Whether you’re a privacy pro or just getting started, a comprehensive data map is the key to complying with global privacy laws like the GDPR or the CCPA. Our step-by-step guide can help you and your team build your organization’s own data map from start to finish.
At its highest level, a data map is a representation of your company’s data infrastructure. It helps businesses answer three crucial questions at a glance:
Companies face mounting pressure to make effective use of their data. They also face a new wave of external compliance pressure stemming from global data privacy laws like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). In each case, a data map is the key to unlocking compliance.
Under GDPR, companies can be fined up to €20 million, or four percent of their previous year’s turnover. Under CCPA, businesses are required to observe a number of privacy best practices, facilitate access requests, and more. Companies that violate the CCPA can be fined up to $7,500 per individual affected, per violation.
Unfortunately, building a data map is often painstaking; How can you successfully maintain a growing inventory of the personal data your business possesses when it’s spread across different systems in different formats and accessed by so many different people?
However, with so many opportunities to incur fines, it’s important for companies to build a data map and see what consumer data is being collected, how it’s being processed, and exert granular control over it.
Let’s dive deeper into how a data map can serve your business.
A data map is a clear representation of your company’s data infrastructure.
Also known as “data flow maps” or “inventory assessments,” data maps provide a record of all of the personally identifiable data points that your company processes, and contain information such as the types of data it is, why it’s collected, and who has access to it.
Article 30 of GDPR stipulates the legal requirement for a data map, stating that an organization “shall maintain a record of processing activities under its responsibility.” The ideal data map should, therefore, provide a clear, transparent, auditable account of the PII that your company collects.
For some businesses, a simple Excel spreadsheet can suffice. However, using an Excel sheet to keep track of consumer data can quickly become unwieldy and can lose its utility for representing the complex flows and relationships that exist in data ecosystems.
Once a company has grown past the point of using an Excel sheet, it’s necessary to construct a visual data map that represents and shows the data relationships that exist in the business.
A typical data map should, at the very least, contain the information in the table below in relation to the PII that your company processes.
This isn’t an exhaustive list of the information you may be required to account for as privacy laws vary between regions. However, it’s a great starting point if you’re creating a data map template for CCPA or GDPR, or if you’re conducting a data flow audit.
Name of business function processing the data | A reference to the team within your company that will be using the data, i.e. marketing, sales, HR, engineering, etc. |
Purpose of processing | Why your business is collecting the data in the first place, what is being done with the data, and the legal basis for processing it. |
Name and contact details of joint controller | If your company is collecting PII, GDPR classifies you as a “controller.” If your company is processing data on behalf of another organization, then you are classified as the “processor.” Your company likely acts as both controller and processor, but you may be using other third-party processors, too. The best approach is to record the contact details of the Data Protection Officer (DPO) within your company. This person will be the point of contact for all of the data that is recorded in your data map. You may also need account for multiple or joint controllers across your organization who are also responsible for different data categories. |
Categories of personal data | The category of data that you are collecting, i.e. location data, health data, financial data, etc. |
Types of personal data | The exact type of data that is being processed. i.e. name, address, email, phone number, etc. |
Categories of recipients | The person or organization that will be processing the PII, i.e. your company’s customer support team, marketing team, financial controller, third-party SaaS provider, etc. |
Link to data processing agreement/contract | If the processor is internal, this can be a link to your employee guidelines on the handling of personally identifiable information. If the processor is external, this should be a link to the agreed contract – known as a Data Processing Agreement (DPA) – with that third-party. The DPA contains the processor’s obligations regarding the protection of any PII they process on your company’s behalf. |
Data format | The format of the data stored by your company i.e. digital or hard copy. |
The source of the personally identifiable information (PII) | How and where you are collecting any PII, i.e. website, social media, email, telephone, paper-based forms, in-store, etc. |
Method of data transfer | The places where that data is transferred to and from, i.e. physical records in-store or in the office, email, internal documentation, internal software, instant messenger, third-party software, third-party communication, etc. |
Location of personal data | The digital locations of data storage, i.e. database, email, instant messenger, internal documentation, etc. |
Retention schedule | The length of time a company stores personally identifiable information before it is erased. Check to see if your company is storing PII on a permanent or semi-permanent basis. Ideally, data should be kept for no longer than is necessary for the purposes for which it is being processed in line with GDPR’s recommendation on data minimization. |
General description of technical and organizational security measures | A description of the measures in place that your company uses to protect PII from unauthorized access, i.e. encrypted storage, access controls, password protection, locked filing cabinets, clear desk policy, etc. |
Now that you know what types of data you should include in your data map, how exactly should you format it? If you’re unsure about organizing your data map, you can follow this simple template to illustrate the relationship between the data in different systems, databases, or applications.
