August 10, 2023
Data subject access requests (DSARs), records of processing activities (RoPAs), vendor risk management, a dozen other data privacy compliance requirements—all of them depend upon or are significantly facilitated by a map of the personal information your organization processes.
But there’s no hard and fast requirement for a data map in the GDPR, CPRA, or any other data privacy regulation. As a result, many privacy professionals don’t think to investigate data mapping until they start diving into the day-to-day work of their privacy program. After weeks of interviews, dozens of emails, and a labyrinth of spreadsheets, they realize that they need an automated tool.
But as is always the case, not every tool is made equal. Some are inefficient; some substitute the work of manual data mapping with more work of a different kind; some just create yet more work for a privacy professional.
To help privacy professionals spot tools that are more trouble than they’re worth in advance, we’ve identified five red flags to watch out for in an automated data mapping tool.
Data mapping isn’t unique to data privacy. Knowing where organizational data lives and what types of data are available is important for a wide variety of projects. That might include:
There's a wide variety of tasks that a data scientist can accomplish, but usually, the business wants them to conduct analyses that translate directly to dollars and cents. When privacy professionals need to rely on data scientists to map the organization’s data for compliance purposes, they’ll often find that compliance tasks are de-prioritized in favor of revenue generation.
Making a persuasive business case for your privacy program can mitigate this to a degree, but the reality is that data scientists are always going to be an in-demand resource at any organization. If your automated data mapping tool is owned and operated by the data science function, your privacy program will always be steps behind, and your organizational compliance posture will never be where you want it to be.
Software can do a lot of things, but magic isn’t one of them. Invariably, an automated data mapping tool will run into edge cases, exceptions, and instances where manual effort is required. Consider how you’ll map data from:
In 1955, psychologists Joseph Luft and Harrington Ingham coined the term “unknown unknowns”; that is to say, issues that you aren't aware of and which you lack insight into. Unknown unknowns always appear, and the hallmark of a good tool is being prepared to handle them.
For the “unknown unknown” stores of personal data at your organization, it’s essential that your tool provides a way to facilitate discovery and streamline manual mapping efforts.
When automated data mapping tools make no mention of how they facilitate necessary manual work, they also tend to have a very narrow definition of “automation” and a very narrow scope. For example, an allegedly “automated” data mapping solution might automate just the discovery of personal data stores and not the metadata labeling and tagging that makes downstream compliance activities possible.
Whether you use an in-house automated data mapping tool or a third-party tool, a common issue that privacy professionals run into is being inundated by data stores that need to be investigated. Because data privacy compliance is an ongoing process, new data stores will be added to your data map all the time. Not all of these data stores pose the same level of risk. Some might not be involved in downstream data transfers, for example; they might not store sensitive data; or they might not store large volumes of data.
Some automated data mapping tools present these data stores as equally important. That means you’ll have to spend time manually investigating low-risk data stores while stores that actually pose a high risk remain unmitigated.
But in reality, it isn’t too much to ask for an automated data mapping tool to estimate the level of risk posed by one data store or another. It’s possible to assess the number of exports to vendors, the number of connected systems, the number and types of data fields stored, the number of identities handled, and so on to estimate high-risk versus low-risk data stores.
Since your organization’s data landscape is perpetually changing, you’ll need to use your automated data mapping tool to scan for data stores on a regular basis. When you do, you won’t want to have to wade through a backlog of data stores you’ve already investigated and evaluated as being irrelevant.
Not everything that’s capable of holding personal information will actually do so. Or sometimes you’ll find data stores that require no further action. The right tool will provide quality-of-life capabilities that allow you to flag certain data stores as irrelevant, so your team doesn’t waste time re-reviewing something that doesn’t affect compliance.
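As an added illustration of the risk estimate described above and of keeping dismissed stores out of the backlog on later scans, the following Python script (not Osano’s code or any tool’s actual scoring) ranks discovered data stores using the signals the article names. The weights, tiers and sample stores are assumptions.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class DataStore:
    name: str
    vendor_exports: int      # downstream transfers to third parties
    connected_systems: int   # systems that read from or write to this store
    sensitive_fields: int    # fields tagged as sensitive (health, financial, ...)
    identities: int          # distinct data subjects represented


# Assumed weights: vendor exports and sensitive fields dominate the score.
WEIGHTS = {"vendor_exports": 3.0, "connected_systems": 1.0, "sensitive_fields": 4.0}


def risk_score(store: DataStore) -> float:
    """Weighted sum of the article's signals; identities are log-scaled so one
    huge store does not drown out every other factor."""
    score = (
        WEIGHTS["vendor_exports"] * store.vendor_exports
        + WEIGHTS["connected_systems"] * store.connected_systems
        + WEIGHTS["sensitive_fields"] * store.sensitive_fields
    )
    if store.identities > 0:
        score += 2.0 * math.log10(store.identities)
    return round(score, 2)


def risk_tier(score: float) -> str:
    # Assumed thresholds; tune them to your own organization's scale.
    if score >= 20:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def triage(stores, dismissed):
    """Rank a scan's stores by risk, skipping any already flagged as irrelevant
    in an earlier review so they do not reappear in the backlog."""
    ranked = [(s.name, risk_score(s), risk_tier(risk_score(s)))
              for s in stores if s.name not in dismissed]
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


# Constructed sample scan output (hypothetical stores, not real systems).
SCAN = [
    DataStore("crm-prod", 3, 6, 2, 250000),
    DataStore("marketing-analytics", 1, 2, 0, 40000),
    DataStore("ci-build-cache", 0, 1, 0, 0),
    DataStore("hr-payroll", 2, 3, 5, 1200),
]
DISMISSED = {"ci-build-cache"}  # reviewed earlier: holds no personal data

if __name__ == "__main__":
    for name, score, tier in triage(SCAN, DISMISSED):
        print(f"{tier:6} {score:6.2f} {name}")
```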
Non-privacy-focused data mapping tools are often guilty of this, but even some tools meant strictly for privacy professionals suffer the same flaw: They don’t make it easy to actually do anything with your data map.
There isn’t a law that specifically says you need to have a data map for your organization. However, a myriad of regulatory requirements depend upon a data map or are made significantly less tedious by one, such as:
That’s why the best data mapping tools for privacy professionals are integrated into an overall compliance platform.
Take Osano for example. Privacy professionals who use Osano as their automated data mapping tool can easily use discovered data for DSARs, to populate their RoPAs, and to quickly filter and search through data stores and associated metadata to identify redundancies, unneeded data, and data stores that are potentially responsive to a DPIA.
In fact, Osano passes all of the tests we described in this article—it:
Schedule a demo of Osano today to see how our automated data mapping capabilities can support your organization’s compliance.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.