Data Mapping 101: A How-to Guide

The more you foray into data privacy compliance, the clearer it becomes that data mapping is an absolute necessity. But how do you “do” data mapping? What is a data map? What goes into a data mapping exercise? In this blog, we’ll clear up some of the confusion surrounding data mapping for data privacy purposes, answering questions like what is data mapping, why it matters, and what best practices you should adopt when mapping your organization’s data. 

What Is Data Mapping? 

As it turns out, data mapping can mean several different things. 

In this article, we’ll cover the ins and outs of data mapping as it applies to data privacy. So, we won’t be talking about the technical process of mapping fields from one database to another—that’s a different kind of data mapping.  

In data privacy, data mapping refers to generating a map that visualizes all of the stores and flows of personal information (PI) across your organization. 

In essence, data mapping refers to a set of activities aimed at producing a complete picture of all the PI an organization is responsible for. When data mapping, you’ll produce a data inventory and an actual data map. 

• A data inventory is a complete list of all PI an organization is responsible for along with any and all information needed to manage that PI.  
• A data map is a visual representation of some of the information within a data inventory that makes it easier for organizations to manage PI as it flows across systems. 

Data Mapping: Why It’s Important 

Even though data privacy regulations don’t explicitly require a data map, a data map serves as an indispensable foundation for your compliance program. Upon it, you build everything else. 

Companies use data mapping to: 

• Make it easier to respond to but also to respond to data subject access requests (DSARs). 
• Inform data protection impact assessments (DPIAs). 
• Create records of processing activities (RoPAs). 
• Minimize the collection, storage, and use of PI. 
• Monitor vendors more effectively 
• Cut down on noncompliant cross-border data transfers 
• And more. 

Faster DSAR Response 

Most laws require you to respond to DSARs within 30 or 45 days. Meeting those deadlines, especially as your DSARs begin to scale can be costly, both in terms of budget and the opportunity cost of your team’s time.  

According to research by the International Association of Privacy Professionals (IAPP), 47% of respondents said that when it came to fulfilling a data subject request, finding a person’s data within their organization was really difficult. 

Unsurprisingly, it’s a lot harder to find a data subject’s PI if you don’t know where your organization stores personal data. Having a data map in place means you can respond to DSARs faster and with more confidence that you’ve actually fulfilled the data subject’s request. 

Better Informed DPIAs 

DPIA requirements are generally open-ended and vary slightly from law to law, but the GDPR lays out the following requirements when conducting a DPIA: 

• A description of the envisaged processing operations and the purposes of the data processing. 
• An assessment of the necessity and proportionality of the processing. 
• An assessment of the risks to the rights and freedoms of data subjects. 
• The measures taken to address the risks and demonstrate compliance with the GDPR. 

Indirectly, a data map supports many of these requirements. For one, you can’t effectively assess risk if you don’t know what will happen to PI once your organization processes it. You may also already collect and/or process the required data elsewhere in your organization, in which case the correct action wouldn’t necessarily be to re-collect or re-process it. 

Easier RoPA Creation and Maintenance 

Consider the process of creating a RoPA. 

The GDPR requires both processors and controllers to create and maintain a RoPA If the GDPR covers your company, you must document:  

• Why you're processing personal data. 
• What measures you take to protect the data. 
• The recipients to whom you’ll send data. 
• Transfers of data to third countries. 
• The length of time before you'll delete the data. 
• And more. 

If you don’t know where you’re collecting, storing, sending, and processing data, you will not be able to meet this legal requirement. What’s more, you’ll need to maintain and update your data map in order to maintain and update your RoPA. 

Stronger Data Minimization and Purpose Limitation Practices 

The less data your company holds on customers, the less it has to protect, and the less will be your liability should there be a privacy incident. Data mapping gives you the big picture of data collection and processing at your organization, enabling you to reduce redundant, irrelevant, unnecessary, and out-of-date data.  

Better Insight Into Vendor Risk 

Depending on a company’s size, there could be dozens or hundreds of vendors processing your consumers’ personal data. Ultimately, it’s your responsibility to vet how vendors treat (and pass on) the data you've collected in order to protect your consumers.  

