How To Build Your Company’s Data Map

Companies face mounting pressure to make effective use of their data. They also face a new wave of external compliance pressure stemming from new data privacy laws like GDPR and CCPA. In each case, a data map is the key to unlock the best data practices.

Whether you’re a privacy pro or just getting started, a comprehensive data map is the key to operationalizing privacy in your business. Our step-by-step guide can help you and your team get from start to finish.

At the very highest level, data maps let businesses see, at a glance, three crucial things:

• what personally identifiable information (PII) they possess
• why they possess it, 
• and how it’s being used. 

Under GDPR, state bodies can be fined up to €1 million for failure to meet their obligations, and multinationals can be fined up to €20 million, or four percent of their previous year’s turnover. 

Under the CCPA, businesses are also required to observe a number of privacy best practices, facilitate access requests, and more. Those found to be in breach of the CCPA can be fined per individual affected, per violation. The maximum fine can be as high as $7,500 of statutory damages per individual affected, per violation. In a class-action lawsuit, that adds up quick. 

Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD) follows suit with a fine of up to 2% of a private legal entity’s, group’s, or conglomerate’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million Brazilian reals.

How do you successfully maintain a constantly-growing inventory of the personal data your business possesses, when it’s spread across disparate systems in differing formats, and accessed by so many different people throughout your organization? 

Enter the data map. 

What Does a Data Map Do?

A data map (also known as a data flow map, personally identifiable information disclosure under CCPA or Article 30 inventory assessment under GDPR) is a clear representation of your company’s data infrastructure. It provides a record of all of the personally identifiable data points that your company processes and contains information on that data such as what type of data it is, why it is collected, and who has access to it. 

For some businesses, a simple Excel spreadsheet can suffice. Article 30 of GDPR articulates the legal requirement for a data map by stating that an organization “shall maintain a record of processing activities under its responsibility”. The ideal data map should, therefore, provide a clear, transparent, auditable account of the personally identifiable information that your company collects.

For most businesses, however, a simple Excel file will quickly become unwieldy and lose utility for representing the many complex flows and relationships that exist in their data ecosystems. At this point, it’s very useful to construct a data map like an actual map, with a visual representation of the data relationships that exist in the business.

When visualized, a data map most often contains nodes and links to show how different systems that contain any personally identifiable information link together in your organization. Below is an example of a data map compiled by Ethyca’s data mapping software.

What’s in a Data Map? 

A typical data map should, at the very least, contain the information in the table below in relation to the PII that your company processes. This isn’t an exhaustive list of the information you may be required to account for, as compliance law varies between regions. It is, however, a great starting point if you’re implementing a data map for the first time in order to comply with laws like the CCPA or GDPR, or if you’re carrying out a preliminary data flow audit. 

Name of business function processing the data	A reference to the team within your company that will be using the data e.g. marketing, sales, HR, engineering etc.
Purpose of processing	A justification for collecting the data in the first place, what is being done with the data or the legal basis for processing it.
Name and contact details of joint controller	If your company is deciding the purpose for the collection of personally identifiable information, you are classified by GDPR as the ‘controller’. If your company is processing data on behalf of another organization then you are classified as the ‘processor’. It is most likely that your company acts as both controller and processor, but you may use other third-party processors too. The best approach for the purposes of compliance is to record the contact details of your Data Protection Officer within your company. This person will be the go to point of contact for the data that is being recorded in your data map and there may be multiple or joint controllers across your organization who are responsible for different data categories.
Categories of personal data	The category that the data that you are collecting falls into e.g. personal identification data, location data, health data, financial data, etc.
Types of personal data	The exact type of data that is being processed. e.g. name, address, email, phone number, etc.
Categories of recipients	This is a reference to the person or organization that will be processing the personally identifiable information e.g. your company’s customer support team, marketing team, financial controller, third party SaaS provider, etc.
Link to contract with processor	If the processor is internal, this can be a link to your employee guidelines on the handling of personal identifiable information. If the processor is external, this should be a link to the agreed contract – known as the Data Processing Agreement (DPA) – with that third party. The DPA contains their obligations in regard to the protection of any personally identifiable information they are processing on your company’s behalf.
Data format	The format of the data stored by your company i.e. digital or hardcopy.
The source of the personally identifiable information	How and where you are collecting any personally identifiable information from e.g. website, social media, email, telephone, paper-based forms, in-store etc.
Method of data transfer	The places where that data are transferred to and from e.g. physical records in-store or in the office, email, internal documentation, internal software, instant messenger, third party software, third party communication, etc.
Location of personal data	The digital locations of data storage e.g. database, email, instant messenger, internal documentation, etc.
Retention schedule	The length of time a company stores personally identifiable information for before it is erased. Is your company storing personally identifiable information on a permanent or semi-permanent basis? Ideally, data should be kept for no longer than is necessary for the purposes for which it is being processed in line with GDPR’s recommendation on data minimization.
General description of technical and organizational security measures	A description of the measures in place that your company uses to protect PII from unauthorized access e.g. encrypted storage, access controls, password-protected, locked filing cabinets, clear desk policy, etc.

