September 14, 2017

Strategic Data Mapping: A Three-Step Process

Managing data in today’s business environment can be complicated. Companies find themselves weighing the benefits of expansive data collection against regulatory requirements. Legislation such as GDPR, PCI DSS and others is pushing the matter of data management to the forefront, compelling organizations to take a more systemic, continuous approach.

At Tevora, we don’t believe data regulations and fear of data leaks should drive business processes. We believe in using them as a mechanism to develop ongoing Data Mapping programs that merge compliance criteria and business objectives for strategic data usage.

By following this three-step process, organizations will ensure ongoing control of their data’s life cycle. Long-term, it can streamline data-driven decisions by pushing the evaluation and removal of data that is a risk to the business and unnecessary in serving its customers.

Whether operating in a highly regulated marketplace or looking to gain a strategic advantage from your data, Data Mapping can offer more than you previously thought.

1. Data Identification and Socialization

Data mapping should combine technical and analytical processes to identify the usage, types and areas of data throughout an organization. Addressing this from both an analytical and a technical perspective allows organizations to gain a comprehensive snapshot of what exists within the environment.

This includes:

  • Personnel Interviews to gather institutional knowledge of what data is gathered and its business use.
  • Assessment of organizational hierarchy/designs to validate all areas of data collection are accounted for.
  • Outcome of discussions should result in the development of data flow and Data Mapping documentation.
  • Initial implementation of a tool such as BigID, DPOrganizer, Privitar or ELK Stack-based tools (i.e. Splunk).
    • Calibration of the tool will need to occur periodically to ensure that any new data types being collected are captured.
  • Summary report that can be shared with senior leadership in order to drive business decisions.

The socialization stage is a multi-departmental meeting conducted to present findings from the Data Identification activities. This meeting gives stakeholders from all data-gathering units the opportunity to discuss what may have been missed, identify anything that may not be attributable to the overall intent of the mapping, and plan next steps. These meetings can inform how to adjust the data identification format moving forward.

2. Data Minimization and Purge Process

Mapping will objectively identify what data exists throughout the organization. Some of that information may come as a surprise and some may be expected; all of the data could be appropriate for planning business objectives. Pointed conversations about why the data is being retained, or why it is not necessary, are key to a healthy database and to minimizing your data risk profile.

Business units where data types of varying confidentiality may reside:

  • Marketing
  • Business Development
  • Product Development/Research and Development
  • Market Research
  • Human Resources and Recruiting
  • Legal

These units are ripe for the collection of sensitive data. Stakeholders and security practitioners would be well served to investigate how all data types within these areas correlate to a strategic objective. By and large, best practice is to purge all data that does not hold value to the organization or the customers it serves. With GDPR and other international regulations calling for this management, data minimization will be critical to reducing the probability of fines.

Whether data is deemed valuable, unnecessary or end-of-cycle, the removal or purging of that data should be prioritized. Involving key stakeholders in the review process limits any barriers to completing this task.

3. Continuous Improvement of the Data Life Cycle 

As with any process, consistently checking in with colleagues and stakeholders throughout the process is crucial. Understanding how they feel about the Data Mapping process and how it affects the business will help shed light on any changes made. As new sources of data come into scope, organizations need to account for them.

Compliance is a significant driver of Data Mapping, Data Minimization and Data Purging, but that doesn’t have to be the only reason. Data propagates at an incredible pace today and will continue picking up speed in years to come.

Instituting these Data Mapping reviews regularly will allow organizations to proactively align with regulations and keep their data environment primed to truly leverage its power. If carried out right, Data Mapping may be the game changer companies are looking for.

About the Author

David Grazer is a consultant at Tevora, an Orange County-based management consulting company.