Data Mapping Do’s and Don’ts

By: Dan Rogers and Jerry McIver

Businesses and other organizations collect, store, and process data every day. Some of this data is protected by data privacy laws and regulations, which lawmakers across the country are updating and expanding in scope, reach, and enforcement. These regulations exist to hold users and brokers of personal information, generally businesses, accountable for storing, using, and sharing of personal information and to protect the consumer.

To comply with the new privacy regimes, organizations must assess their privacy and security stance and become aware of their use of private data at a minimum.  Ideally, the organization should develop a privacy program.  Either way, organizational privacy awareness all starts with data mapping.

What is Data Mapping?

Data mapping is the first step an organization takes towards developing a privacy program, and is necessary to understand what types of data it has and where it’s located. By using data discovery software, privacy specific tools, and answering a series of questions, an organization can uncover what data it has, where it is located, how it is being used, and who has access to it.

After completing a data mapping exercise, the deliverable will show how the organization is collecting data, if personal or sensitive information is in the data flows, and highlight possible information usage risks.

Here are some do’s and don’ts when participating in a data mapping exercise and general privacy awareness.

Data Mapping Do’s

1 – Identify a privacy champion within your organization.

When setting up a data privacy program, organizations should identify a ranking individual within to “champion” data privacy and protection and drive the organization internally to meet its privacy goals and avoid the costs of non-compliance. This person is often someone in an organizational leadership role.

When implementing a new privacy program it is not uncommon for established organizations to experience friction and employee pushback, as the program can represent a paradigm shift regarding how personal data is treated. The privacy champion’s role is to emphasize the importance of the program and facilitate organizational buy in.  Usually, one of the privacy champion’s first tasks is facilitating the data mapping exercise and emphasizing the importance for stakeholders to effectively participate.

2 – Use the right data discovery tool for your data mapping exercise.

Many tools exist to discover data, including some from the ediscovery space. However, just because a tool can discover data does not mean it is proper to use it to set up a privacy program.

Tools have many means of operating and features; some are cloud-based software as a service (SaaS), others use application programming interfaces (APIs) held locally on a server. Organizations should evaluate the data discovery tool and ask what is best for them. Below are a few questions to consider asking when choosing a data discovery vendor:

• How easy is it to run the tool against my data?
• How secure is the information going to be?
• What will be the end result or deliverable?
• Are there actionable items that my organization can use?
• Is it practical to send a backup of all of my data?
• Does the discovery tool handle customized databases?

A primary goal when selecting a prospective software and software vendor is to assure a comfortable organizational fit and easy working relationship. Asking informed questions will allow your organization to be flexible in choosing a data discovery tool.

3 – Ask the right questions to the right people.

A pitfall of any data mapping exercise is not asking the right questions to the right individuals within the organization. Start by identifying the individuals that know the organization’s data and how it is processed. Every organization is different regarding who has the proper information, and identifying the proper individuals can drag on the schedule.  However, identifying the right individuals is necessary to deliver the most accurate data map and only has to be done once.

Inaccurate or incomplete information obtained during data mapping exercise may miss key indicators of vulnerabilities and ultimately leave the organization with unmitigated privacy or security risks. Without the proper individual answering the questions, the organization may be vulnerable to exposing personal and sensitive information when a data incident occurs and subject to unexpected compliance costs.

4 – Keep a close eye on data privacy regulations and changes.

Data privacy laws and regulations are ever-changing. In the upcoming year, Colorado and Virginia both are implementing new privacy regulations and a federal privacy bill is closer than ever to becoming law. These laws and regulations likely or likely will fundamentally change how a company views held personal data. Performing a data mapping exercise helps stay ahead of these regulations, as proper data governance permits organizational flexibility with evolving regulations.

Along with the shift in privacy regulations, industry best practices also change. Keeping an eye on the changing environment will lead an organization to a more efficient and adequate privacy program. In addition, privacy is emphasized and becoming more of a consumer right. With that, it’s vital for organizations to understand their data on a regular basis.

5 – Update your data map at least once a year.

Performing a data mapping exercise takes a snapshot in time of an organization’s data. As organizations change and evolve, so must their privacy stance.  Performing a data mapping exercise once a year will assure the organization’s privacy program is being updated to assure continued compliance and safeguards are put in place to protect personal and sensitive information.

In addition to performing an annual data map, an organization should conduct a data mapping exercise when data processing is changed or updated, a new collection point is added, or a new service/product is offered. It’s also best practice to keep on top of your data movements and to hold the organization accountable for collecting the information, as some regulations require it.

Data Mapping Don’ts

1 – Don’t forget legacy documents.

Organizations often forget that they have old documents that contain personal and sensitive information. These documents are commonly found on old backup hard drives or tapes, or on an old computer that was not properly discarded.

Organizations should strive to inventory old hard drives and protect personal data. A common practice is to have the organization’s Information Technology group keep records of all discarded hard drives and those kept for preservation purposes. Any data holders, such as hard drives, that must be kept for preservation purposes and not destroyed must be included in the data mapping exercise.

2 – Don’t ignore privacy risks.

A proper data map will show the privacy risks of the organization, as the point of the exercise is to identify these risks so they can be addressed. Once a data mapping exercise is complete, follow up with specific questions about each risk exposure to mitigate and execute the mitigation action. Some common privacy risks to follow up on include unsecured collection points of data, multiple movements of the same data, or unnecessary collection of personal or sensitive information.

Once identified, the organization should assess the identified privacy risks in regard to how and why the data is being processed. A primary motivator of privacy law and regulatory updates by authorities is to make organizations holding personal and sensitive data accountable for doing so vis-à-vis the data owner or data subject, ensuring there is no misuse or unnecessary exposure. Assure your organization is following up on known privacy risks and avoid the ire of the local privacy regulator when an incident occurs.

3 – Don’t miss a collection point.

Organizations collect data in all sorts of different ways. One way could be a web form. Another could be from on-premises server. However data is collected, it all must be considered in a data mapping exercise.

Here are some other collection points to consider:

• Email-to-email
• Cloud data storage in the cloud such as SharePoint; i.e., not just on the local network
• Database management software, such as iManage
• Excel spreadsheets
• Excel spreadsheets converted to PDFs
• Scanned hand-written applications and storage
• Shared folders

4 – Don’t overly complicate your data map.

While a data map exercise should be thorough, an organization should not overly complicate its data map. Keeping a simple form for visual purposes and then addressing each point in detail is the most efficient method. Be wary of busy visual data maps, as such maps can overburden the audience and devolve into visual noise.

A primary point of identifying personal and sensitive information is to assess the risk of collecting and storing that information, as data processing tends to start with the former and end with the latter. With a complicated data map, the audience may get lost in what is happening to the data instead of addressing the risk in the most efficient manner, i.e., addressing it at collection or retention. Keeping a visual data map simple and informative will aid your organization to understand the possible risks at hand and mitigate them effectively.