Data Mapping

Data mapping helps organizations track and record the personal information they collect and process. Data mapping can help you organize and analyze the data you handle and comply with privacy laws. If you deal with any amount of personal data, you should understand what data mapping is and how you can implement it in your business.

This article will explain what data mapping is, how it relates to privacy laws, the benefits of data mapping, whether data mapping is legally required, and the best data mapping techniques for your business.

What is Data Mapping?

Data mapping is the process of organizing the categories of data you collect. It provides you with a way to observe and analyze data from multiple sources and understand how it flows through your organization.

While the extent of a data map depends on the size of your business and the amount of data you collect, most data maps include information about the types of data you collect, what you do with the data and why, and how you store, transfer, and keep the data you collect secure.

Is Data Mapping Required?

While data mapping itself is not legally required, it can help you comply with privacy laws such as the European Union's (EU) General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA).

These laws are setting the standard for new state and global privacy legislation, meaning that compliance with their requirements can help set you up for compliance with future laws, even if you aren't subject to current regulations.

GDPR

The GDPR requires applicable organizations to keep records of the data they process. Records of Processing Activities should include the following information:

• What data is processed
• A description of data subjects
• Why and how data is processed
• Names and contact information of data controllers and data processors. (Controllers are individuals or entities that make decisions about how to use personal data. Processors are individuals or entities that process personal data on behalf of data controllers.
• Recipients of data, including international entities
• How data is kept secure during transfer
• When data will be erased

Data mapping can help organizations comply with the GDPR's Record of Processing Activities requirements by maintaining a record of the above information.

Article 30 of the GDPR explains that all data controllers must maintain a Record of Processing Activities that includes the name and contact information of the data controller and data protection officer, the reasons why collected data is processed, and the categories of personal data being processed:

CCPA (CPRA)

While not legally required, data mapping can help organizations subject to the CCPA (CPRA) comply with the law by providing a way to track data and respond to consumer requests concerning their data.

Part 2 of Section 1798.130 of the CCPA explains that organizations must respond to consumer requests to correct or delete their personal information within 45 days of receiving a request and that they must deliver information from a period of at least 12 months prior to when the request was made.

The CCPA requires applicable businesses to maintain a Privacy Policy that describes the personal information they collect. Data mapping can help you keep your Privacy Policy up to date and compliant by providing an accurate representation of how you collect and process personal information.

Many privacy laws require applicable organizations to fulfill certain obligations, including:

• Using a Privacy Policy to inform consumers about the types of data they collect and what they do with it
• Responding to consumer requests concerning their personal data
• Filing regular reports about their data processing activities

Data mapping can help provide you with the information you need to complete your Privacy Policy, respond to consumer data requests, and submit your data processing reports.

Why Data Mapping is Useful

There are several benefits to data mapping, including making information about your data systems easily accessible, functioning as a preliminary step in data integration, and helping to keep your organization in compliance with privacy laws.

Accessible Location

Data mapping helps you keep the information about the data you collect and how you use it in one accessible, secure location. Having the ability to easily locate and access information about the data you collect simplifies data analysis and alteration processes.

Data Integration

Data integration combines data from multiple sources into a single data set. Data integration can help you optimize analytics and the daily operations of your business by removing duplicated data and uniformly formatting the data. Data mapping helps to ensure the accuracy of data before it is integrated.

Privacy Law Compliance

Data maps can help you comply with local and international data protection laws by recording required information and drawing attention to areas of your data collection and processing systems that need adjustments.

Data mapping fulfills certain privacy law requirements by recording data processing activities, helping organizations respond to consumer requests about their data, and providing the information necessary to create and maintain updated Privacy Policies. Using data maps to track and analyze your data systems can help bring attention to any problems that could become legal issues.

What Does Data Mapping Keep Track of?

The Types of Data You Collect

Data mapping provides information about where the data you collect comes from, whether the owners of that data are aware their data has been collected, and what types of data you have collected.

Data Sources

Your data map should track where you get personal data from. Data sources can include data subjects (people who can be identified using personal data) and third parties.

Consumer Consent

You should keep track of whether you have obtained consent to collect and use consumers' personal data. Consumers should actively consent to data processing, which means that your organization should require consumers to tick a checkbox or adjust their app settings to signify their consent before having their data collected.

Consumers signing up to join Harrods' Rewards Program must tick a checkbox affirming that they wish to receive marketing emails:

Data Categories

The types of data you collect can include both personal and sensitive data.

Personal data is any information that can be used, on its own or combined with other information, to identify an individual. Personal data can include names, email addresses, home addresses, phone numbers, birthdays, credit card numbers, and IP addresses.

Sensitive data is a special category of personal data that can include religious beliefs, sexual orientation, and genetic data. You should take extra care when processing sensitive data.

