Most people find data privacy compliance to be complicated enough. So, when they encounter the concept of data mapping—something that isn’t an explicit requirement in any data privacy law—many find themselves scratching their heads.
But then they dig a little deeper and come to understand that data mapping serves as the foundation of your privacy program and facilitates downstream compliance activities. Questions still abound, however, and Osano team members often answer questions on similar topics and themes. In this blog, we dive into a few of those common queries.
Note that this blog assumes you have some familiarity with data mapping in general. If you’re curious about what data mapping is fundamentally, check out Data Mapping 101: A How-to Guide.
Once people understand the benefits of data mapping and especially data mapping for data privacy compliance, the next question they ask tends to center on how data mapping solutions work.
Personal data is difficult to keep a hold of. Even if you have excellent data governance practices and a mature privacy program, personal data is still going to be collected and processed in some wayward data store that may not be integrated with any other systems. Not to mention that before your data governance practices can mature, you need to discover where data is processed throughout your organization—i.e., by mapping it.
Personal information can live in on-prem systems, in the cloud, in non-integrated or air-gapped systems, or even in paper forms. How do automated solutions gather information from all of these sources?
The first thing to know is that 100% automation is not feasible. No matter what, there will be some manual effort involved in data mapping (at the very least for verification purposes).
However, automated data mapping solutions should automate as much as is prudent and facilitate those manual efforts. Often, these solutions will integrate with systems that are themselves integrated with many other sources, such as your single sign-on (SSO) provider or customer data platform (CDP). Through these systems, your data mapping solution can discover, analyze, tag, and map the systems that store and process personal data.
But there will still be unintegrated, disconnected data stores. They’re one of the reasons why you’ll want a data privacy-focused mapping solution. Let’s use Osano as an example.
If you use the Osano Platform for data mapping, you’ll also have access to its assessments tool. This tool guides you through the process of making different privacy assessments, including the assessment process for analyzing and categorizing data stores for privacy compliance. Once complete, Osano lets you incorporate assessment findings into your data map, making it easy to account for non-integrated, non-automatable data stores in your organization’s privacy ecosystem.
Yes, but it’s not recommended. Manual data mapping would involve developing an assessment questionnaire, sending that around to your organization’s team leads and vendors, following up with them to get the requisite information, and plugging all that into a spreadsheet. You might then choose to use a data visualization tool to get a real, visual data map to review.
Obviously, this will take a long time to complete. But you could cut corners—you could, say, put this responsibility on your operations team since they will likely have the best sense of which systems collect, process, and transfer personal information in your organization. That approach would cut down on the bottlenecks created by interviewing multiple stakeholders, but it almost certainly means you will miss some data store or another.
It’s really difficult to stop individual employees and teams from using systems and tools without first consulting your procurement, operations, or privacy teams. And odds are, if your organization is inclined to take the manual approach to mapping data privacy, it may not have a full understanding of what activities and data usages are subject to data privacy laws, making it even more difficult to get a full picture of which data stores represent risk.
Often, we field requests for manual data mapping templates. It’d be nice if there was a pre-built Excel spreadsheet out there you could just plug information into. Unfortunately, they don’t really exist. The issue isn’t so much about having the right fields to account for all your information—it’s about having the knowledge and resources needed to execute the data mapping process. Thus, manual data mapping can be a good one-time exercise to get a sense of the knowledge and resources needed, but almost every organization subject to a data privacy law will reduce their workload and risk by choosing an automated solution.
We field a lot of questions around what the best approach is for, say, a small business as opposed to a large enterprise. It’s true that these organizations have different needs and constraints, so it’s a great factor to keep in mind.
Smaller organizations are the most likely to be able to get away with manual data mapping, but they also have the most risk. For one, noncompliance fines could be a matter of life or death for a smaller organization. Furthermore, an early data privacy fine could hurt your organization’s brand at a time when you need to be putting your best foot forward. Lastly, smaller organizations have fewer available team members—thus, having an individual spend a significant chunk of their time updating a manual data map takes away from revenue-generating activities they could focus on instead.
