The Basics of Data Privacy
Whether you're just getting started or are an experienced professional, this guide provides an easy-to-understand overview of the fundamentals of data privacy regulation and compliance.
What is a Data Map or Data Inventory?
A data inventory (sometimes referred to as a data map or data mapping) is a comprehensive catalog of data assets held by an organization. A well-maintained data inventory includes up-to-date and detailed information regarding the data, as well as the source of the data within the organization. A data inventory must not only contain the details of the data, but also explain its use in conjunction with other data. Other elements of a data inventory could include:
- Information about data types (such as personally identifying information, health data, financial data, or other types of sensitive data)
- How the data was obtained (from a transaction, consumer opt-in, partner or vendor data, etc.)
- How the data is used, meaning its purpose to the business
- Who has access to the data
- Data retention or disposition requirements (although these are often part of data retention policies and procedures)
How Are Data Inventories Used?
An up-to-date data inventory allows organizations to operate more efficiently, improve the accuracy of their reporting, mitigate risk, and meet privacy and compliance obligations by identifying where data lives in the organization. Privacy regulations such as the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the EU’s General Data Protection Regulation (GDPR) provide additional rights to consumers over the collection, sharing and usage of their personal data, as do more recently passed laws like those in Virginia, Colorado, Utah, and other states.
To comply with these regulations, organizations must be able to identify individuals’ data, provide, remediate, or delete it on demand, and vouch for third-party vendors’ ability to do the same. A data inventory (or map) is critical to accomplishing that. A data inventory is, in practical terms, the foundation upon which all of an organization's privacy compliance program rests.
Why Is It Important to Have a Data Inventory?
Data lives across all areas of all different departments: legal, IT, marketing, services, sales, and human resources, just to name a few. And of course data is stored in an equally wide range of formats: in emails, Word documents, spreadsheets, and databases, and even in the cloud. Often, that data is dark or rogue data that isn’t easy to find or categorize, or that individuals may not even know exists. In cases like those, organizations may have to undertake a much more technology-focused data discovery process to uncover all the data they need to be aware of across the entire organization.
One of the most important reasons to have an accurate data inventory is that it’s nearly impossible for an organization to be sure they’re complying with any law or regulation regarding their data if they don’t have an up-to-date and well-maintained data inventory. With potential non-compliance penalties of up to 2% of global revenue under GDPR, the failure to create and maintain a data inventory can be far more costly than the expense of investing in completing one. Completing a data inventory can help reveal how risky an organization’s storage practices are, and potentially unveil new risks as well.
A data inventory provides an excellent return on investment by giving organizations several abilities they might not otherwise have.
- It shows organizations what data they have, including dark data that may not have been widely known to exist.
- It allows organizations to identify which sources of data are trustworthy.
- It allows organizations to see where they have data that is sensitive or subject to regulatory or policy controls.
- It allows organizations to identify data that has value but is not being used or monetized effectively.
- It allows organizations to identify data that poses risks that are not commensurate with its business value.
- It allows organizations to see data that is subject to other controls such as a legal hold or investigations.
- It helps inform roles and responsibilities, so the organization can make intelligent business decisions about how to maximize the value of the data and minimize risks without interfering with investigations and legal processes or violating any regulations or policies.
Challenges of Creating and Maintaining Your Data Inventory
Since an accurate data inventory is the foundation of compliance with all data privacy regulations, it is imperative to build and maintain it the right way. Data mapping is complex and challenging, and there are pitfalls that organizations need to avoid. Data inventories demand significant time, energy, and financial investment, so managing data inventory projects and programs efficiently is essential. Below are four common challenges and shortcomings associated with data mapping and how they can be mitigated.
Too Time Consuming
Many organizations that begin developing a data inventory see the project fail because of the extreme amount of time it takes to finish. But that doesn’t have to be the case; there are ways to significantly ease the data mapping burden. It starts by defining a process for gathering information. In most cases, systematic interviews with data stewards are the most efficient way to collect information for a data map. Simple, template-based questionnaires, or systems that automate the interviews so that follow-ups, reminders, and update questionnaires can be pre-scheduled and responses automatically logged, are effective ways to gather this type of information.
An Incomplete Data Inventory
Perhaps the most common mistake organizations make with data maps is omitting important information, which renders the data map far less useful than it should be. Remember that the purpose of the data map is to be able to find data when requested, wherever it may be in the organization; with an incomplete data map, a request to find all data may not be fully fulfilled.
