Platform
- The Osano Platform Overview
  
  Get an overview of the simple, all-in-one data privacy platform
- Features & Integrations
  
  Key Features & Integrations
Solutions
- By Regulation
- CPRA
  
  Discover how Osano supports CPRA compliance
- CCPA
  
  Learn about the CCPA and how Osano can help
- GDPR
  
  Achieve compliance with one of the world’s most comprehensive data privacy laws
- By Organization Type
- Start-Up
  
  Don’t let data privacy compliance get in the way of growth
- Mid-Sized
  
  Preserve your competitive edge
- Enterprise
  
  Manage data privacy at scale
- By Use Case
- Consent Management
  
  Manage consent without the complexity
- DSAR Automation
  
  Never miss a DSAR deadline again
- Privacy Program Management
  
  Build and grow an end-to-end privacy program
- Vendor Risk Management
  
  Regain insight and control over your customers’ data
Resources
- Resources
  
  Key resources on all things data privacy
- Articles
  
  Expert insights on all things privacy
- Resource Center
  
  Key resources to further your data privacy education
- Customer Stories
  
  Meet some of the 5,000+ leaders using Osano to transform their privacy programs
- U.S. Data Privacy Laws
  
  A guide to data privacy in the U.S.
- Product Updates
  
  What's the latest from Osano?
- Become a Privacy Insider
  
  Data privacy is complex but you're not alone
- The Newsletter
  
  Join our weekly newsletter with over 35,000 subscribers
- The Podcast
  
  Global experts share insights and compelling personal stories about the critical importance of data privacy
- The Book
  
  Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start a privacy program
- Events
  
  Upcoming webinars and in-person events designed for privacy professionals
Latest Blog post

Data Privacy and Security: What’s the Difference?

Information has always been a form of currency in society—from buying...
Read Now
Company
- About Us
  
  The Osano story
- Careers
  
  Become an Osanian and help us build the future of privacy!
- Contact
  
  We’re eager to hear from you
- Our Pledge
  
  No fines, no penalties
- Data Licensing
  
  Add Osano data privacy ratings and recommendations to your application
- Osano Swag Store
  
  Increase Trust. Stay Compliant. Get Cool Swag.
- Press & Media
  
  Inquiries and Osano in the news
- Partners & Resellers
  
  Interested in partnering with us?
Pricing
Sign In Book a Demo

Data Mapping

CCPA/CPRA Data Mapping: The Why, What, and How

Matt Davis, CIPM (IAPP)

Updated: September 20, 2024

Published: September 25, 2023

Sign up for our newsletter

How often does the word “right” show up in the text of the CCPA/CPRA?

Over 100 times.

Out of all those references to rights, it doesn’t seem that the rights of businesses are often discussed. In the CPRA, consumers get all the rights, while the word businesses are most associated with is “responsibility.”

Businesses that are subject to the CPRA have responsibilities to their consumers—responsibilities to manage the proliferation of personal data across their organization, responsibilities to respond to consumer requests, responsibilities to protect consumer data, and more.

The only way to attend to those responsibilities is to know where you collect personal data, where you process it, where it’s sent, whether or not it’s adequately protected, and whether or not it's being treated compliantly.

In essence, if your business is subject to the CPRA, then it is imperative that you map your data and data processing activities. We’ll explain why and how in this article.

CCPA/CPRA Data Mapping Requirements

Like most data privacy regulations, the CPRA does not directly require you to map your organization’s data. However, if you knowingly refuse to map where, how, and why your organization processes personal information, then any violations that take place associated with unmapped (and therefore unknown) personal information under your control could be construed as negligence.

If you don’t map your organization’s personal data processing activities, how will you:

Respond to consumers’ subject rights request for a summary of their personal information under your control?
Delete a consumer’s personal information upon request?
Know which service providers, third parties, and contractors are handling personal information, and therefore which contracts require data processing addenda?
Ensure that you’re processing the minimum amount of data necessary—and are therefore taking on the minimum amount of risk?

Moreover, the CPRA not only requires you to manage the personal information you collect, but it also creates the concept of sensitive personal information.

Sensitive personal information includes data with the potential to cause harm to the associated consumer if it should be left unprotected, such as their medical information, social security number, sexual identity, and more. In order to apply the higher level of protection required by the CPRA to this information, you’ll need to engage in sensitive data discovery to identify where it lives and flows in your organization.

The “How-To” of CPRA Data Mapping

How do you actually approach mapping your organization’s data in the context of the CPRA? There are a few different strategies, each of which will suit different kinds of organizations.

Manual Mapping With Spreadsheets

For very small organizations or organizations who know they have only a handful of essential systems to map, the manual approach can work.