Your Reasons for Collecting and Processing Data

Your data map should include the reasons why you collect and process personal data.

Processing data is defined as any operations performed, either manually or automatically, on personal data. These operations can include (but are not limited to) collecting, recording, storing, altering, retrieving, using, transmitting, and destroying personal data.

Data should only be processed when necessary to the functioning of your organization, and your data map should include your reasons for processing data.

Some reasons for processing data might include marketing, analytics, communication, sales, and delivery purposes.

Patagonia's Privacy Policy explains that it collects personal information from consumers for many reasons, including to process and ship orders, respond to questions and requests, and for communication, analysis, security, customization, and marketing purposes:

Where You Store Data

Your data map should document where you store data, whether in an external database or within your organization.

How Long You Keep Data

You should keep track of how long you keep the data you collect, and what you do with it once you are done using it.

How You Keep the Data Secure

The data you store and transfer (and the data mapping procedure itself) needs to be protected at every step. That means that you should have trained staff and technical and physical security procedures in place to keep data safe.

Technical security methods can include firewalls, antivirus and antispyware software, and strong passwords.

Physical security measures can include security cameras and guards to protect your servers or offices. Combining technical and physical security methods with trained staff is an effective way to keep the personal data you handle secure.

Where Data is Transferred to

Your data map should detail where data is transferred, both within your organization and to third parties. You should note whenever data is transferred to third parties located internationally.

Vigilant Software's Data Flow Mapping Tool demo video shows how data can move from a source to different targets, and what points the data moves through on the way:

Now that you see what data mapping is, let's look at why you'll want to do it. Here's why it's a very useful tool.

Data Mapping Methods

There are three essential data mapping methods: manual, automated, and semi-automated data mapping.

If you are a developer who understands coding and your organization deals with an extremely limited amount of data, you can use a manual data mapping method, which can be as simple as inputting data into a spreadsheet.

However, most organizations will benefit from using data mapping software that can automate the data mapping process, as these tools are designed to handle increasing amounts of data and can scale with your business.

There is also the option to combine manual and automated data mapping methods, which can be useful for organizations that handle small amounts of data and don't have a budget for automated data mapping tools.

Data Protection Officer (DPO)

It's a good idea (and in some cases, required) to have a data protection officer (DPO) on staff. A data protection officer is responsible for training staff, conducting security audits, and maintaining records of data processing activities.

A DPO can help organize information from different departments to create and manage data maps. Even if you aren't required to have a data protection officer, you should still put a trained individual or team in charge of your data mapping process.

Step-by-Step Data Mapping Process

No matter what method you use, there are a few essential steps to the data mapping process.

1. Determine what kind of data you are collecting. You should track the categories of data and where the data is coming from.
2. List all of the ways you process the data you collect. Your list might include collecting personal data through newsletter sign-ups or order forms or storing customers' personal data for future use, such as for email campaigns or advertising purposes.
3. Track privacy laws. It's important to stay informed about data protection laws that may apply to your organization, as well as any changes that are made to existing laws. Visit our TermsFeed blog regularly for insight into current and upcoming privacy law regulations.
4. Decide what data mapping tools to use. The right tools for the job depend on the size of your organization and the types and amount of data you collect and process.
5. Test your data mapping method to make sure it functions properly. You always want to test data mapping software to ensure that it works and is the best fit for your organization.
6. Start data mapping. Once you have tested your data mapping method, you can start implementing data mapping in your business.
7. Update regularly. You will need to consistently check in and regulate your data mapping process to handle new influxes of data and changes to existing data.

Summary

Data mapping is the process of organizing the data that flows through your business so that it is easily accessible and observable. Data mapping helps you analyze and make changes to your data collection and processing systems, comply with local and global privacy laws, and sets the stage for data integration.

A data map typically includes the following information:

• The types of data you collect, including where you get the data from, whether you obtained consent before collecting or processing the data, and whether the data you collected contains personal or sensitive information
• Your reasons for collecting and processing data
• Where you store data
• How you keep the data you collect safe
• Where you transfer data

While data mapping isn't necessarily required by current state and international privacy laws, it can still help you comply with certain regulations, such as the GDPR and the CCPA/CPRA.

Depending on the size of your organization, you can use manual, automated, or semi-automated data mapping techniques. Most organizations will benefit from using automated methods, as the amount of data in the modern digital era can be too much for an IT specialist with a spreadsheet to handle.

It's a good idea (even if not legally required) to appoint a data protection officer or another trained individual to manage your data mapping process.

The step-by-step data mapping process is as follows:

1. Determine what kind of data you are collecting
2. List how you process the data you collect
3. Stay up to date with the status of privacy laws
4. Choose a data mapping tool (or tools)
5. Test your data mapping tool(s)
6. Start data mapping
7. Maintain and update your data mapping plan