Data Mapping: Avoid the Spreadsheet Trap!

Written by Matt Davis, CIPM (IAPP) | September 6, 2024

In our recent webinar, It’s Time to Think About Data Mapping Differently, a poll revealed some interesting information: Nearly 50 percent of respondents house their data map in a spreadsheet. (Roughly 15 percent say they don’t have a data map at all, but that’s a topic for a different blog.)  

Based on our experience, this isn’t entirely unexpected. It’s common for privacy teams to use a spreadsheet to map where their organization collects, processes, and transfers consumers’ personal data. Many organizations seeking to improve their data privacy compliance posture will turn to the ubiquitous spreadsheet for help or follow the lead of other teams who adopted spreadsheets as data maps.  

Thinking of doing the same? Don’t go down that path.  

For organizations that are serious about data privacy management, a spreadsheet cannot compare to a dedicated data map. Like a pitcher plant, the spreadsheet lures you in with its familiar format and low cost. Before you know it, you’re prey to a labor-intensive asset that doesn’t help you achieve compliance (and in some cases, actually becomes a barrier). The allure of the spreadsheet is hard to resist, but for the sake of your company and your own sanity, please try.   

As with all traps, foreknowledge is your best defense against falling victim to the spreadsheet trap in the first place. Let’s break down how and why organizations fall into the spreadsheet trap and what alternative approaches they should seek when mapping their data. 

What Is Data Mapping? 

First, let’s review the basics of data mapping. 

Simply put, data mapping is the process of creating a detailed map that visualizes how personal information is stored, processed, and transferred across, into, and out of your organization. Most data privacy laws don’t have explicit requirements around data maps, but without one, achieving and maintaining compliance is a lot harder. Data maps are essential to meeting requirements like subject rights requests, data protection, vendor management, and more in a thorough and timely manner. 

As the name suggests, data maps are...maps. They literally visualize how data flows through your organization. Your data inventory, which contains the tags and metadata you need to understand your organization’s systems and data stores, is the structure behind that visualization. 

So Where Does the Spreadsheet Come In? 

A spreadsheet is not a map—but there’s a logical reason why many privacy teams turn to spreadsheets to map data.  

Though data privacy regulations have proliferated in the US and around the world and privacy management is becoming a bigger priority for businesses, many organizations still take a reactive approach to data privacy or view it as an afterthought.  

But then a similar organization gets hit with a fine for noncompliance. Or a regulator announces an investigative sweep that affects you. Or someone offhandedly mentions GDPR compliance in a meeting. Then data privacy becomes a priority, and you need to become compliant: Effective immediately.  

Panic sets in. And the spreadsheet is right there. 

It’s a known quantity that can help you fill in the gaps quickly. With it, you can track subject rights requests, fill out assessments, create your record of processing activities (RoPAs), and, of course, list out the systems where you store data and what kind of data you store. For a while, it works. 

The Advantages of a Spreadsheet 

Nothing is all bad, and that includes spreadsheet-based data maps. There are some advantages, including:

1. No Barrier to Entry 

Most people have access to spreadsheets, they’re straightforward to edit and modify, and the odds are good that somebody at your organization is a spreadsheet wizard.

2. Affordable (at First)

Spreadsheets come with most workplace application suites, whether it’s Google, Microsoft, or another player. Nothing’s cheaper than using a tool you already have. But there are hidden costs, which we will talk about in a moment. 

3. It Helps You Discover Requirements

If you don’t know the first thing about data mapping, you have to start somewhere. It can be helpful to create a spreadsheet and see where it meets your needs and where it doesn’t. Unsurprisingly, you’ll find there are a lot of things you wish your spreadsheet could tell you that it simply cannot. The exercise of trying to make it work can help you uncover what those wish list items are.  

The Disadvantages of a Spreadsheet 

The problems start when data mapping gets complicated, which it nearly always does sooner rather than later. Two drawbacks of spreadsheets in general become obvious immediately: they have limited automation capabilities, and they are highly prone to human error. But there are other disadvantages that apply to data mapping specifically.

