A data map is a representation of your company’s data infrastructure, and one of the first steps for your company to become GDPR and CCPA compliant.
Companies face mounting pressure to make effective use of their data. They also face a new wave of external compliance pressure stemming from new data privacy laws like GDPR and CCPA. In each case, a data map is the key to unlock the best data practices.
At the very highest level, data maps let businesses see, at a glance, three crucial things:
Under GDPR, state bodies can be fined up to €1 million for failure to meet their obligations, and multinationals can be fined up to €20 million, or four percent of their previous year’s turnover.
Under the CCPA, businesses are also required to observe a number of privacy best practices, facilitate access requests, and more. Those found to be in breach of the CCPA can be fined per individual affected, per violation. The maximum fine can be as high as $7,500 of statutory damages per individual affected, per violation. In a class-action lawsuit, that adds up quick.
Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD) follows suit with a fine of up to 2% of a private legal entity’s, group’s, or conglomerate’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million Brazillian reals.
How do you successfully maintain a constantly-growing inventory of the personal data your business possesses, when it’s spread across disparate systems in differing formats, and accessed by so many different people throughout your organization?
Enter the data map.
A data map (also known as a data flow map, personally identifiable information disclosure under CCPA or Article 30 inventory assessment under GDPR) is a clear representation of your company’s data infrastructure. It provides a record of all of the personally identifiable data points that your company processes and contains information on that data such as what type of data it is, why it is collected, and who has access to it.
For some businesses, a simple Excel spreadsheet can suffice. Article 30 of GDPR articulates the legal requirement for a data map by stating that an organization “shall maintain a record of processing activities under its responsibility”. The ideal data map should, therefore, provide a clear, transparent, auditable account of the personally identifiable information that your company collects.
For most businesses, however, a simple Excel file will quickly become unwieldy and lose utility for representing the many complex flows and relationships that exist in their data ecosystems. At this point, it’s very useful to construct a data map like an actual map, with a visual representation of the data relationships that exist in the business.
A typical data map should, at the very least, contain the information in the table below in relation to the PII that your company processes. This isn’t an exhaustive list of the information you may be required to account for, as compliance law varies between regions. It is, however, a great starting point if you’re implementing a data map for the first time in order to comply with laws like the CCPA or GDPR, or if you’re carrying out a preliminary data flow audit.
|Name of business function processing the data||A reference to the team within your company that will be using the data e.g. marketing, sales, HR, engineering etc.|
|Purpose of processing||A justification for collecting the data in the first place, what is being done with the data or the legal basis for processing it.|
|Name and contact details of joint controller||If your company is deciding the purpose for the collection of personally identifiable information, you are classified by GDPR as the ‘controller’.
If your company is processing data on behalf of another organization then you are classified as the ‘processor’.
It is most likely that your company acts as both controller and processor, but you may use other third-party processors too.
The best approach for the purposes of compliance is to record the contact details of your Data Protection Officer within your company. This person will be the go to point of contact for the data that is being recorded in your data map and there may be multiple or joint controllers across your organization who are responsible for different data categories.
|Categories of personal data||The category that the data that you are collecting falls into e.g. personal identification data, location data, health data, financial data, etc.|
|Types of personal data||The exact type of data that is being processed. e.g. name, address, email, phone number, etc.|
|Categories of recipients||This is a reference to the person or organization that will be processing the personally identifiable information e.g. your company’s customer support team, marketing team, financial controller, third party SaaS provider, etc.|
|Link to contract with processor||If the processor is internal, this can be a link to your employee guidelines on the handling of personal identifiable information. If the processor is external, this should be a link to the agreed contract – known as the Data Processing Agreement (DPA) – with that third party. The DPA contains their obligations in regard to the protection of any personally identifiable information they are processing on your company’s behalf.|
|Data format||The format of the data stored by your company i.e. digital or hardcopy.|
|The source of the personally identifiable information||How and where you are collecting any personally identifiable information from e.g. website, social media, email, telephone, paper-based forms, in-store etc.|
|Method of data transfer||The places where that data are transferred to and from e.g. physical records in-store or in the office, email, internal documentation, internal software, instant messenger, third party software, third party communication, etc.|
|Location of personal data||The digital locations of data storage e.g. database, email, instant messenger, internal documentation, etc.|
|Retention schedule||The length of time a company stores personally identifiable information for before it is erased. Is your company storing personally identifiable information on a permanent or semi-permanent basis? Ideally, data should be kept for no longer than is necessary for the purposes for which it is being processed in line with GDPR’s recommendation on data minimization.|
|General description of technical and organizational security measures||A description of the measures in place that your company uses to protect PII from unauthorized access e.g. encrypted storage, access controls, password-protected, locked filing cabinets, clear desk policy, etc.|
Step 1 – Appoint & Consult With Your Data Protection Officer
Clarify the individual within your organization that will actively update and maintain your company’s data map to ensure compliance with data protection and privacy law, i.e. your company’s Data Protection Officer.
