November 1, 2022
The further you venture into data privacy compliance, the clearer it becomes that data mapping is an absolute necessity. But how do you actually “do” data mapping? What is a data map? What goes into a data mapping exercise? In this blog, we’ll clear up some of the confusion surrounding data mapping for data privacy purposes, answering questions like what data mapping is, why it matters, and what best practices you should adopt when mapping your organization’s data.
As it turns out, data mapping can mean several different things.
In this article, we’ll cover the ins and outs of data mapping as it applies to data privacy. So, we won’t be talking about the technical process of mapping fields from one database to another—that’s a different kind of data mapping.
In data privacy, data mapping refers to generating a map that visualizes all of the stores and flows of personal information (PI) across your organization.
In essence, data mapping refers to a set of activities aimed at producing a complete picture of all the PI an organization is responsible for. When data mapping, you’ll produce a data inventory and an actual data map.
Even though data privacy regulations don’t explicitly require a data map, a data map serves as an indispensable foundation for your compliance program. Upon it, you build everything else.
Companies use data mapping to respond to data subject access requests (DSARs), conduct data protection impact assessments (DPIAs), build and maintain a record of processing activities (RoPA), minimize the data they hold, manage vendor risk, and govern cross-border transfers.
Most laws require you to respond to DSARs within 30 or 45 days (the GDPR allows one month, extendable by a further two months for complex requests; the CCPA allows 45 days). Meeting those deadlines, especially as your DSAR volume grows, can be costly, both in terms of budget and the opportunity cost of your team’s time.
According to research by the International Association of Privacy Professionals (IAPP), 47% of respondents said that when it came to fulfilling a data subject request, finding a person’s data within their organization was really difficult.
Unsurprisingly, it’s a lot harder to find a data subject’s PI if you don’t know where your organization stores personal data. Having a data map in place means you can respond to DSARs faster and with more confidence that you’ve actually fulfilled the data subject’s request.
DPIA requirements are generally open-ended and vary slightly from law to law, but Article 35(7) of the GDPR requires a DPIA to contain at least: a systematic description of the envisaged processing operations and their purposes; an assessment of the necessity and proportionality of the processing in relation to those purposes; an assessment of the risks to the rights and freedoms of data subjects; and the measures envisaged to address those risks, including safeguards and security measures.
Indirectly, a data map supports many of these requirements. For one, you can’t effectively assess risk if you don’t know what will happen to PI once your organization processes it. You may also already collect and/or process the required data elsewhere in your organization, in which case the correct action wouldn’t necessarily be to re-collect or re-process it.
Consider the process of creating a RoPA.
The GDPR requires both controllers (Article 30(1)) and processors (Article 30(2)) to create and maintain a RoPA. If the GDPR covers your company as a controller, you must document: the name and contact details of the controller (and, where applicable, any joint controller, representative, and data protection officer); the purposes of the processing; the categories of data subjects and of personal data; the categories of recipients, including recipients in third countries; any transfers to a third country or international organisation and the safeguards relied on; where possible, the envisaged retention periods; and, where possible, a general description of the technical and organisational security measures.
If you don’t know where you’re collecting, storing, sending, and processing data, you will not be able to meet this legal requirement. What’s more, you’ll need to maintain and update your data map in order to maintain and update your RoPA.
The less data your company holds on customers, the less it has to protect, and the smaller your liability should there be a privacy incident. Data mapping gives you the big picture of data collection and processing at your organization, enabling you to reduce redundant, irrelevant, unnecessary, and out-of-date data.
Depending on a company’s size, there could be dozens or hundreds of vendors processing your consumers’ personal data. Ultimately, it’s your responsibility to vet how vendors treat (and pass on) the data you've collected in order to protect your consumers.
Privacy professionals are well aware of the risk that third parties pose when it comes to data privacy compliance—that’s why vendor risk assessments exist.
One of the major challenges with vendor monitoring, however, is knowing about all the vendors in use at your organization. Today, it’s relatively easy for one department to begin a relationship with a third party that involves the transfer of PI. There might not even be money exchanged; it could be that the third party provides its services as a loss leader or in exchange for consumer PI.
Data mapping enables you to discover where data flows to different vendors, and what kind of data is being transferred. That means you can prioritize vendor risk assessments based on the nature of the transfers, the sensitivity and volume of the transferred data, and the privacy reputation of the vendors.
If data is crossing borders, it's essential to know where it's going, what laws are at play in both the sending and receiving jurisdiction, and what mechanisms you’re using to ensure the transfer remains compliant.
For example, the GDPR only permits transfers of personal data out of the EU/EEA under certain conditions. These include an adequacy decision (i.e., EU authorities have decided that the receiving country provides an essentially equivalent level of protection), standard contractual clauses (SCCs), binding corporate rules (BCRs), and a handful of narrower derogations, such as the data subject’s explicit consent to a specific transfer.
For transfers between the EU and U.S., the EU-U.S. Data Privacy Framework received an adequacy decision in July 2023 (though, like its predecessors Safe Harbor and Privacy Shield, both of which the Court of Justice of the EU struck down, it remains on shaky legal ground).
Without a comprehensive data map, your organization could easily be unwittingly transferring data to other jurisdictions. Vendors may operate in other countries, or you may be accidentally transferring data that should stay in one jurisdiction to an office in another jurisdiction.
Unsurprisingly, there are many different approaches to mapping your data, each of which will have its own set of benefits and challenges. Nevertheless, there are some common best practices you should keep in mind when exploring data mapping options.
Like compliance itself, data mapping is an ongoing process, not a one-and-done task. That means it isn’t an appropriate task to assign to, say, your IT personnel, who have a slew of other responsibilities to attend to and will therefore be inclined to treat it as a one-off project.
Data mapping is best handled by a dedicated privacy professional whose sole responsibilities are compliance activities like data mapping.
If you’re aware of systems that collect, process, and/or store sensitive data or particularly large quantities of data, that’s where you should begin your data mapping work. Odds are, there will be downstream flows that need to be accounted for, opportunities to reduce unnecessary data collection, or additional security measures you can employ.
You may not know exactly what privacy risks exist in your organization’s various systems, but you at least know where to look to find out—right?
In reality, you’ll almost never have a complete picture of all the systems and PI collection points at play in your organization. It’s important to acknowledge this reality and make plans to discover where unknown stores of PI may exist.
One approach to mapping your organization’s PI landscape is to leverage business intelligence and data science resources.
There’s a major drawback to this approach, however: if your organization has these resources in place, it’s generally because they’re needed for a multitude of tasks. Data privacy compliance, unfortunately, will likely fall low on the list of data science priorities. Even when privacy-focused data mapping’s turn comes up, the data science team likely won’t have the same understanding of the requirements as a privacy professional would.
As a consequence, it’s best to secure a privacy-focused, automated data mapping tool that your privacy professionals can use without being reliant on external teams and processes.
If they don’t want to wait on data science resources, of course, your privacy team could just open up a spreadsheet and get to mapping—but this approach is prohibitively tedious. By the time you finish mapping your data with a spreadsheet, it’ll already be out of date anyhow!
Consider automated data mapping tools instead. These make it easy to find, record, and work with PI, data stores, and data flows across multiple systems. Osano Data Mapping is a great example of one such tool.
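To make concrete what an automated tool does when it finds unknown stores of PI and turns them into the two artifacts described above (a data inventory and a data map, plus the cross-border and vendor-priority views that fall out of them), here is an added example. It is not code from the original post and not Osano’s product; the systems, vendors, regions and records are constructed sample data, and the detectors are deliberately simple pattern matches (e-mail, IPv4, Luhn-checked card numbers, phone numbers, and a column-name heuristic for names) rather than a production classifier.

```python
"""Pattern-based PI discovery producing a data inventory (which PI lives in
which system) and a data map (where it flows, and whether a flow leaves the
source jurisdiction). Added example with constructed, hypothetical sample
data; not Osano's tooling or data."""
import re
from collections import defaultdict
from typing import Optional

# Value detectors. A column is tagged only when a MAJORITY of its sampled
# values match, so one stray e-mail in a free-text column is ignored.
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
CARD = re.compile(r"^\d{13,19}$")
PHONE = re.compile(r"^\+?[\d\s().-]{9,}$")
NAME_COLS = {"name", "full_name", "first_name", "last_name"}  # name heuristic
SENSITIVITY = {"payment_card": "high", "email": "medium", "name": "medium",
               "phone": "medium", "ip_address": "low"}
RANK = {"high": 3, "medium": 2, "low": 1}
LABEL = {3: "high", 2: "medium", 1: "low"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: keeps random 16-digit IDs out of the payment_card bucket."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_value(value) -> Optional[str]:
    """PI category of one value, or None. Order matters: an IP address and a
    card number both satisfy the loose PHONE pattern, so test them first."""
    s = str(value).strip()
    if EMAIL.match(s):
        return "email"
    if IPV4.match(s) and all(int(o) <= 255 for o in s.split(".")):
        return "ip_address"
    compact = re.sub(r"[\s-]", "", s)
    if CARD.match(compact) and luhn_ok(compact):
        return "payment_card"
    if PHONE.match(s) and 9 <= len(re.sub(r"\D", "", s)) <= 15:
        return "phone"
    return None


def classify_field(name: str, values: list) -> Optional[str]:
    if name.lower() in NAME_COLS:
        return "name"
    hits = defaultdict(int)
    for v in values:
        cat = classify_value(v)
        if cat:
            hits[cat] += 1
    if not hits:
        return None
    cat, n = max(hits.items(), key=lambda kv: kv[1])
    return cat if 2 * n > len(values) else None


def build_inventory(systems: dict) -> list:
    """Data inventory: one row per (system, field) that holds PI."""
    rows = []
    for sys_name, system in systems.items():
        records = system["records"]
        for field in sorted({k for r in records for k in r}):
            cat = classify_field(field, [r.get(field, "") for r in records])
            if cat:
                rows.append({"system": sys_name, "field": field, "category": cat,
                             "sensitivity": SENSITIVITY[cat], "region": system["region"]})
    return rows


def build_data_map(systems: dict, inventory: list) -> list:
    """Data map: one edge per declared outbound flow, annotated with the PI
    categories that actually leave the source and whether a border is crossed."""
    cat_of = {(r["system"], r["field"]): r["category"] for r in inventory}
    edges = []
    for sys_name, system in systems.items():
        for flow in system.get("sends_to", []):
            cats = sorted({cat_of[(sys_name, f)] for f in flow["fields"] if (sys_name, f) in cat_of})
            top = max((RANK[SENSITIVITY[c]] for c in cats), default=0)
            edges.append({"from": sys_name, "to": flow["to"], "categories": cats,
                          "cross_border": system["region"] != flow["region"],
                          "max_sensitivity": LABEL.get(top, "none")})
    return edges


def cross_border_flows(edges: list) -> list:
    """Flows that move PI out of the source jurisdiction and therefore need a
    transfer mechanism (adequacy decision, SCCs, BCRs, ...) on file."""
    return [e for e in edges if e["cross_border"] and e["categories"]]


def vendor_priority(edges: list) -> list:
    """Vendors ordered for risk assessment: most sensitive category first,
    then breadth of PI received."""
    worst = {}
    for e in edges:
        key = (RANK.get(e["max_sensitivity"], 0), len(e["categories"]))
        worst[e["to"]] = max(worst.get(e["to"], (0, 0)), key)
    return sorted(worst, key=lambda v: worst[v], reverse=True)


SYSTEMS = {  # constructed sample; a real scan would sample live tables and buckets
    "crm_db": {"region": "EU", "records": [
        {"full_name": "Ada Example", "email": "ada@example.com", "phone": "+44 20 7946 0000", "plan": "pro"},
        {"full_name": "Bo Sample", "email": "bo@example.org", "phone": "+33 1 23 45 67 89", "plan": "free"},
        {"full_name": "Cy Test", "email": "cy@example.net", "phone": "020 7946 0001", "plan": "pro"}],
        "sends_to": [{"to": "mailer_saas", "region": "US", "fields": ["email", "full_name"]},
                     {"to": "analytics_saas", "region": "EU", "fields": ["plan"]}]},
    "billing_db": {"region": "EU", "records": [  # Luhn-valid test PANs, Luhn-invalid IDs
        {"customer_id": "1000000000000001", "card": "4111 1111 1111 1111", "amount": "19.00"},
        {"customer_id": "1000000000000002", "card": "5500 0000 0000 0004", "amount": "9.00"},
        {"customer_id": "1000000000000003", "card": "3400 0000 0000 009", "amount": "49.00"}],
        "sends_to": [{"to": "payment_processor", "region": "US", "fields": ["card", "amount"]}]},
    "web_logs": {"region": "US", "records": [
        {"ip": "203.0.113.7", "path": "/pricing"}, {"ip": "198.51.100.23", "path": "/signup"},
        {"ip": "192.0.2.99", "path": "/login"}]},
}

if __name__ == "__main__":
    inv = build_inventory(SYSTEMS)
    dmap = build_data_map(SYSTEMS, inv)
    for row in inv:
        print("INVENTORY", row)
    for edge in cross_border_flows(dmap):
        print("CROSS-BORDER", edge)
    print("ASSESS FIRST", vendor_priority(dmap))
```

Run as-is, it tags five PI fields across the three sample systems, reports the two EU-to-US flows that carry PI (the analytics flow carries only a plan name and is not flagged), and ranks the payment processor ahead of the mailing vendor because it receives card data. The majority-vote rule and the Luhn check are the two places where a real scanner earns its keep: without them, customer IDs get misfiled as card numbers and a single e-mail in a notes column makes the whole column look like PI.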
Book a demo with us to learn how mapping your data with the Osano platform can set your organization’s privacy program up for long-term, effective compliance.
The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”