Under this approach, you’ll develop spreadsheets that log all relevant compliance information associated with a given store of personal information, such as who owns or controls the systems, where the data is sourced from, where it is sent to, and so on.

Once your spreadsheet library is complete, you can simply contact the system owner to carry out any requisite tasks, such as fulfilling DSARs and auditing contracts for data processing addenda.

It doesn’t take much to see the flaws in this approach, however; if you have any more than a handful of systems that process personal data, then the task of creating and maintaining a spreadsheet-based data map quickly becomes untenable. In fact, the average company uses 130 different SaaS applications—many, if not most, of those systems will be handling consumer data in some fashion.

That’s treating each system as equal, too. In reality, some systems will contain more or less personal information, sensitive personal information, subsystems, connected vendors, and so on.

Homegrown, Data Science-Driven Approaches

Some organizations may have data science resources in place, whether that’s a team of experts, a homegrown solution, or an off-the-shelf business intelligence tool. These businesses are in a better position to map their organization’s data for CPRA compliance than those relying on the manual approach—but there are still issues to overcome.

For one, multipurpose data science resources will be in high demand. After all, data science falls under the broader umbrella of business intelligence—compliance isn’t typically thought of as a business intelligence activity. Although a data science asset will technically be faster at CPRA data mapping than a manual approach, you may have to wait a long time before it’s “your turn.”

Then, there is also the likelihood that a homegrown approach to CPRA data mapping will still require a great deal of manual effort. Data science experts aren’t data privacy and compliance experts after all; they’re data science experts. A privacy professional will need to review the output and fill in the metadata necessary to make your data map actionable from a compliance perspective.

Dedicated Privacy Approaches

Given how essential data mapping is to an effective privacy program, there are data mapping solutions designed specifically for data privacy and compliance professionals. Osano Data Mapping is one such example.

Rather than rely on manual discovery or require data science expertise, Osano Data Mapping quickly uncovers systems that contain personal information by integrating with your Single Sign On (SSO) provider.

Based on criteria like the number and types of data fields, vendor flows, and identities managed, Osano Data Mapping assigns systems a risk score that enables privacy professionals to prioritize by risk and effort. Any systems that live outside of your SSO can be easily mapped using an automated workflow that keeps external stakeholders alert to any outstanding tasks.

The benefit of using a privacy-focused solution like Osano for CPRA data mapping is twofold:

It’s far easier and faster to use for privacy purposes (rather than general business intelligence purposes).
It surfaces mapped data for use in downstream compliance activities. The rest of the Osano Platform can use discovered systems and data in its DSAR, privacy assessment, RoPA, and other support capabilities, making the rest of a privacy professional’s job easier, too.

If you’re looking for a privacy-focused approach to CPRA data mapping, consider scheduling a demo of Osano today.

Schedule a demo of Osano today

DSAR Process Checklist

Need to establish a scalable, sustainable DSAR process? This checklist can guide your actions, helping you fulfill requests effectively so you can stay compliant and attend to your other business priorities.

Download Now

Matt Davis, CIPM (IAPP)

Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.

Blog

Check out some of our latest articles

Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.

View All Blog Posts View All Resources

Simplify Data Privacy Compliance

With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.

Book a Demo

The Osano Platform Overview

Cookie Consent

Subject Rights Management

Assessments

Unified Consent & Preference Hub

Data Mapping

Vendor Privacy Risk Management

Features & Integrations

Privacy Templates

GDPR Representative

Consult Privacy Team

Regulatory Guidance

Integrations

CPRA

CCPA

GDPR

Start-Up

Mid-Sized

Enterprise

Consent Management

DSAR Automation

Privacy Program Management

Vendor Risk Management

Articles

Resource Center

Customer Stories

U.S. Data Privacy Laws

Product Updates

The Newsletter

The Podcast

The Book

Events

Data Privacy and Security: What’s the Difference?

About Us

Careers

Contact

Our Pledge

Data Licensing

Osano Swag Store

Press & Media

Partners & Resellers

Data Mapping

CCPA/CPRA Data Mapping: The Why, What, and How

Matt Davis, CIPM (IAPP)

In this article

Sign up for our newsletter

Share this article

CCPA/CPRA Data Mapping Requirements

The “How-To” of CPRA Data Mapping

Manual Mapping With Spreadsheets

Homegrown, Data Science-Driven Approaches

Dedicated Privacy Approaches

DSAR Process Checklist

Matt Davis, CIPM (IAPP)

Matt Davis, CIPM (IAPP)

Share this article

Blog

Check out some of our latest articles

Essentials

Data Privacy and Security: What’s the Difference?

Privacy Program Management

5 Ways Privacy Pros Can Foster Collaboration Across the Business

News & Events

5 Takeaways from 2024’s Industry Events: A Privacy Pro’s Perspective

Simplify Data Privacy Compliance