execution. 

If and when you get approval to begin data mapping, don’t make it harder than it needs to be: Consider data mapping tools with built-in automation. These automate the process, making it easy to find and categorize personal and non-personal data across multiple systems. These data mapping tools will also make it easy to quickly discover data relationships within your organization by scanning different systems, homogenizing data, and creating a searchable database.

Osano’s Data Discovery tool is easy to implement and easy to use. Our AI-driven tool will collect and classify data in less than an hour — even fragmented and obscure data. Book a demo with us to learn how we can help you automate privacy rights fulfillment, demonstrate compliance, and build trust with customers by relentlessly protecting their data.

What are the techniques of data mapping?

What should a data map include?

What tools are used for data mapping?

What is the purpose of a data map?