While surveying data owners is critical to success, it should not be the only way organizations gather information for their data inventory. Data sources may exist that no one in the organization knows about or remembers because their owners have left the organization or transferred into another position. Data discovery technology can help uncover personal data wherever it is held, whether in structured or unstructured, on-premises, cloud, or hybrid data sources.
Accounting for All Data Sources
For a data map to be effective, it has to be comprehensive. In today’s digital world, that means it must account for things like mobile devices and cloud-based applications, including social media, since data from these sources is increasingly being sought in litigation. It is critical to identify how and by whom these sources are used and any relevant data that may exist on them, including things like customer service records, marketing materials, personal or sensitive information, etc.
Updating the Data Inventory
Think of a data map as a product, not a project. Like a product, it should be constantly evaluated, updated and assessed for quality. Failing to take this approach usually results in a data map becoming outdated before it provides any real value to an organization. It’s also important to build the inventory in a way that is easily accessible and helpful to those who use it. Massive spreadsheets or diagrams that don’t integrate with all data sources make it difficult to effectively respond to requests for data, and difficult to identify when a new data source has been created.
The Case for a Comprehensive Data Mapping Strategy Led by Legal
The 2023 ACC Chief Legal Officer Survey found that data privacy, regulatory compliance, and cybersecurity are the top issues facing businesses today. Increasingly, CLOs and their legal departments are tasked with ensuring that data is managed to comply with legal requirements surrounding retention, litigation, and cybersecurity. However, in many cases, this task still falls to IT departments. This is not ideal, because IT may not be well-versed in the rules and requirements surrounding the management of certain types of data.
Since regulatory compliance fulfillment is not led by IT, unless there’s a dedicated IT professional who understands these requirements and works with Legal, the back-and-forth needed to educate both teams on the regulatory and technical components of compliance can become a time-consuming endeavor.
Brett Tarr, a Senior Manager for law firm Ernst & Young, says that it’s imperative for Legal to quarterback an organization’s data management strategy.
If Legal helps guide direct conversations, measure risks, and ensure that data is tracked in an up-to-date, accurate data inventory to support the preservation, collection, production, and other requirements, the entire enterprise should benefit.
Getting Started on a Data Inventory
Understanding how different business units plan to interact with and use the data inventory will help guide the information gathering process and make building the map far more efficient. Your data inventory isn't just an archive; it should allow you to answer specific questions about the data your organization holds. Take a moment to consider each of these questions. These are “must know” elements of an effective data inventory. Your organization’s data privacy officers should be able to answer each of these questions with a “yes.”
Common Questions
- Is it easy to filter and identify the inventory contents based on any parameter, including regulatory statutes?
- Is it easy to update, maintain, and ensure that the inventory contents are accurate?
- Is the data able to be identified by record type, regulatory standard, and other variables?
- Can you easily understand the context in which the data is collected and/or used?
- Does it document all your organization’s data?
- Does it include information held by third parties that collect, store and use data on your behalf?
- Can you identify classes of data subjects by how they interact with your business?
- Can you identify where data related to various business processes is stored?
- Can you identify the relationships between business processes and the data they use or produce?
- Can you identify the collection methods of that personal information?
- Can you provide documented, specific proof of consent for data that is collected from consumers?
Automating Your Data Inventory/Map with Technology
A modern, enterprise-class data inventory is a resource that identifies all of your organization’s data and organizes it in a single platform. But deriving the most benefit from that inventory requires organizations to be able to act on that data effectively. The inventory must include or connect to a library of regulatory laws regarding retention, and guidelines for making informed decisions when choosing to remediate or take other action on your data. With a data inventory built in this way, data stewards are able to visualize all relevant data in one location, rather than having to seek out and hunt down disparate pieces of information from what could be hundreds of thousands of different shared drives, hard drives, or file cabinets across an organization.
Choosing the right partner to help you build this inventory is critical. It is often the difference between projects lasting one month and ones that last six months to a year or more. The right partner will help your company properly scope the project to ensure that organizational expectations for your data inventory are met. This usually includes access to customizable process templates, so you can leverage their expertise in the market, guidance on how to account for regulatory and corporate retention policies, and in-depth assistance to ensure the timely completion of the project. An accurate, up-to-date data inventory can streamline business processes, mitigate potential privacy regulatory risks, and inform sound, defensible data retention policies and procedures, so that all stakeholders are happy with the result.