
How to build a data map for your organization

Whether you’re a privacy pro or just getting started, a comprehensive data map is the key to complying with global privacy laws like the GDPR or the CCPA. Our step-by-step guide can help you and your team build your organization’s own data map from start to finish.


What is a data map?

At its highest level, a data map is a representation of your company’s data infrastructure. It helps businesses answer three crucial questions at a glance:

  1. What personally identifiable information (PII) they possess.
  2. Why they possess PII.
  3. How PII is being processed.

Companies face mounting pressure to make effective use of their data. They also face a new wave of external compliance pressure stemming from global data privacy laws like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). In each case, a data map is the key to unlocking compliance. 

Under GDPR, companies can be fined up to €20 million, or four percent of their previous year’s turnover. Under CCPA, businesses are required to observe a number of privacy best practices, facilitate access requests, and more. Companies that violate the CCPA can be fined up to $7,500 per individual affected, per violation.

Unfortunately, building a data map is often painstaking. How can you successfully maintain a growing inventory of the personal data your business possesses when it’s spread across different systems in different formats and accessed by so many different people?

However, with so many opportunities to incur fines, it’s important for companies to build a data map so they can see what consumer data is being collected and how it’s being processed, and exert granular control over it.

Let’s dive deeper into how a data map can serve your business.

Why your business needs a data map

A data map is a clear representation of your company’s data infrastructure. 

Also known as “data flow maps” or “inventory assessments,” data maps provide a record of all of the personally identifiable data points that your company processes, and contain information such as the type of each data point, why it’s collected, and who has access to it.

Article 30 of GDPR stipulates the legal requirement for a data map, stating that an organization “shall maintain a record of processing activities under its responsibility.” The ideal data map should, therefore, provide a clear, transparent, auditable account of the PII that your company collects.

For some businesses, a simple Excel spreadsheet can suffice. However, using an Excel sheet to keep track of consumer data can quickly become unwieldy and can lose its utility for representing the complex flows and relationships that exist in data ecosystems. 

Once a company has grown past the point of using an Excel sheet, it’s necessary to construct a visual data map that represents and shows the data relationships that exist in the business.

What information should go into a data map?

A typical data map should, at the very least, contain the information in the table below in relation to the PII that your company processes. 

This isn’t an exhaustive list of the information you may be required to account for as privacy laws vary between regions. However, it’s a great starting point if you’re creating a data map template for CCPA or GDPR, or if you’re conducting a data flow audit.

| Field | Description |
| --- | --- |
| Name of business function processing the data | A reference to the team within your company that will be using the data, i.e. marketing, sales, HR, engineering, etc. |
| Purpose of processing | Why your business is collecting the data in the first place, what is being done with the data, and the legal basis for processing it. |
| Name and contact details of joint controller | If your company is collecting PII, GDPR classifies you as a “controller.” If your company is processing data on behalf of another organization, then you are classified as the “processor.” Your company likely acts as both controller and processor, but you may be using other third-party processors, too. The best approach is to record the contact details of the Data Protection Officer (DPO) within your company. This person will be the point of contact for all of the data that is recorded in your data map. You may also need to account for multiple or joint controllers across your organization who are also responsible for different data categories. |
| Categories of personal data | The category of data that you are collecting, i.e. location data, health data, financial data, etc. |
| Types of personal data | The exact type of data that is being processed, i.e. name, address, email, phone number, etc. |
| Categories of recipients | The person or organization that will be processing the PII, i.e. your company’s customer support team, marketing team, financial controller, third-party SaaS provider, etc. |
| Link to data processing agreement/contract | If the processor is internal, this can be a link to your employee guidelines on the handling of personally identifiable information. If the processor is external, this should be a link to the agreed contract – known as a Data Processing Agreement (DPA) – with that third party. The DPA contains the processor’s obligations regarding the protection of any PII they process on your company’s behalf. |
| Data format | The format of the data stored by your company, i.e. digital or hard copy. |
| The source of the personally identifiable information (PII) | How and where you are collecting any PII, i.e. website, social media, email, telephone, paper-based forms, in-store, etc. |
| Method of data transfer | The places where that data is transferred to and from, i.e. physical records in-store or in the office, email, internal documentation, internal software, instant messenger, third-party software, third-party communication, etc. |
| Location of personal data | The digital locations of data storage, i.e. database, email, instant messenger, internal documentation, etc. |
| Retention schedule | The length of time a company stores personally identifiable information before it is erased. Check to see if your company is storing PII on a permanent or semi-permanent basis. Ideally, data should be kept for no longer than is necessary for the purposes for which it is being processed, in line with GDPR’s recommendation on data minimization. |
| General description of technical and organizational security measures | A description of the measures in place that your company uses to protect PII from unauthorized access, i.e. encrypted storage, access controls, password protection, locked filing cabinets, clear desk policy, etc. |

Data mapping template

Now that you know what types of data you should include in your data map, how exactly should you format it? If you’re unsure about organizing your data map, you can follow this simple template to illustrate the relationship between the data in different systems, databases, or applications. 

There are multiple self-assessment tools you can use to start organizing your data map. Generally, though, each template should contain the following categories: 

  • Source: where the data originated from, i.e. a first-party contact form or a third-party list;
  • Destination: which internal system, third-party database, or application the data is sent to and resides in;
  • Personal Data: the types of personal data that are collected, i.e. name, address, phone number, email, etc.;
  • Legal Basis: under which legal basis you’re processing the personal data. For example, under GDPR: consent, legal obligation, legitimate interest, etc.;
  • Legitimate business purpose: for what business purpose are you processing the data? For example, auditing, detecting security incidents, performing services, etc.;
  • Retention policy: how long your business is keeping and storing the data;
  • Personal data of a child: children’s personal data is subject to stricter protections. For example, in most U.S. state privacy laws, businesses are not allowed to collect the personal data of a known child under 13 years old without parental consent;
  • Consent preferences: what consent preferences a user has opted in or out of;
  • Sensitive personal information: whether or not the personal data being collected is legally considered sensitive personal information (SPI), and thus subject to stricter regulation. Different types of personal data are considered “sensitive” depending on the privacy law.

Although data mapping requirements may vary with each privacy regulation, including all of this information in your data map will give you a solid foundation for building compliance reports for regulators.

How to build a data map

Step 1 – Appoint and consult your Data Protection Officer (DPO)

Designate the individual within your organization who will actively update and maintain your company’s data map to ensure compliance with data protection and privacy law, i.e. your company’s Data Protection Officer (DPO).

Step 2 – Figure out what data already exists and where internally

Determine where the PII currently resides. If any data is stored in hard copy, transfer it to a digital location. If all data is stored digitally, examine your primary customer database.

For the tech-savvy, analyze the database schema and determine the data types and data categories. You can then record them in your data map template.

If you are less technical, recruit someone from your company who is responsible for your primary database to help identify data types, categories, recipients of that data, and the groups of individuals that the data is about. Record them in your data map template.
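As an added example (not part of the original guide or of any Ethyca tooling), the schema analysis in Step 2 can be bootstrapped by scanning column names for likely PII and emitting candidate data-map rows for a person to review. The keyword rules, the category labels, and the SQLite sample schema are assumptions made for illustration.

```python
import re
import sqlite3

# Assumed starter rules: column-name pattern -> (type, category of personal data).
# First match wins, so "email_address" is recorded as an email, not an address.
PII_RULES = [
    (re.compile(r"(first|last|full)_?name|^name$"), "name", "identity data"),
    (re.compile(r"e_?mail"), "email", "contact data"),
    (re.compile(r"phone|mobile"), "phone number", "contact data"),
    (re.compile(r"address|postcode"), "address", "location data"),
    (re.compile(r"salary|iban|card_?number"), "payment or pay details", "financial data"),
    (re.compile(r"diagnos|blood_?type"), "medical details", "health data"),
]

# Constructed sample schema standing in for a primary customer database.
SAMPLE_SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, full_name TEXT, email TEXT,
                        phone_number TEXT, billing_address TEXT, created_at TEXT);
CREATE TABLE employees (id INTEGER PRIMARY KEY, full_name TEXT, salary REAL, iban TEXT);
CREATE TABLE products  (id INTEGER PRIMARY KEY, title TEXT, price REAL);
"""

def classify(column):
    """Return (type, category) for a column name, or None if no rule matches."""
    for pattern, data_type, category in PII_RULES:
        if pattern.search(column.lower()):
            return data_type, category
    return None

def scan_schema(conn):
    """List candidate PII columns as data-map rows: location, type, category."""
    rows = []
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name").fetchall()
    for (table,) in tables:
        cols = conn.execute(
            "SELECT name FROM pragma_table_info(?) ORDER BY cid", (table,))
        for (column,) in cols:
            match = classify(column)
            if match:
                rows.append({"location": f"{table}.{column}",
                             "type": match[0], "category": match[1]})
    return rows

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return scan_schema(conn)

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Name matching only produces candidates: free-text and generically named columns can still hold PII, so columns the scan skips need the same human review.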

Step 3 – Review third-party SaaS applications

Create an exhaustive list of all the places where PII is referenced outside of your primary database i.e. internal documentation, email, instant messenger, physical documentation in the office, APIs, SaaS applications etc. 

Make a record in your data map of every team or third-party that has access to any applications where PII is referenced, along with the purpose for them having access to each individual data type.

Assign an individual from each team as the point of contact who is accountable for updating the PII that their team has access to in the data map.

Step 4 – Identify the source

Identify where each type of PII is created and assign an individual or team to be responsible for maintaining that source and updating the data map so long as there is a purpose for collecting that data.

Step 5 – Define your purposes and retention schedule

Ensure your business has a legitimate business purpose, as well as a legal basis, for each type of PII it collects. Then, establish a data deletion timeline for when each data type should be erased.

Here’s an example of a data retention schedule:

| Data type | Reason for processing | Explicit permission to process | Team(s) with access privileges | Retention period | Reason for retention period |
| --- | --- | --- | --- | --- | --- |
| Prospective customer emails | To promote our services | Yes – requested annually | Sales and Marketing | 12 months | To continue promoting company services unless a customer opts out before the retention period expires. |
| Customer phone numbers | To provide customer support | Yes – requested annually | Customer Support | As long as the customer remains, or 6 months thereafter | To provide support to the customer and settle the account if the customer leaves. |
| Employment contract data | Legal purposes | Yes – requested during onboarding | HR and Recruiting | 5 years | Legal obligation. |
| Unsuccessful candidate resumes | Assessing fit for open positions | Yes – requested during application | Recruiting | 12 months | Likely to contact candidates for future positions. |
| Employee salaries | Filing company tax returns; completing payroll | Yes – part of employment contract | HR and Finance | 10 years | Legal obligation; completing payroll. |
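A retention schedule only reduces exposure if something checks records against it. The following added example (not from the original guide) encodes the schedule above and reports which records are due for erasure, including the open-ended "as long as the customer remains" case. The dictionary keys, the record fields `collected` and `relationship_end`, and the choice to count fixed periods from the collection date are assumptions.

```python
import calendar
from datetime import date

# Assumed encoding of the schedule above: data type -> (months, anchor field).
# Keys, field names and the "collected" anchor are this example's assumptions.
SCHEDULE = {
    "prospective_customer_email": (12, "collected"),
    "customer_phone_number": (6, "relationship_end"),   # 6 months after leaving
    "employment_contract_data": (60, "collected"),
    "unsuccessful_candidate_resume": (12, "collected"),
    "employee_salary": (120, "collected"),
}

def add_months(d, months):
    """Add calendar months, clamping to month end (31 Aug + 6 -> 28/29 Feb)."""
    year, month0 = divmod(d.year * 12 + d.month - 1 + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))

def erase_on(record):
    """Date the record falls due, or None while its anchor date is unset."""
    months, anchor = SCHEDULE[record["data_type"]]
    start = record.get(anchor)
    return add_months(start, months) if start else None

def due_for_erasure(records, today):
    """Return (ids past retention, ids whose data type is not in the schedule)."""
    due, unmapped = [], []
    for rec in records:
        if rec["data_type"] not in SCHEDULE:
            unmapped.append(rec["id"])
        elif (deadline := erase_on(rec)) and today >= deadline:
            due.append(rec["id"])
    return due, unmapped

# Constructed sample records.
RECORDS = [
    {"id": 1, "data_type": "prospective_customer_email", "collected": date(2023, 1, 31)},
    {"id": 2, "data_type": "prospective_customer_email", "collected": date(2023, 6, 15)},
    {"id": 3, "data_type": "customer_phone_number", "relationship_end": None},
    {"id": 4, "data_type": "customer_phone_number", "relationship_end": date(2023, 8, 31)},
    {"id": 5, "data_type": "unsuccessful_candidate_resume", "collected": date(2023, 3, 1)},
    {"id": 6, "data_type": "support_chat_transcript", "collected": date(2022, 1, 1)},
]

if __name__ == "__main__":
    print(due_for_erasure(RECORDS, date(2024, 3, 1)))
```

Records whose data type is missing from the schedule are returned separately rather than ignored, since data with no retention rule is a gap in the data map itself.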

Step 6 – Keep your company’s data secure

Finally, you should describe any technical and organizational security measures that your company has in place to protect any PII that it processes.

How to maintain your data map

You should now have a much clearer picture of all the PII that your company processes in your data map template. This is a great achievement in itself, but it’s just the starting point when it comes to data privacy compliance. 

The challenge now lies in the ongoing maintenance of your data map, ensuring that it stays up to date, and is in compliance with privacy regulations that apply to your organization. 

It’s important to have a Data Protection Officer assigned to maintain your company’s data map going forward, as well as owners of the types or categories of data that your company processes in order to ensure clear accountability and compliance.

Start data mapping with Fides

Hopefully, our data mapping template has been valuable. If you’d like to see how Ethyca can help your business create a real-time data map, check out our data mapping solutions, or schedule a free 15-minute call with one of our privacy deployment specialists today.
