Now more than ever, data is the lifeblood of any modern organization. At the most basic level, all organizations must collect, store, use and process data to employ their people and to provide products and services to their customers. While data is a broad term, for the sake of this article let's define data as information that has value, and let's consider personal data as any information (regardless of sensitivity) that allows us to identify an individual, either by itself or when combined with other data.
Whether your organization is trying to comply with the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), General Data Protection Regulation (GDPR), California Consumer Protection Act (CCPA), or some other four- or five-letter data privacy regulation, or trying to align with a cybersecurity or data privacy framework, one thing rings true: you must know your data. What do we mean by "know your data"? Quite simply, although there is nothing simple about it, organizations need to understand what data they process and be able to answer the following questions:
While it's clear that answering these questions will give an organization better insight into its data and data processing activities, it may be difficult to see how these questions can not only be answered but also formally documented and maintained. This is where a data map comes in. In fact, most experts agree that data mapping is the single most important step to ensure compliance with any data privacy regulation. In other words, you have to know your data!
In some ways, creating a data map is just what it sounds like. It starts with creating or adopting a template. With that said, a data map can take on many forms and, while the term "data map" may conjure visions of a network diagram or some other complicated graphical representation of the organization's systems, capturing the answers to the questions above in a spreadsheet or tabular format will often be most effective and easiest to maintain. It should be noted that while network diagrams and data flow diagrams have their place and can be extremely important to an organization, they don't take the place of a data map; however, they can be excellent resources when creating and maintaining one.
Data mapping is a foundational component of data privacy (and cybersecurity) and a vital step in maintaining compliance with any data privacy regulation. That said, the GDPR is the only regulation, to date, that requires a data map (referred to as Records of Processing Documentation, or RoPA) be completed and made available to regulators upon request. Sadly, unless otherwise compelled to do so by the GDPR, most organizations skip over the data mapping step in their attempt to be compliant with HIPAA or GLBA, for instance, as it is not a "requirement" and, in doing so, struggle to gain a complete understanding of the data in their possession.
As we continue to see an increase in both regulations and the amount of data organizations process, data mapping will become more important, and organizations should consider the benefits of looking at all the data they process (taking a holistic approach) rather than simply creating a mapping for each regulated data set.
Organizations may find that maintaining 5-10 data maps in different formats, completed and managed by different teams, is near-impossible compared to creating and maintaining one comprehensive map. Worse, a piecemeal strategy could leave the organization unprepared for the next four-letter data privacy regulation that is lurking around the corner.
You can find more information on data mapping and free templates (based upon the requirements of the GDPR) on the UK's Information Commissioner's Office website.
To learn more about how data mapping can help your organization comply with data privacy regulations, align with cybersecurity frameworks, and prepare your organization for compliance efforts, connect with us.