Since the inception of GDPR, millions of companies around the globe have been racing to implement data privacy programs, both to demonstrate compliance to regulators and to keep up with the ongoing privacy requirements of their customers.
Consumers and laws alike demand that companies understand how personal data is handled and where it might exist. An up-to-date data map is vital for compliance with the new wave of privacy laws such as GDPR in Europe or CCPA in California.
To get a holistic view of where to start and what is required, organizations must understand which aspects of their business carry privacy requirements or need addressing. Depending on the company, there could be few or many areas that need coverage when operating a privacy program. The data map establishes what those areas and requirements are.
For many privacy programs around the globe, the starting point is documenting the personal data held across the organization. This can be extremely challenging if you take on the task after the business has already been operating for several years. In this article, we cover exactly how to kick off the process.
What is a data map?
There are a few terms that industry folks use when referring to data mapping, including data flow diagrams, Records of Processing Activities (GDPR Article 30), data inventory, or the CCPA disclosure of categories of personal information collected. These terms are closely related and are often used interchangeably; the underlying concept is the same: thorough documentation of how your company processes personal data and how it flows into and out of your organization.
A good way to think of your data map is the who, why, and what of your data processing. In a nutshell, the data mapping process and its documentation answer some important questions for your privacy program:
- What personal data does my company collect?
- How long does my company retain this data for, and how do we delete it?
- Why does my company collect and process this data?
- How does my company process this data?
- Where does this data come from?
- If digital, what business system hosts this data?
- Where does this data geographically reside?
- Who do we share this data with?
The objective of your data mapping documentation is to provide a high-level overview of every personal data asset in your business systems. Although the idea of data mapping seems obvious, building one can be daunting, cumbersome, and complex. Companies add new departments as they grow, and silos form across the organization, making it very difficult to keep track of the different third-party systems and vendors in use; governance then becomes a nightmare.
Can you just do this later, as you go? Not if you do business in jurisdictions like Europe or California. If you don’t know what personal data exists and where it lives, demonstrating compliance is impossible, and you will have nowhere to start when a data breach must be notified to the supervisory authority within 72 hours (GDPR Article 33) or a data subject request must be answered within one month (GDPR Article 12).
Why do you need a data map?
Data becomes more essential as companies modernize and scale up. Your company will continue to lean on data to drive business decisions and increase revenue. Concurrently, more data privacy legislation is being introduced around the globe, making compliance more complex. Each piece of legislation defines its own obligations, and your data map is the tool that lets you work out which of them apply to you.
Compliance
The data map is often the starting point for privacy program kick-offs, and the cost of non-compliance is often the key driver. That cost can be hefty: since GDPR came into force in 2018, we’ve seen over $300M in fines issued by European supervisory authorities to businesses worldwide. These fines are not slowing down, and enforcement will accelerate as new regulations roll out.
Increased Revenue, Shorter Sales Cycles
A recent survey from Cisco shows that 74% of consumers won’t purchase products from companies that don’t respect consumer privacy. Businesses that already have privacy programs in place report as much as a 90% reduction in B2B sales cycle duration.
When competing for B2B deals or trying to win over customers, a data map gives you the context on your business’s data processing needed to answer vendor questionnaires, draft privacy notices, and develop contracts.
Brand Trust
75% of shoppers prioritize brand trust over price when purchasing a product. Providing privacy assurances, and disclosing them to your customers, helps customers understand that their personal data is respected at all times.
What does a data map look like?
A data map should contain, at minimum, some high-level information about personal data and how your business processes it. The fields below are not the exhaustive level of detail you may eventually need, but they are a good starting point for a first data map that satisfies laws such as GDPR (Article 30) or CCPA. This document is often produced as a spreadsheet.
If you’d like to know how to do this in an automated way, reach out to us for a demonstration of our Automated Data Mapping tool.
Field | What to record
--- | ---
Name of business function processing the data | A reference to the team within your company that uses the data, e.g. marketing, sales, HR, engineering.
Purpose of processing | The justification for collecting the data in the first place: what is being done with it and the legal basis for processing it.
Name and contact details of the controller (and any joint controller, representative or DPO) | If your company decides the purpose and means of collecting personal data, GDPR classifies you as the ‘controller’. If your company processes data on behalf of another organization, you are the ‘processor’. Most companies act as both, and use other third-party processors too. For compliance purposes, record the contact details of your Data Protection Officer; this person is the point of contact for the data recorded in the map. Where responsibility for a data category is shared with another organization, record that joint controller here too.
Categories of personal data | The category the collected data falls into, e.g. identification data, location data, health data, financial data.
Types of personal data | The exact type of data being processed, e.g. name, address, email, phone number.
Categories of recipients | The person or organization that will receive or process the personal data, e.g. your customer support team, marketing team, financial controller, or a third-party SaaS provider.
Link to contract with processor | If the processor is internal, a link to your employee guidelines on handling personal data. If the processor is external, a link to the agreed contract, the Data Processing Agreement (DPA), with that third party. The DPA sets out their obligations for protecting the personal data they process on your company’s behalf.
Data format | The format in which your company stores the data, i.e. digital or hard copy.
Source of the personal data | How and where you collect the personal data, e.g. website, social media, email, telephone, paper forms, in-store.
Method of data transfer | The channels through which the data is transferred to and from your company, e.g. physical records in-store or in the office, email, internal documentation, internal software, instant messenger, third-party software, third-party communication.
Location of personal data | Where the data is stored, e.g. database, email, instant messenger, internal documentation, and the country or region in which it resides.
Retention schedule | How long the company keeps the personal data before it is erased. Is your company storing personal data on a permanent or semi-permanent basis? Data should be kept no longer than is necessary for the purposes for which it is processed, in line with GDPR’s storage limitation principle (Article 5(1)(e)).
General description of technical and organizational security measures | The measures your company uses to protect personal data from unauthorized access, e.g. encrypted storage, access controls, password protection, locked filing cabinets, clear desk policy.
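A spreadsheet with these columns is only useful if every row is actually complete. The script below is an added example, not code from the original article or from any vendor tool: it models one data map row with the fields from the table, checks that the Article 30 fields are filled in, flags external recipients that have no linked DPA, and flags retention schedules that are indefinite (the questions in the list at the top of the article map onto the same fields). The two sample rows are constructed for illustration; the keyword lists used to recognize an external recipient and an indefinite retention period are assumptions you would tune to your own spreadsheet’s vocabulary.

```python
"""Sanity-check a GDPR Article 30 style data map (records of processing).

Added example for this article; the rows and keyword lists are constructed
and are not taken from any real data map.
"""
from dataclasses import dataclass, asdict
from typing import Dict, List

# Columns from the data map table that must never be empty.
REQUIRED = (
    "business_function", "purpose", "controller_contact", "data_categories",
    "data_types", "recipients", "data_format", "source", "transfer_method",
    "location", "retention", "security_measures",
)

# Assumed vocabulary: substrings that mark a recipient as outside the company.
EXTERNAL_MARKERS = ("third party", "third-party", "saas", "vendor")
# Assumed vocabulary: retention values that violate storage limitation.
INDEFINITE = ("permanent", "indefinite", "forever", "until further notice")


@dataclass
class DataMapRow:
    business_function: str
    purpose: str
    controller_contact: str
    data_categories: str
    data_types: str
    recipients: str
    processor_contract: str   # link to DPA, or to internal handling guidelines
    data_format: str
    source: str
    transfer_method: str
    location: str
    retention: str
    security_measures: str


def check_row(row: DataMapRow) -> List[str]:
    """Return the findings for one row; an empty list means the row passes."""
    findings: List[str] = []
    values = asdict(row)
    for name in REQUIRED:
        if not values[name].strip():
            findings.append(f"missing required field: {name}")
    recipients = row.recipients.lower()
    if any(m in recipients for m in EXTERNAL_MARKERS) and not row.processor_contract.strip():
        findings.append("external recipient without a linked DPA")
    retention = row.retention.strip().lower()
    if retention and retention in INDEFINITE:
        findings.append("retention schedule is indefinite (storage limitation)")
    return findings


def check_data_map(rows: List[DataMapRow]) -> Dict[str, List[str]]:
    """Map each failing row (keyed by function and data type) to its findings."""
    report: Dict[str, List[str]] = {}
    for row in rows:
        findings = check_row(row)
        if findings:
            report[f"{row.business_function}: {row.data_types}"] = findings
    return report


# Constructed sample rows: the first is complete, the second has typical gaps.
SAMPLE_ROWS = [
    DataMapRow("HR", "payroll (legal obligation)", "dpo@example.com",
               "financial data", "bank account number", "payroll team",
               "https://intranet.example/pii-guidelines", "digital",
               "onboarding form", "internal HR software", "HR database (EU)",
               "7 years after employment ends", "encrypted storage, role-based access"),
    DataMapRow("Marketing", "newsletter (consent)", "dpo@example.com",
               "identification data", "email address", "third-party SaaS mailing provider",
               "", "digital", "website signup form", "third-party software",
               "vendor cloud (US)", "permanent", ""),
]

if __name__ == "__main__":
    for key, findings in check_data_map(SAMPLE_ROWS).items():
        print(key)
        for finding in findings:
            print("  -", finding)
```

Run it against an export of your own spreadsheet by building one DataMapRow per row; every finding it prints is a row that would not survive a regulator’s request for your records of processing.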