How to Implement a Data Map

Step 1 – Appoint & Consult With Your Data Protection Officer

Clarify the individual within your organization that will actively update and maintain your company’s data map to ensure compliance with data protection and privacy law, i.e. your company’s Data Protection Officer. 

Step 2 – The where and the what

1. Determine where the personally identifiable information currently resides. If any data are stored in hard copy, migrate it to a digital location. If all data are stored digitally, examine your primary customer database.
2. For the tech-savvy, analyze the database schema and determine the data types and data categories. You can then record them in your data map template.
3. If you are less technical, recruit someone from your company who is responsible for your primary database to help you identify data types, categories, recipients of that data and groups of individuals with whom that data are about, and record them in your data map template.

Step 3 – Creating the full picture

1. Create an exhaustive list of the places where personally identifiable information is referenced outside of your primary database e.g. internal documentation, email, instant messenger, physical documentation in the office, APIs, SaaS applications etc. 
2. Make a record in your data map of every team or third party that has access to any applications where personally identifiable information is referenced along with the purpose for them having access to each individual data type.
3. Assign an individual from each team as the point of contact who is accountable for updating the personally identifiable information that their team has access to in the data map.

Step 4 – Identifying the source

1. Identify where each type of personally identifiable information is created.
2. Assign an individual or team who is responsible for maintaining that source and updating the data map so long as there exists a purpose for collecting that data.

Step 5 – Defining purpose and retention schedule

1. Define a purpose for each type of personally identifiable information that your company processes.
2. Define a duration for which your company will process each data type before it is erased – see an example of a retention schedule below: 

Data Type	Reason for processing	Explicit permission to process	Team(s) with access privileges	Retention period	Reason for retention period
Prospective customer emails	To promote our services	Yes – requested annually	Sales, Marketing	12 months	To continue to promote company services unless customer opts out before retention period expires
Customer phone numbers	To provide customer support	Yes – requested annually	Customer Support	As long as the individual remains a customer or 6 months thereafter	To provide support to customer and to settle account if customer leaves
Employment contract data	Legal purposes	Yes – requested during onboarding	HR, Recruiting	5 years	Legal obligation
Unsuccessful candidate resumes	For assessing fit for open positions	Yes – requested during application	Recruiting	12 months	Likely to contact candidates for future positions
Employee salaries	Filing company tax returns; completing payroll	Yes – part of employment contract	HR, Finance	10 years	Legal obligation, Completing payroll

Step 6 – Keeping your company’s data secure

Finally, you should describe any technical and organizational security measures that your company has in place to protect any personally identifiable information that it processes. 

Conclusion: Maintaining Your Data Map

You should now have a much clearer picture of the personally identifiable information that your company processes in your data map template. This is a great achievement in itself, but it’s really just the starting point when it comes to data privacy compliance. 

The challenge now lies in the ongoing maintenance of your data map, ensuring that it stays up to date, and in compliance with any data protection or privacy regulations that may be applicable to your organization. 

It’s important to have a Data Protection Officer assigned to maintain your company’s data map going forward as well as owners of the types or categories of data that your company processes in order to ensure clear accountability and compliance. 

Hopefully, our data map template has been a valuable tool in getting you this far. If you’d like to take the protection and privacy of your company’s data to the next level, you can take a look at how Ethyca’s automated data mapping tools make quick – instant – work of the process described above.