As consumer privacy continues to be a global concern, it is increasingly important to know where company data resides in order to maintain compliance. It is no longer just the European Union’s General Data Protection Regulation (GDPR) that organizations need to be mindful of when creating privacy compliance plans. Now, there are several other laws both in the U.S. and abroad that could generate additional obligations and cross-border issues. Other countries that have new privacy legislation or updates in the works include Brazil, Australia, Canada, and more. Looking stateside, California has updated the California Consumer Privacy Act (CCPA) and passed a second, stricter privacy law that becomes effective in 2023. Many other states, like New York, Nevada, and Maine, have also followed suit and are starting to create their own legislation.
Knowing that new privacy obligations are coming, and more are in the pipeline, deploying comprehensive data maps should be a top concern. Data mapping helps organizations know where data resides, implement sufficient safeguards, and efficiently govern information. These are foundational components of a successful privacy plan that will aid compliance teams with information requests, investigations, and overall data management.
Overview of Data Mapping
Most organizations are aware of data mapping and might even utilize this tool to some degree within their information management processes. Mapping entails identifying, understanding, and plotting what information an organization has, how the data flows through the organization, who has access to the data, and where the information is stored. Data mapping will look different for every organization and will likely require several moving parts. A sophisticated approach to data mapping includes the following steps:
- Assemble a cross-functional team to create and maintain the data map. While many larger organizations may already have a designated compliance team, data mapping will require collaboration between several departments to ensure that the information can be governed efficiently. Some important actors in this process should include legal, the board, and IT employees.
- Define the project plan and limit the scope to target data. In some instances, it will make more sense to only focus on mapping higher risk processing activities and explore the remainder of company data later. Project plans should be comprehensive and account for all relevant steps, team member responsibilities, and timelines.
- Gather relevant information. The goal here should be to successfully identify different information categories and risk levels, which includes uncovering dark data. To determine where relevant data resides the mapping team will need to circulate questionnaires, conduct interviews, and update retention policies.
- Prepare the data map and classify accordingly. Creating data labels will shine a light on where the organization is storing sensitive information so it can deploy appropriate protection measures. Utilizing one platform that can map all relevant information makes it easier to understand what data the organization collects, who has access to it, retention measures, and the purposes for use or disclosure. Technology that offers granular reports and dashboard visuals will also streamline compliance efforts.
- Maintain and update the data map. This is arguably the most crucial step of the process. Failure to monitor new information sources and workflow changes that would affect the data map will eventually decrease effectiveness and require the data mapping team to start from square one in the future. Technology that is explicitly designed to keep the information updated and to anticipate the dynamic reality of modern business, such as mergers, acquisitions, and divestitures, helps keep the map current.
Using a multi-disciplinary approach to data mapping will ensure that the process is effective and greatly aid with reaching privacy compliance.
Improving Privacy Compliance Plans
While creating data maps can be time-consuming and requires attention to detail, this is a crucial component of a successful privacy compliance plan. Understanding an organization’s data landscape is the only way to determine the need to become compliant with particular privacy and security laws, effectively protect data assets and networks, handle breaches more swiftly and strategically, and maintain compliance with laws imposing varying obligations.
One area where mapping proves very useful is when an organization receives a GDPR data subject access request (DSAR). A DSAR is a consumer or employee request for information about personal data – like usage purpose, retention, disclosure, and data sources. Other privacy laws that have emerged are offering consumers similar rights to request, review, correct, amend, and delete their personal data. Some laws also establish a right to data portability. Organizations will need to respond to these requests expeditiously to meet the required response timeline. While other challenges will remain (like the decision to implement one global standard of care or take a more regional approach to handling such requests), an effective data map simplifies and streamlines the task of responding to DSARs or other privacy law requests.
Besides aiding with DSARs, data mapping provides organizations with the ability to effectively classify data based on importance and value, properly assess risk and implement appropriate safeguards to reduce such risk, promote transparency with regard to data collection and handling practices, determine the best solutions and policies for data retention, and reveal the most efficient ways to govern company data.
Organizations should make data mapping the foundation of their privacy program and take a proactive approach to this process. Remember, this process will require continuous efforts and maintenance in order to reach peak effectiveness. However, initial and constant efforts will save organizations time and decrease risk for noncompliance. Knowing what data an organization generates and where it lives both inside and outside company walls is crucial to determine the best methods to protect and govern sensitive information. From physical documents to cloud data – everything needs to be accounted for, classified and labeled, protected, and maintained. Taking these measures and making detailed data maps will defeat hurdles before they have the chance to materialize and help organizations maintain privacy compliance from GDPR to CCPA and beyond.
For more information on data privacy laws, consider reading https://www.epiqglobal.com/en-us/thinking/ediscovery/white-papers/an-overview-of-the-ccpa.