Data Privacy Buy-In: The Usual Suspects and What to Say to Them
Getting the business to say “yes” to data privacy isn’t easy. Yet it...
Read NowGet an overview of the simple, all-in-one data privacy platform
Manage consent for data privacy laws in 50+ countries
Streamline and automate the DSAR workflow
Efficiently manage assessment workflows using custom or pre-built templates
Streamline consent, utilize non-cookie data, and enhance customer trust
Automate and visualize data store discovery and classification
Ensure your customers’ data is in good hands
Key Features & Integrations
Discover how Osano supports CPRA compliance
Learn about the CCPA and how Osano can help
Achieve compliance with one of the world’s most comprehensive data privacy laws
Key resources on all things data privacy
Expert insights on all things privacy
Key resources to further your data privacy education
Meet some of the 5,000+ leaders using Osano to transform their privacy programs
A guide to data privacy in the U.S.
What's the latest from Osano?
Data privacy is complex but you're not alone
Join our weekly newsletter with over 35,000 subscribers
Global experts share insights and compelling personal stories about the critical importance of data privacy
Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start a privacy program
Upcoming webinars and in-person events designed for privacy professionals
The Osano story
Become an Osanian and help us build the future of privacy!
We’re eager to hear from you
Published: September 6, 2024
In our recent webinar, It’s Time to Think About Data Mapping Differently, a poll revealed some interesting information: Nearly 50 percent of respondents house their data map in a spreadsheet. (Roughly 15 percent say they don’t have a data map at all, but that’s a topic for a different blog.)
Based on our experience, this isn’t entirely unexpected. It’s common for privacy teams to use a spreadsheet to map where their organization collects, processes, and transfers consumers’ personal data. Many organizations seeking to improve their data privacy compliance posture will turn to the ubiquitous spreadsheet for help or follow the lead of other teams who adopted spreadsheets as data maps.
Thinking of doing the same? Don’t go down that path.
For organizations that are serious about data privacy management, a spreadsheet cannot compare to a dedicated data map. Like a pitcher plant, the spreadsheet lures you in with its familiar format and low cost. Before you know it, you’re prey to a labor-intensive asset that doesn’t help you achieve compliance (and in some cases, actually becomes a barrier). The allure of the spreadsheet is hard to resist, but for the sake of your company and your own sanity, please try.
As with all traps, foreknowledge is your best defense against falling victim to the spreadsheet trap in the first place. Let’s break down how and why organizations fall into the spreadsheet trap and what alternative approaches they should seek when mapping their data.
First, let’s review the basics of data mapping.
Simply put, data mapping is the process of creating a detailed map that visualizes how personal information is stored, processed, and transferred across, into, and out of your organization. Most data privacy laws don’t have explicit requirements around data maps, but without one, achieving and maintaining compliance is a lot harder. Data maps are essential to meeting requirements like subject rights requests, data protection, vendor management, and more in a thorough and timely manner.
As the name suggests, data maps are...maps. They literally visualize how data flows through your organization. Your data inventory, which contains the tags and metadata you need to understand your organization’s systems and data stores, is the structure behind that visualization.
A spreadsheet is not a map—but there’s a logical reason why many privacy teams turn to spreadsheets to map data.
Though data privacy regulations have proliferated in the US and around the world and privacy management is becoming a bigger priority for businesses, many organizations still take a reactive approach to data privacy or view it as an afterthought.
But then a similar organization gets hit with a fine for noncompliance. Or a regulator announces an investigative sweep that affects you. Or someone offhandedly mentions GDPR compliance in a meeting. Then data privacy becomes a priority, and you need to become compliant: Effective immediately.
Panic sets in. And the spreadsheet is right there.
It’s a known quantity that can help you fill in the gaps quickly. With it, you can track subject rights requests, fill out assessments, create your record of processing activities (RoPAs), and, of course, list out the systems where you store data and what kind of data you store. For a while, it works.
Nothing is all bad, and that includes spreadsheet-based data maps. There are some advantages, including:
Most people have access to spreadsheets, they’re straightforward to edit and modify, and the odds are good that somebody at your organization is a spreadsheet wizard.