But small organizations do have fewer systems in place. It’s possible for them to map their data manually, and doing so can even be a positive experience that clarifies requirements. In the long-term, though, the higher upfront cost of an automated solution will likely earn a return and grow with the organization.
Medium-sized organizations face many of the same issues. Noncompliance can still be an existential threat, and team members still have limited bandwidth to support compliance. Only now, there are far more systems to map—as a result, medium-sized organizations are almost certainly better off with an automated solution that can cover the scope of their organization.
Larger organizations will already have something like a data mapping solution in place. Healthy data governance and security is a must-have at this scale. However, their solution may not be privacy-focused, which creates a bottleneck as both privacy and non-privacy teams vie for access to data science resources. Furthermore, these data science resources will be poorly optimized for the work of managing data privacy and compliance.
Larger organizations that choose to enable their privacy team with a privacy-focused approach to data mapping should consider mapping their data on the departmental level rather than organization-wide. This does create the opportunity for gaps, but an organization-wide data map may be too dense to be useful; in either case, there are risks.
Data maps should be refreshed on both a regular basis and when triggered by certain events. Your ability to refresh your data map will depend on the specific approach you choose to take. Some automatic data mapping solutions may keep your data map perpetually updated 90% of the time—the exception being when your organization adds a new, non-discoverable data store or flow.
Other solutions will be more of a process, in which case updating your data map on a quarterly or biannual basis could be a good cadence.
Naturally, if you’ve taken a manual approach, you’ll struggle to update your data map at all on any sort of regular schedule, which is why we haven’t recommended this for the majority of organizations.
However, these regular refreshes are simply meant to catch changes that have slipped through the cracks and ensure compliance risk remains minimal. You’ll also want to update your data map when add any new systems that process, store, and/or collect personal information or if an existing system undergoes changes that impact its data-handling procedures.
For one, a privacy-focused data mapping solution would be owned by, or at least readily accessible to, the privacy team. More generalist data mapping tools will belong to the larger organization, and they’ll typically be put to use for business intelligence purposes. Thus, privacy-focused data mapping tools can be put to use on the repeated and as-needed cadence we described above.
But perhaps more importantly, privacy-focused mapping tools make the rest of data privacy compliance easier. Often, these solutions will have capabilities that help you complete RoPAs, fulfill DSARs, identify sensitive personal information, and more.
We often field questions about how to actually complete an impact assessment or where to find the information needed for a DSAR. Individuals asking these questions are sometimes undertaking a compliance task for the first time and need guidance. Or they’ve done these tasks several times, maybe many times, and are frustrated with how slow the process is.
The answer to these issues is data mapping.
Assessments like DPIAs, PIAs, and RoPAs all require you to identify data flows, the involvement of sensitive data, whether data will be transferred across borders, existing security measures, where the data will be stored, and so on. Not only do data maps make it faster to source this information, they also ensure that information is accurate. Given the amount of shadow IT and unknown data flows that the typical organization has almost guarantees that a privacy assessment will be inaccurate without a robust data map in place. (In fact, one report suggests that the average organization has 975 unknown cloud services).
DSARs have a clear benefit from a well-designed data map. If you don’t know where a given consumer's data exists, you can very well comply with their request to delete or summarize their personal information. And even if you can, you’ll want to be able to complete them quickly and at scale within the 30- or 45-day period mandated by law.
Data privacy regulations are meant to encourage businesses to protect consumer data privacy rights. There are a multitude of ways this overarching requirement is expressed, such as through DSARs and assessment requirements. If you don’t know everything there is to know about the consumer data you have, your ability to meet that overarching requirement will be hamstrung.
Naturally, the question we receive the most is about Osano’s data mapping solution. You can find the answers to most questions on our Data Mapping product page. Or if you’d rather pose your questions directly to an expert, consider booking a demo.
(After all, a blog post can’t give you all the answers).