Privacy professionals are well aware of the risk that third parties pose when it comes to data privacy compliance—that’s why vendor risk assessments exist.  

One of the major challenges with vendor monitoring, however, is knowing about all the vendors in use at your organization. Today, it’s relatively easy for one department to begin a relationship with a third party that involves the transfer of PI. There might not even be money exchanged; it could be that the third party provides their services as a loss leader or explicitly for consumer PI. 

Data mapping enables you to discover where data flows to different vendors, and what kind of data is being transferred. That means you can prioritize vendor risk assessments based on the nature of the transfers, the sensitivity and volume of the transferred data, and the privacy reputation of the vendors. 

Stronger Cross-Border Data Flow Compliance

If data is crossing borders, it's essential to know where it's going, what laws are at play in both the sending and receiving jurisdiction, and what mechanisms you’re using to ensure the transfer remains compliant. 

For example, the GDPR only permits transfers of EU residents’ data to a country outside of the EU under certain circumstances. This includes an adequacy decision (i.e., EU authorities have decided that the receiving country has adequate protections in place), standard contractual clauses, binding corporate rules, and a few other niche mechanisms. 

For transfers between the EU and U.S., the Data Privacy Framework earned a recent adequacy decision (though it remains on shaky legal ground).  

Without a comprehensive data map, your organization could easily be unwittingly transferring data to other jurisdictions. Vendors may operate in other countries, or you may be accidentally transferring data that should stay in one jurisdiction to an office in another jurisdiction. 

Best Practices for Data Mapping 

Unsurprisingly, there are many different approaches to mapping your data, each of which will have its own set of benefits and challenges. Nevertheless, there are some common best practices you should keep in mind when exploring data mapping options. 

Make It One of Your Privacy Professional’s Core Responsibilities 

Like compliance itself, data mapping is an ongoing process; not a one-and-done task. That means data mapping isn’t an appropriate task to assign to, say, your IT personnel, who have a slew of other responsibilities to attend to and will be therefore more inclined to treat it as a special project.  

Data mapping is best handled by a dedicated privacy professional whose sole responsibilities are compliance activities like data mapping. 

Prioritize Mapping Systems With the Riskiest Data 

If you’re aware of systems that collect, process, and/or store sensitive data or particularly large quantities of data, that’s where you should begin your data mapping work. Odds are, there will be downstream flows that need to be accounted for, opportunities to reduce unnecessary data collection, or additional security measures you can employ. 

Acknowledge Unknown Unknowns 

You may not know exactly what privacy risks exist in your organization’s various systems, but you at least know where to look to find out—right? 

In reality, you’ll almost never have a complete picture of all the systems and PI collection points at play in your organization. It’s important to acknowledge this reality and make plans to discover where unknown stores of PI may exist. 

Avoid the Data Science Bottleneck 

One approach to mapping your organization’s PI landscape is to leverage business intelligence and data science resources. 

There’s a major drawback to this approach, however; if your organization has these resources in place, it’s generally because they’re needed for a multitude of tasks. Data privacy compliance, unfortunately, will likely fall low on the list of data science priorities. Even when privacy-focused data mapping’s turn comes up, the data science team likely won’t have the same understanding of requirements as a privacy professional would. 

Use an Automated, Privacy-Focused Data Mapping Tool  

As a consequence, it’s best to secure a privacy-focused, automated data mapping tool that your privacy professionals can use without being reliant on external teams and processes. 

If they don’t want to wait on data science resources, of course, your privacy team could just open up a spreadsheet and get to mapping—but this approach is prohibitively tedious. By the time you finish mapping your data with a spreadsheet, it’ll already be out of date anyhow! 

Consider automated data mapping tools instead. These make it easy to find, record, and work with PI, data stores, and data flows across multiple systems. Osano Data Mapping is a great example of one such tool. 

Book a demo with us to learn how mapping your data with the Osano platform can set your organization’s privacy program up for long-term, effective compliance.