Spreadsheets come with most workplace application suites, whether it’s Google, Microsoft, or another player. Nothing’s cheaper than using a tool you already have. But there are hidden costs, which we will talk about in a moment.
If you don’t know the first thing about data mapping, you have to start somewhere. It can be helpful to create a spreadsheet and see where it meets your needs and where it doesn’t. Unsurprisingly, you’ll find there are a lot of things you wish your spreadsheet could tell you that it simply cannot. The exercise of trying to make it work can help you uncover what those wish list items are.
The problems start when data mapping gets complicated—which it nearly always does sooner than not. Two cons that immediately become obvious when using a spreadsheet in general: Spreadsheets have limited automation capabilities, and they are highly prone to human error. But there are other disadvantages that apply to data mapping specifically.
Maps are visual. They provide cues and at-a-glance insights that you can’t glean from rows and columns. With a true data map, you can see the relationship between systems, the flow of data throughout your ecosystem, where you have redundancies, and more. A spreadsheet can do a lot of things, but not that.
If you use a spreadsheet for data mapping, it will become unwieldy almost immediately. Most people underestimate the amount of data they need to account for. As a spreadsheet sprawls to accommodate more and more, it eventually becomes impossible to find necessary information. Not to mention, data and organizational growth is fast and dynamic. Updating your data map as you add or remove data, systems, and processing activities is itself a full-time job.
Somebody’s going to own your data map. But effective data privacy compliance requires collaboration across the organization. Your IT team may know the most about the overall technology mix at play in your organization, but each team will control individual systems that may or may not be processing personal data. It needs to be easy for these other stakeholders to contribute to your data map. The first challenge is that spreadsheets are terrible for collaboration.
But more critically, if your data map is in a spreadsheet, then it may be siloed in a drive that’s inaccessible to other stakeholders. And if that person leaves? You need to transition the data map to a new individual or worse, risk losing that information completely.
Do you have all of the know-how associated with data privacy regulations at your fingertips? What about when it all changes, as it does constantly?
It’s a lot to ask for one person to know everything about the regulations that your organization is subject to, keep track of changes to those regulations, and quickly absorb the requirements of new regulations that affect you. It’s even more to ask that you track all that information in an unwieldy data map spreadsheet. That burden inevitably sets the privacy team up for failure and increases the risk of noncompliance. Don’t do that to yourself or your organization.
If spreadsheets aren’t the answer, what is?
A true data mapping solution addresses all of the shortcomings of the spreadsheet:
If you’re looking for a data mapping solution, there are a few things to keep in mind:
You need a data map designed specifically designed for data privacy requirements. There are IT-driven data mapping solutions, but they focus on system-level mapping rather than the data those systems contain.
Furthermore, IT-driven data mapping solutions tend to be general-purpose, business-intelligence (BI) tools. Often, these solutions are managed by a data scientist or BI specialist—which means you’ll have to compete with other stakeholders for their time and expertise. While these IT-driven data mapping solutions are solving other business problems, data privacy compliance will have to wait in line.
Think about maintenance. For example, a solution that requires you to maintain a 1:1 solution for every data source in your organization will become extremely labor-intensive, especially if data lives in dozens or even hundreds of different systems (which is common, even in smaller organizations). Look for a system that lets you use “umbrella sources” to streamline data discovery and integration maintenance.
If your data map currently lives in a spreadsheet, you’re not irredeemably trapped—not by technology or the sunk-cost fallacy. Not only can you transition your spreadsheet data to a data map, but it’s also easier than you think. Many privacy pros have migrated from spreadsheets into more robust data mapping solutions without sacrificing the work they’ve already done—find out more in our migration guide.
Or, to see for yourself how Osano does it, schedule a demo of Osano Data Mapping. We’ll be happy to walk through the ins and outs of our data mapping solution and how it can help you manage your organization’s data privacy compliance.
Curious about some of the best practices to follow when mapping your data for privacy compliance? Our checklist guides you through the steps you need to take.
Download Now
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.
Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.
With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.