Amidst the diverse demands of today’s privacy regulations, businesses can count on one tool to streamline compliance: an effective data map that provides a complete, accurate, and current view of the data that the business holds. Building this requires moving beyond a manual spreadsheet approach to automated data mapping tools. Let’s look at why this is true.
A data map is an inventory of personal data that a business gathers, processes, and retains. To keep pace with expanding data flows and evolving regulations, some degree of automation is crucial in upholding a business’s data privacy compliance function. Think about it: what sort of effort would it take your business to manually inventory all the data that’s sitting in email platforms, CRM systems, payment platforms, and more? However, because data privacy is such a new area of operation for so many businesses, automated approaches to data mapping are rare.
When we surveyed 85 companies about one year ago, we found that 75% still implement manual methods to manage data privacy.
Creating a data map is not just a formality to comply with regulations like GDPR or CPRA. An accurate, scalable data map is an asset in itself, enabling a business to efficiently complete tasks like Data Subject Requests and to clearly identify all processors of users’ data.
We’ll walk through three pitfalls of spreadsheet-based data mapping and then consider how automation can help solve these challenges facing businesses in 2021.
It’s no surprise that data-driven business has become increasingly complex, but the pace and scale of heightened complexity are staggering. For a business to process consumer data, that data passes through greater numbers of third parties than ever before. In 2019, the International Association of Privacy Professionals reported that 90% of privacy professionals’ firms use third parties for data processing. Gartner recently found that 71% of surveyed organizations used more third parties than they had three years prior, with an expectation for third-party networks to grow even faster through 2022.
Manually keeping pace with this greater complexity will prove an increasing burden on businesses. Not only can businesses expect there to be a larger number of parties through which data flows; there will also be a larger amount of data to map. For instance, global consumer spending on Internet of Things products, some of which gather massive streams of information including biometric data, is projected to increase over 10% in 2021 and sustain double-digit growth into 2024.
With regulations like GDPR and CPRA setting new privacy expectations worldwide, proper retention of data is vital for businesses to comply with a global network of regulatory demands. More and more, users are expecting companies to (1) only process their data when there is a legitimate purpose for such processing and (2) only retain their data for as long as necessary. But first-class data retention isn’t as simple as “hard-deleting” all information after a certain amount of time. Retention capabilities must be far more nuanced. For example, vital operations like taxes and audits impose their own requirements on businesses’ data retention. In addition to the growing complexity of data flows, the regulatory stakes for effective data retention are higher. The manual enforcement of retention policies in 2021 risks overwhelming a business in paperwork, and as data flows grow, even these efforts do not safeguard against retention non-compliance and any subsequent penalties.
Data-driven businesses rely on the ingenuity of their teams, and every hour spent constructing and maintaining a manual data map is an hour lost on innovation. Any data mapping effort will take time, but a manual undertaking can take months, sometimes years, to implement. Even then, a data map is not a static object. A new third party in a business’s tech stack or a new privacy regulation could require a rework of the map. The cycle perpetuates itself, with increased time and energy spent on manual data mapping as data flows proliferate and regulatory stakes rise.
In contrast to manual mapping, businesses should look to hybrid and automated data mapping. As the name suggests, a hybrid approach leverages the efficiency of automation while retaining the nuance of human review. Business personnel bring knowledge of both users’ data and the company’s needs to guide the data mapping, while a trained AI model processes the large databases. Members of the business tasked with data mapping, such as the Data Protection Officer, can also validate and analyze the automated output to ensure that it meets regulatory requirements.
Bringing automation into data mapping will give businesses the agility needed to adapt to evolving data flows and retention requirements, without overwhelming company personnel. Instead of being derailed by the introduction of a new data category at some time after the data map’s creation, automated data mapping empowers businesses to quickly update their representation of complex data flows.
With help from Ethyca, businesses can save precious time and resources in implementing automated data mapping tools, enabling them to focus their energy on their next innovation. We’ve written a lot on the importance of data mapping and the value of automated approaches.