VCPDA Step 01
While creating a data map is not a strict requirement of VCDPA, a data map is the foundation for compliance with any privacy law. Your business must have full context of all the data you are processing to exert proper control over your organization’s data.
To accomplish this, you’ll want to create an inventory, or “map” of:
|Title||In simple terms...||Description|
|Data Categories||What||The types of personal data you are processing. Common categories of personal data include: names, email, address, location, etc. These are personal information belonging to an identified or identifiable user.|
|Categories of Processing||Why||The reason or purpose for which you are processing the data. To identify the correct purpose, consider how that information is being used. An example would be a statement such as "We use email and names for personalized marketing.." In this case, the category of processing would be "personalized marketing."|
|Systems||Where||The systems in which the data is being processed. Think of this as your internal technology systems or third-party vendors. Taking the personalized marketing example from above, the system might be your CRM like HubSpot or Salesforce.|
|Location||Where||A slightly more precise version of where, this is about knowing where the data geographically resides. For example, perhaps you use AWS to cloud host your databases. The AWS region might be the U.S., Europe, or elsewhere. That location should be documented.|
|Data Retention Policy||How long you keep data||Privacy best practices dictate that you should keep data for as little time as possible. That is to say, only store and process data for as long as it's truly necessary. For this reason, you should have a record of when and how you delete each category of data that you process.|
|Data Processing Agreement||Legal Policies||If users' personal data is processed by a third party on your behalf, e.g. a SaaS company or an external business, you should establish a contractual agreement on how they comply with privacy regulations and manage data on your behalf. This is often called a Data Processing Contract or Data Processing Agreement.|
|Security Controls||Security Policies||For each of your systems, you should have a record of the security controls and policies enforced on that systems. That way, you can ensure that you are adequately protecting your users' data.|
In preparing for the VCDPA, consider that manual data mapping is a labor-intensive process that will involve multiple members of your business. An accurate manually generated system and data inventory can take several months to create.
If you'd like to accelerate your data mapping and are unsure where to start, ask a question on the Fides Slack Community (opens in a new tab).
If want lightning-fast, automated data mapping with Privacy Engineering Intelligence from Ethyca (opens in a new tab), get in touch now.