July 14, 2020
Data Mapping Best Practices
Maintaining the privacy of your customers’ and employees’ personal information is more important than ever as the frequency and sophistication of cyberattacks continue to escalate. Keeping this information private protects your company’s valuable reputation and helps you maintain compliance with data privacy standards such as CCPA and GDPR.
To ensure data privacy, you must first understand your data in detail. The data mapping process enables an organization to understand what data is being used, where it comes from, how it flows through the organization, and who it is shared with. Data maps also provide documentation of data usage and flows that can be helpful for audit purposes. This blog presents data mapping best practices and recommendations to help you navigate this valuable and potentially complex process and understand its component parts.
Data mapping often incorporates tools that use data visualization capabilities to graphically depict the flow of data through an organization. While more basic and inexpensive tools such as Excel can be used, we recommend using tools that leverage data visualization features to help your team quickly and easily understand data flows. This is especially helpful for more complex systems and data flows, which can be difficult to understand without data visualization.
Manual vs. Technology-Assisted Data Collection
The data needed for data mapping can be collected using manual techniques such as interviews and questionnaires or via technology-assisted methods that automate some or all of the data collection work.
Manual techniques may be appropriate when systems and data flows are relatively simple, or when there is little data mapping information available from electronic sources. These techniques can be helpful for gathering information from your team members that have in-depth knowledge of your data and how it is used. This often includes:
- Database Administrators (DBAs)
- Data Custodians
- Data Analysts
- Systems Architects
- Product and Service Managers
- Marketing team members
- Power users or administrators of systems such as Human Resources or Legal that handle personal information
Technology-assisted tools are helpful for complex systems and data flows for which data is available from electronic sources. These tools use scanning or data extract/query techniques to identify and collect data mapping information. Data sources may include:
- Metadata repositories
- Data dictionaries
- Data inventories
- Application databases and files
- Technical specifications
This information may be collected from systems and applications that reside on the organization’s in-house network, in the cloud, or on laptops, phones, tablets, or IoT devices.
In some cases, it may be appropriate to use a combination of manual and technology-assisted techniques to get a complete data map. In these cases, it’s important to identify and resolve any discrepancies identified in data collected by the different methods.
Elements of Data Mapping
Data mapping should not be confused with the development of a data inventory. A data map contains information typically included in a data inventory, but also includes much more information on how data flows through an organization. In this section, we’ll explore the different types of information contained in a data map.
- Data Elements: Information about the data elements that flow into or out of an organization. For ensuring data privacy, it’s especially important to include all personal information (e.g., name, address, phone number, id, password, credit card data, biometric data, geolocation data). Characteristics such as length and alphanumeric content are identified for each data element. Data elements may include information on customers, employees, vendors, or website visitors.
- Data Source: The source of each data element. Sources may include data received via phone, email, social media, or paper/pdf forms; collected via websites or online forms; or received via electronic file transfer or real-time messaging interfaces from third party companies.
- Data Storage: The storage location and format of each data element. For data elements stored in electronic form, the storage location may be on an in-house, offsite backup, cloud, or vendor server; or on laptops, phones, tablets, or IoT devices. The location of data elements in paper records is also identified (e.g., onsite filing cabinet, offsite archive, home office). Methods used to protect stored data should also be identified (e.g., encryption, locked filing cabinets).
- Data Usage: The way in which each data element is used and where it is used. Data may be used by in-house staff, customers, vendors, or other third parties. It may be viewed by external parties via the internet, or exported to third parties for their use. The geographic location of the users accessing the data and the location in which the data is stored is documented. This geographic data is important for assessing compliance with data privacy laws such as CCPA or GDPR.
- Data Retention: Identifies how long each data element is retained before being deleted or archived. Ensuring that data is not retained longer than needed for business or regulatory purposes can improve data privacy.
Tevora’s Data Mapping Methodology
Tevora has developed and refined its four-step data mapping methodology by working with many industry-leading companies to create data maps that help to improve data privacy and ensure compliance with CCPA and GDPR laws.
Conduct preliminary analysis to gain a general understanding of how data is collected and used and how it moves through in-house and external systems and applications.
Identify manual and/or technology-assisted techniques and tools to be used for collecting data mapping information.
Use identified tools and techniques to gather data mapping information.
Review data mapping information gathered and validate that it reflects the understanding of in-house subject matter experts. Make corrections as needed.
Compare data gathered by manual vs. technology-assisted methods and resolve any discrepancies.
Conduct follow-up analysis and interviews to augment data gathering results with any additional technical or other information needed to complete data map (e.g., data inventory technical details, details on location of internal or external servers).
Implement tools to automatically classify data in use to enable enforcement of data governance policies where appropriate (e.g., create tags for metadata and databases that can be used by policy engine to enforce policies).
Develop capabilities to enforce data governance policies (e.g., Data Loss Prevention tool sends alert and blocks action when employee attempts to share personal information with an unauthorized third party).
Implement tools and capabilities to automatically update data map as new data is added, deleted, or changed; or handling of existing data changes.
Activate data governance enforcement tools to monitor activity and enforce data governance rules on an ongoing basis.
Document and summarize data mapping results and present to management and staff.
Your Trusted Partner
If you’d like to learn more about how Tevora can be a trusted partner to help you navigate the intricacies of data mapping, just give us a call at (833) 292-1609 or email us at email@example.com. Take a look at our Privacy Tracker that helps you stay up to date with every privacy regulation.