Data mapping: building a strong foundation for cybersecurity and data privacy

Now more than ever, data is the lifeblood of any modern organization. At the most basic level, all organizations must collect, store, use and process data to provide employment to its people and to provide products and services to its customers. While data is a broad term, for the sake of this article let’s define data as information that has value and let’s consider personal data as any information (regardless of sensitivity) that allows us to identify an individual either by itself or when combined with other data.  

Whether your organization is trying to comply with the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), General Data Protection Regulation (GDPR), California Consumer Protection Act (CCPA), or some other four- or five-letter data privacy regulation or trying to align with a cybersecurity or data privacy framework, one thing rings true: you must know your data. What do we mean by "know your data?" Quite simply, although there is nothing simple about it, organizations need to understand what data you process and be able to answer the following questions: 

• What data do we have?  (e.g., customer data, applicant data, or employee data) 
• Where did it come from? (e.g., directly from our employees, from a vendor, or from a partner) 
• Who does it belong to? (e.g., the employee, the customer, or a potential customer who might be interested in our products or services) 
• Why do we have it? (e.g., to provide employment, to fulfill a contractual obligation, to inform interested parties, or for government reporting) 
• How do we use it? (e.g., to fulfill a transaction, to provide benefits, or for targeted advertising) 
• Where is it stored? (e.g., in our data center and associated applications, with a service provider, on employee laptops, or in a filing cabinet) 
• Who do we share it with? (e.g., our service providers, affiliates, local/state/federal governments, or vendors) 
• How is it protected? (e.g., it is encrypted, is access restricted, or are other controls are in place)  
• When will it be deleted or anonymized? (e.g., in 10 years, when the transaction has concluded, or when it has reached the end of its useful life)  
• How sensitive is it to the individual? (e.g., sensitive - exposure would be highly likely to have a negative impact on the individual’s rights and freedoms)