There are multiple self-assessment tools you can use to start organizing your data map. Generally, though, each template should contain the following categories:
Although data mapping requirements may vary with each privacy regulation, including all of the information in your data map will give you a solid foundation building compliance reports for regulators.
Designate the individual within your organization who will actively update and maintain your company’s data map to ensure compliance with data protection and privacy law, i.e. your company’s Data Protection Officer (DPO).
Determine where the PII currently resides. If any data is stored in hard copy, transfer it to a digital location. If all data is stored digitally, examine your primary customer database.
For the tech-savvy, analyze the database schema and determine the data types and data categories. You can then record them in your data map template.
If you are less technical, recruit someone from your company who is responsible for your primary database to help identify data types, categories, recipients of that data, and groups of individuals with whom that data are about. Record them in your data map template.
Create an exhaustive list of all the places where PII is referenced outside of your primary database i.e. internal documentation, email, instant messenger, physical documentation in the office, APIs, SaaS applications etc.
Make a record in your data map of every team or third-party that has access to any applications where PII is referenced, along with the purpose for them having access to each individual data type.
Assign an individual from each team as the point of contact who is accountable for updating the PII that their team has access to in the data map.
Identify where each type of PII is created and assign an individual or team to be responsible for maintaining that source and updating the data map so long as there is a purpose for collecting that data.
Ensure your business is collecting PII based on a legitimate business purpose, as well as the legal basis for each type of data. Then, establish a data deletion timeline for when each data type should be erased.
Here’s an example of a data retention schedule:
Data type | Reason for processing | Explicit permission to process | Team(s) with access privileges | Retention period | Reason for retention period |
Prospective customer emails | To promote our services | Yes – requested annually | Sales and Marketing | 12 months | To continue promoting company services unless a customer opts out before the retention period expires. |
Customer phone numbers | To provide customer support | Yes – requested annually | Customer Support | As long as the customer remains, or 6 months thereafter | To provide support to the customer and settle the account if the customer leaves. |
Employment contract data | Legal purposes | Yes – requested during onboarding | HR and Recruiting | 5 years | Legal obligation. |
Unsuccessful candidate resumes | Assessing fit for open positions | Yes – requested during application | Recruiting | 12 months | Likely to contact candidates for future positions. |
Employee salaries | Filing company tax returns; completing payroll | Yes – part of employment contract | HR and Finance | 10 years | Legal obligation, Completing payroll. |
Finally, you should describe any technical and organizational security measures that your company has in place to protect any PII that it processes.
You should now have a much clearer picture of all the PII that your company processes in your data map template. This is a great achievement in itself, but it’s just the starting point when it comes to data privacy compliance.
The challenge now lies in the ongoing maintenance of your data map, ensuring that it stays up to date, and is in compliance with privacy regulations that apply to your organization.
It’s important to have a Data Protection Officer assigned to maintain your company’s data map going forward, as well as owners of the types or categories of data that your company processes in order to ensure clear accountability and compliance.
Hopefully, our data mapping template has been valuable. If you’d like to see how Ethyca can help your business create a real-time data map, check out our data mapping solutions, or schedule a free 15-minute call with one of our privacy deployment specialists today.
Ethyca announces fundraise, doubles annual revenue with new enterprise clients, and reveals new brand.
Today we’re announcing faster and more powerful Data Privacy and AI Governance support
See new feature releases enhancing user experience, adding new integrations and support for IAB GPP
Learn more about the privacy and data governance enhancements in Fides 2.27 here.
Read Ethyca’s CEO Cillian Kieran describe why and how an open data governance ontology enables companies to comply with data privacy regulations and frameworks.
Ethyca sponsored the Unpacking Privacy Engineering for Lawyers webinar for the Interactive Advertising Bureau (IAB) on December 14, 2023. Our CEO Cillian Kieran moderated the event and ran a practical discussion about how lawyers and engineers can work together to solve the technical challenges of privacy compliance. Read a summary of the webinar here.
Our team of data privacy devotees would love to show you how Ethyca helps engineers deploy CCPA, GDPR, and LGPD privacy compliance deep into business systems. Let’s chat!
Speak with UsStay informed with the latest in privacy compliance. Get expert insights, updates on evolving regulations, and tips on automating data protection with Ethyca’s trusted solutions.