What is a Data Map or Data Inventory?
A data inventory (sometimes referred to as a data map or data mapping) is a comprehensive catalog of data assets held by an organization. A well-maintained data inventory includes up-to-date and detailed information regarding the data, as well as the source of the data within the organization. Built correctly, a data map can provide important insights into the types of data an organization collects, where it is, who has access to it, and how that data is being used.
A data inventory must contain not only the details regarding data but also its use in conjunction with other data. For example, it should explain what type of data it is, who uses it, and how it’s used throughout the organization.
How is Data Mapping Used?
Data mapping allows organizations to operate more efficiently, increase reporting, mitigate risk, and meet privacy and compliance obligations by identifying where data lives in the organization. Privacy regulations such as the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the EU’s General Data Protection Regulation (GDPR) provide additional rights to consumers over the collection, sharing and usage of their personal data. To comply with these regulations, organizations must be able to identify individuals’ data, provide, remediate, or delete it on demand, and vouch for third-party vendors’ ability to do the same. A data map is critical to accomplishing that.
Why is it Important to Have a Data Inventory?
Data lives in every area of every department: legal, IT, marketing, services, sales, everywhere. Often, that data is dark or rogue data that isn’t easy to find or categorize. But it’s nearly impossible for an organization to be sure it is complying with any law or regulation regarding its data if it doesn’t have an up-to-date and well-maintained data map. Prioritizing the data map can help reveal how risky an organization’s storage practices are, and potentially unveil new risks as well.
A data inventory is valuable in a number of ways, and should be a helpful tool in compliance.
- It shows us what data we have, including dark data that may not have been widely known to exist.
- It allows us to identify which sources of data are trustworthy.
- It allows us to see where we have data that is sensitive or subject to regulatory or policy controls.
- It allows us to identify data that has value that is not being utilized/monetized.
- It allows us to identify data that is risky and whose value is not commensurate with that risk.
- It allows us to see data that is subject to other controls such as a legal hold or investigations.
- It helps inform roles and responsibilities so the organization can make intelligent business decisions about how to maximize the value of the data and minimize risks without interfering with investigations and legal processes or violating any regulations or policies.
I think organizations need to take an active approach to data management, and usually that includes a really robust data disposition plan and includes as much automation as possible.
The point of the data map is to really be able to quickly find and preserve responsive data, where your contracts are stored, where your emails are stored, where your accounting records are stored, etc.
This is an ever-growing problem...
With the large amount of data we’re easily storing in the cloud, or sending back and forth in different collaboration tools, the volumes are just growing and growing. And we still have all the other things, like Google Drive and Dropbox, that we were using before. Knowing where this data lives and how to access it for investigative and litigation purposes is imperative.
Challenges of Creating and Maintaining Your Data Inventory
Since all of the questions surrounding compliance with data privacy regulations start with the organization’s data map, it needs to be built the right way. Data mapping is complex and challenging, and there are pitfalls to avoid. It’s a big focus in terms of time and resources, so doing it efficiently is key. Below are four common challenges and shortcomings associated with data mapping and how they can be mitigated.
Too Time Consuming. Many organizations that begin the process of developing a data inventory experience a project failure due to the extreme amount of time it takes to finish the process. But that doesn’t have to be the case; there are ways to significantly ease the data mapping burden. It starts by defining a process for gathering information. In most cases, systematic interviews with data stewards are the most efficient way to collect info for a data map. Using simple and template-based questionnaires or leveraging systems that can automate the interviews so that follow-ups, reminders and update questionnaires can be pre-scheduled and responses automatically logged are effective ways to
An Incomplete Data Inventory. Perhaps the most common mistake organizations make with data maps is that they omit important information and therefore render the data map far less useful than it should be. Remember that the purpose of the data map is to be able to find data when requested wherever it may be in the organization, and that an incomplete data map means that it’s possible that a request to find all data is not able to be totally fulfilled.