1. Again, a Spreadsheet Is Not a Map

Maps are visual. They provide cues and at-a-glance insights that you can’t glean from rows and columns. With a true data map, you can see the relationship between systems, the flow of data throughout your ecosystem, where you have redundancies, and more. A spreadsheet can do a lot of things, but not that.  

A screenshot of an Osano-powered data map

2. Spreadsheets Can’t Scale

If you use a spreadsheet for data mapping, it will become unwieldy almost immediately. Most people underestimate the amount of data they need to account for. As a spreadsheet sprawls to accommodate more and more, it eventually becomes impossible to find necessary information. Not to mention, data and organizational growth is fast and dynamic. Updating your data map as you add or remove data, systems, and processing activities is itself a full-time job.  

3. Spreadsheets Live in Silos

Somebody’s going to own your data map. But effective data privacy compliance requires collaboration across the organization. Your IT team may know the most about the overall technology mix at play in your organization, but each team will control individual systems that may or may not be processing personal data. It needs to be easy for these other stakeholders to contribute to your data map. The first challenge is that spreadsheets are terrible for collaboration.  

But more critically, if your data map is in a spreadsheet, then it may be siloed in a drive that’s inaccessible to other stakeholders. And if the person who owns it leaves? You need to transition the data map to a new individual or, worse, risk losing that information completely.

4. Spreadsheets Put the Burden of Compliance on You

Do you have all of the know-how associated with data privacy regulations at your fingertips? What about when it all changes, as it does constantly?  

It’s a lot to ask for one person to know everything about the regulations that your organization is subject to, keep track of changes to those regulations, and quickly absorb the requirements of new regulations that affect you. It’s even more to ask that you track all that information in an unwieldy data map spreadsheet. That burden inevitably sets the privacy team up for failure and increases the risk of noncompliance. Don’t do that to yourself or your organization. 

So, What Do You Do? 

If spreadsheets aren’t the answer, what is? 

A true data mapping solution addresses all of the shortcomings of the spreadsheet: 

  • It provides visualization for quick insights into data relationships. 
  • It scales with your data and organization without increasing the workload. 
  • It enables collaboration across teams and departments. 
  • It’s designed to facilitate compliance with data privacy regulations. 

If you’re looking for a data mapping solution, there are a few things to keep in mind: 

You Want a Data Map Designed for Privacy Management 

You need a data map designed specifically for data privacy requirements. There are IT-driven data mapping solutions, but they focus on system-level mapping rather than the data those systems contain.

Furthermore, IT-driven data mapping solutions tend to be general-purpose, business-intelligence (BI) tools. Often, these solutions are managed by a data scientist or BI specialist—which means you’ll have to compete with other stakeholders for their time and expertise. While these IT-driven data mapping solutions are solving other business problems, data privacy compliance will have to wait in line. 

Make Sure Your Solution Minimizes Work 

Think about maintenance. For example, a solution that requires you to maintain a 1:1 solution for every data source in your organization will become extremely labor-intensive, especially if data lives in dozens or even hundreds of different systems (which is common, even in smaller organizations). Look for a system that lets you use “umbrella sources” to streamline data discovery and integration maintenance. 

From Spreadsheet to Data Map: It’s Easier Than You Think 

If your data map currently lives in a spreadsheet, you’re not irredeemably trapped—not by technology or the sunk-cost fallacy. Not only can you transition your spreadsheet data to a data map, but it’s also easier than you think. Many privacy pros have migrated from spreadsheets into more robust data mapping solutions without sacrificing the work they’ve already done—find out more in our migration guide. 

Or, to see for yourself how Osano does it, schedule a demo of Osano Data Mapping. We’ll be happy to walk through the ins and outs of our data mapping solution and how it can help you manage your organization’s data privacy compliance.