Amidst the diverse demands of today’s privacy regulations, businesses can count on one tool to streamline compliance: an effective data map that provides a complete, accurate, and current view of the data that business holds. Building this requires moving beyond a manual spreadsheet approach to automated data mapping tools. Let’s look at why this is true.
A data map is an inventory of personal data that a business gathers, processes, and retains. To keep pace with expanding data flows and evolving regulations, some degree of automation is crucial in upholding a business’s data privacy compliance function. Think about it: what sort of effort would it take your business to manually inventory all the data that’s sitting in email platforms, CRM systems, payment platforms, and more? However, because data privacy is such a new area of operation for so many businesses, automated approaches to data mapping are rare.
When we surveyed 85 companies about one year ago, we found that 75% still implement manual methods to manage data privacy.
Creating a data map is not just a formality to comply with regulations like GDPR or CPRA. An accurate, scalable data map is an asset in itself, enabling a business to efficiently complete tasks like Data Subject Requests and to clearly identify all processors of users’ data.
We’ll walk through three pitfalls of spreadsheet-based data mapping and then consider how automation can help solve these challenges facing businesses in 2021.
It’s no surprise that data-driven business has become increasingly complex, but the pace and scale of heightened complexity are staggering. For a business to process consumer data, that data passes through greater numbers of third parties than ever before. In 2019, the International Association of Privacy Professionals reported that 90% of privacy professionals’ firms use third parties for data processing. Gartner recently found that 71% of surveyed organizations used more third parties than they had three years prior, with an expectation for third-party networks to grow even faster through 2022.
Manually keeping pace with this greater complexity will prove an increasing burden on businesses. Not only can businesses expect there to be a larger number of parties through which data flows; there will also be a larger amount of data to map. For instance, global consumer spending on Internet of Things products, some of which gather massive streams of information including biometric data, is projected to increase over 10% in 2021 and sustain double-digit growth into 2024.
With regulations like GDPR and CPRA setting new privacy expectations worldwide, proper retention of data is vital for businesses to comply with a global network of regulatory demands. More and more, users are expecting companies to (1) only process their data when there is a legitimate purpose for such processing and (2) only retain their data for as long as necessary. But first-class data retention isn’t as simple as “hard-deleting” all information after a certain amount of time. Retention capabilities must be far more nuanced. For example, vital operations like taxes and audits impose their own requirements on businesses’ data retention. In addition to the growing complexity of data flows, the regulatory stakes for effective data retention are higher. The manual enforcement of retention policies in 2021 risks overwhelming a business with paperwork, and as data flows grow, even these efforts do not safeguard against retention non-compliance and any subsequent penalties.
Data-driven businesses rely on the ingenuity of their teams, and every hour spent constructing and maintaining a manual data map is an hour lost on innovation. Any data mapping effort will take time, but a manual undertaking can take months, sometimes years, to implement. Even then, a data map is not a static object. A new third party in a business’s tech stack or a new privacy regulation could require a rework of the map. The cycle perpetuates itself, with increased time and energy spent on manual data mapping as data flows proliferate and regulatory stakes rise.
In contrast to manual mapping, businesses should look to hybrid and automated data mapping. As the name suggests, a hybrid approach leverages the efficiency of automation while retaining the nuance of human review. Business personnel bring knowledge of both users’ data and the company’s needs to guide the data mapping, while a trained AI model processes the large databases. Members of the business tasked with data mapping, such as the Data Protection Officer, can also validate and analyze the automated output to ensure that it meets regulatory requirements.
Bringing automation into data mapping will give businesses the agility needed to adapt to evolving data flows and retention requirements, without overwhelming company personnel. Instead of being derailed by the introduction of a new data category at some time after the data map’s creation, automated data mapping empowers businesses to quickly update their representation of complex data flows.
With help from Ethyca, businesses can save precious time and resources in implementing automated data mapping tools, enabling them to focus their energy on their next innovation. We’ve written a lot on the importance of data mapping and the value of automated approaches.