Accounting for ALL Data Sources. For a data map to be effective, it has to be comprehensive. In today’s digital world, that means it must account for things like mobile devices and cloud-based applications, including social media, since data from these sources is increasingly being sought in litigation. It is critical to identify how and by whom these sources are used and any relevant data that may exist on them (customer service records, marketing materials, etc.).
Updating the Data Inventory. Think of a data map as a product, not a project. Like a product, it should be constantly evaluated, updated and assessed for quality. Failing to take this approach usually results in a data map becoming outdated before it provides any real value to an organization. It’s also important to build the inventory in a way that is easily accessible and helpful to those who use it; in other words, massive spreadsheets or diagrams that don’t integrate with all data sources make it difficult to effectively respond to requests for data, and difficult to identify when a new data source has been created.
The Case for a Comprehensive Data Mapping Strategy Led by Legal
Exterro’s 2020 In-House Legal Benchmarking Report found that a majority of organizations task IT (54%) with ensuring that data is managed to comply with legal requirements surrounding retention, litigation, and cybersecurity. Surprisingly, only 17% of Legal departments say this duty is in their hands; this is not ideal, because IT may not be well-versed in the rules and requirements surrounding the management of certain types of data. And since regulatory compliance fulfillment is not led by IT, unless there’s a dedicated IT professional that understands these requirements and works with Legal, the amount of time spent back and forth to educate both teams on every side of the puzzle becomes a time-consuming endeavor.
Brett Tarr, a Senior Manager for law firm Ernst & Young, says that it’s imperative for Legal to quarterback an organization’s data management strategy.
I think starting with Legal is probably pretty prudent because ultimately, the burden for managing violations in discovery, in privacy, and other regulatory compliance falls upon Legal.
Really, the buck stops there and Legal needs to be, if not the, then certainly one of the leading voices in understanding the risk and quantifying it for the organization. That leads to a process where you understand, organize, and manage enterprise data based on the requisite risk that each type of data creates.
Everything else that falls from there starts with making sure we can meet our legal obligations, and ensure we’re not creating additional risk for the organization. Logically, your next steps then come into the length of time that information is useful, and how to go about building in retention requirements, along with remediation and disposition.
If Legal is able to serve as guideposts to help direct conversations, measure risks, and ensure that data can be mapped to support the preservation and collection response requirements, the entire enterprise should benefit.
The Basic Steps to Develop a Data Inventory
Understanding how different business units plan to interact with and use the data map will help guide the information gathering and make the process of building the map far more efficient. Your data inventory should allow you to answer questions about your data. Consider each of the following questions a “must know” item to which your organization’s data privacy officers should be able to answer “yes”:
- Is it easy to filter and identify the inventory contents based on any parameter, including regulatory statutes?
- Is it easy to update, maintain, and ensure that the inventory contents are accurate?
- Is the data able to be identified by record type, regulatory standard, and other variables?
- Can you easily understand the context in which the data is collected and/or used?
- Does it document all your organization’s data?
- Can it include information held by third parties that collect, store and use data on your behalf?
- Can you identify classes of data subjects by how they interact with your business?
- Can you identify where in your business process related data is stored?
- Can you identify the relationships between business processes and data?
- Can you identify the collection methods of that personal information?
Automating Your Data Inventory/Map with Technology
A modern, enterprise-class data inventory, put simply, is a central location for identifying all of your organization’s data, neatly identified and organized in a single platform. It must include a library of regulatory laws regarding retention, and guidelines for making informed decisions when choosing to remediate or otherwise take action with your data. When the inventory is built this way, data stewards are able to visualize all relevant data in one location, rather than having to seek out and hunt down disparate pieces of information from what could be hundreds of thousands of different shared drives, hard drives, or file cabinets across an organization.
Choosing the right partner to help you build this inventory is critical: it is often the difference between projects lasting 30 days or six to 12 months or more. The right partner will help your company properly scope the project to ensure that organizational expectations for your data inventory are met. This usually includes access to customizable process templates that help leverage their expertise in the market, guidance on how to account for regulatory and corporate retention policies, and in-depth assistance to ensure a quick and timely completion of the project, so that all stakeholders are happy