Step 2 – The where and the what
Step 3 – Creating the full picture
Step 4 – Identifying the source
Step 5 – Defining purpose and retention schedule
|Data Type||Reason for processing||Explicit permission to process||Team(s) with access privileges||Retention period||Reason for retention period|
|Prospective customer emails||To promote our services||Yes – requested annually||Sales, Marketing||12 months||To continue to promote company services unless customer opts out before retention period expires|
|Customer phone numbers||To provide customer support||Yes – requested annually||Customer Support||As long as the individual remains a customer or 6 months thereafter||To provide support to customer and to settle account if customer leaves|
|Employment contract data||Legal purposes||Yes – requested during onboarding||HR, Recruiting||5 years||Legal obligation|
|Unsuccessful candidate resumes||For assessing fit for open positions||Yes – requested during application||Recruiting||12 months||Likely to contact candidates for future positions|
|Employee salaries||Filing company tax returns; completing payroll||Yes – part of employment contract||HR, Finance||10 years||Legal obligation, Completing payroll|
Step 6 – Keeping your company’s data secure
Finally, you should describe any technical and organizational security measures that your company has in place to protect any personally identifiable information that it processes.
You should now have a much clearer picture of the personally identifiable information that your company processes in your data map template. This is a great achievement in itself, but it’s really just the starting point when it comes to data privacy compliance.
The challenge now lies in the ongoing maintenance of your data map, ensuring that it stays up to date, and in compliance with any data protection or privacy regulations that may be applicable to your organization.
It’s important to have a Data Protection Officer assigned to maintain your company’s data map going forward as well as owners of the types or categories of data that your company processes in order to ensure clear accountability and compliance.
Hopefully, our data map template has been a valuable tool in getting you this far. If you’d like to take the protection and privacy of your company’s data to the next level, you can take a look at how Ethyca’s automated data mapping tools make quick – instant – work of the process described above.
Ethyca launched its privacy engineering meetup, P.x, where Fides Slack Community members met and interacted with the Fides developer team. Two of our Senior Software Engineers, Dawn and Steve, gave presentations and demos on the importance of data minimization, and how Fides can make data minimization easier for teams. Here, we’ll recap the three main points of discussion.
We enjoyed two great days of security and privacy talks at this year’s Symposium on Usable Privacy and Security, aka SOUPS Conference! Presenters from all over the world spoke both in-person and virtually on the latest findings in privacy and security research.
At Ethyca, we believe that software engineers are becoming major privacy stakeholders, but do they feel the same way? To answer this question, we went out and asked 337 software engineers what they think about the state of contemporary privacy… and how they would improve it.
The UK’s new Data Reform Bill is set to ease data privacy compliance burdens on businesses to enable convenience and spark innovation in the country. We explain why convenience should not be the end result of a country’s privacy legislation.
Our team at Ethyca attended the PEPR 2022 Conference in Santa Monica live and virtually between June 23rd and 24th. We compiled three main takeaways after listening to so many great presentations about the current state of privacy engineering, and how the field will change in the future.
For privacy engineers to build privacy directly into the codebase, they need agreed-upon definitions for translating policy into code. Ethyca CEO Cillian unveils an open source system to standardize definitions for personal data living in the tech stack.
Our team of data privacy devotees would love to show you how Ethyca helps engineers deploy CCPA, GDPR, and LGPD privacy compliance deep into business systems. Let’s chat!Book a Demo