Data mapping: building a strong foundation for cybersecurity and data privacy
Feb 09, 2023 · Authored by Mike Vanderbilt
Now more than ever, data is the lifeblood of any modern organization. At the most basic level, all organizations must collect, store, use and process data to provide employment to its people and to provide products and services to its customers. While data is a broad term, for the sake of this article let’s define data as information that has value and let’s consider personal data as any information (regardless of sensitivity) that allows us to identify an individual either by itself or when combined with other data.
Whether your organization is trying to comply with the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), General Data Protection Regulation (GDPR), California Consumer Protection Act (CCPA), or some other four- or five-letter data privacy regulation, or trying to align with a cybersecurity or data privacy framework, one thing rings true: you must know your data. What do we mean by "know your data"? Quite simply, although there is nothing simple about it, organizations need to understand what data they process and be able to answer the following questions:
- What data do we have? (e.g., customer data, applicant data, or employee data)
- Where did it come from? (e.g., directly from our employees, from a vendor, or from a partner)
- Who does it belong to? (e.g., the employee, the customer, or a potential customer who might be interested in our products or services)
- Why do we have it? (e.g., to provide employment, to fulfill a contractual obligation, to inform interested parties, or for government reporting)
- How do we use it? (e.g., to fulfill a transaction, to provide benefits, or for targeted advertising)
- Where is it stored? (e.g., in our data center and associated applications, with a service provider, on employee laptops, or in a filing cabinet)
- Who do we share it with? (e.g., our service providers, affiliates, local/state/federal governments, or vendors)
- How is it protected? (e.g., is it encrypted, is access restricted, or are other controls in place)
- When will it be deleted or anonymized? (e.g., in 10 years, when the transaction has concluded, or when it has reached the end of its useful life)
- How sensitive is it to the individual? (e.g., sensitive - exposure would be highly likely to have a negative impact on the individual’s rights and freedoms)
- Is the data regulated? (e.g., is it regulated at the state level (CCPA), national level (HIPAA), or by an international regulation or law (GDPR))
While it’s clear that answering these questions will give an organization better insight into its data and data processing activities, it may be difficult to see how these questions can not only be answered but also formally documented and maintained. This is where a data map comes in. In fact, most experts agree that data mapping is the single most important step to ensure compliance with any data privacy regulation. In other words, you have to know your data!
Tips for effective data mapping
In some ways, creating a data map is as it sounds. It starts with creating or accepting a template. With that said, a data map can take on many forms and, while the term "data map" may conjure visions of a network diagram or some other complicated graphical representation of the organization’s systems, capturing the answers to the questions above in a spreadsheet or tabular format will often be most effective and easiest to maintain. It should be noted that while network diagrams and data flow diagrams have their place and can be extremely important to an organization, they don't take the place of a data map; however, they can be excellent resources when creating and maintaining a data map.
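The tabular form described above lends itself to automated review: once each question is a column, a short script can flag rows where a question is unanswered or where the answers contradict each other (sensitive data with no encryption, regulated data with no retention period). The following is an added example, not code from the original article; the column names and the three-row data map are constructed for illustration.

```python
import csv
import io
from typing import Dict, List, Tuple

# Column names are constructed here; each mirrors one "know your data" question.
COLUMNS = ["data_set", "source", "subject", "purpose", "use", "storage",
           "shared_with", "protection", "retention", "sensitivity", "regulation"]

# Constructed sample data map in the tabular form the article recommends.
# An empty cell means "unknown"; write "none" when the answer really is "none".
SAMPLE_MAP = """\
data_set,source,subject,purpose,use,storage,shared_with,protection,retention,sensitivity,regulation
HR records,employees,employee,provide employment,benefits,HRIS (SaaS),payroll vendor,encrypted;access restricted,7 years after termination,sensitive,none
Health claims,customers,customer,fulfil contract,claims processing,data center app,insurer,access restricted,,sensitive,HIPAA
Marketing leads,partner,potential customer,inform interested parties,targeted advertising,employee laptops,none,,,low,CCPA
"""


def load_data_map(text: str) -> List[Dict[str, str]]:
    """Parse a CSV data map and reject one that lacks a question column."""
    reader = csv.DictReader(io.StringIO(text))
    missing = set(COLUMNS) - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"data map is missing columns: {sorted(missing)}")
    return [{col: (row.get(col) or "").strip() for col in COLUMNS} for row in reader]


def find_gaps(rows: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (data_set, finding) pairs a privacy reviewer should follow up on."""
    findings = []
    for row in rows:
        name = row["data_set"]
        encrypted = "encrypted" in row["protection"].lower()
        for col in COLUMNS:
            if not row[col]:  # a blank cell is an unanswered question, not a "no"
                findings.append((name, f"unanswered: {col}"))
        if row["sensitivity"].lower() == "sensitive" and not encrypted:
            findings.append((name, "sensitive data without encryption"))
        if row["regulation"].lower() not in ("", "none") and not row["retention"]:
            findings.append((name, "regulated data without a retention period"))
        if row["storage"].lower().startswith("employee laptop") and not encrypted:
            findings.append((name, "stored on endpoints without encryption"))
    return findings


if __name__ == "__main__":
    for data_set, finding in find_gaps(load_data_map(SAMPLE_MAP)):
        print(f"{data_set}: {finding}")
```

The checks are deliberately simple; the point is that a consistently structured map makes such gaps mechanically visible, which a set of disconnected network diagrams does not.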
Data mapping is a foundational component of data privacy (and cybersecurity) and a vital step in maintaining compliance with any data privacy regulation. That said, the GDPR is the only regulation, to date, that requires that a data map (referred to as Records of Processing Activities, or RoPA) be completed and made available to regulators upon request. Sadly, unless otherwise compelled to do so by the GDPR, most organizations skip over the data mapping step in their attempt to be compliant with HIPAA or GLBA, for instance, as it is not a "requirement" and, in doing so, struggle to gain a complete understanding of the data in their possession.
Preparing for the future
As we continue to see an increase in both regulations and the amount of data organizations process, data mapping will become more important, and organizations should consider the benefits of looking at all the data they process (taking a holistic approach) rather than simply creating a mapping for each regulated data set.
Not only may organizations find that maintaining 5-10 data maps in different formats, completed and managed by different teams, is near-impossible compared to creating and maintaining one comprehensive map, but this strategy could also leave the organization unprepared for the next four-letter data privacy regulation that is lurking around the corner.
So, whether you are trying to comply with the CPRA, the GLBA or another data privacy regulation, or if you’re simply trying to update your privacy policy for transparency purposes, consider starting by mapping your data and ensuring that you can answer all the questions outlined above.
You can find more information on data mapping and free templates (based upon the requirements of the GDPR) on the UK's Information Commissioner's Office website.
To learn more about how data mapping can help your organization comply with data privacy regulations, align with cybersecurity frameworks, and prepare your organization for compliance efforts, connect with us.