By Tim Rollins
We've come a long way from the time when "data mapping" was a dirty word in e-discovery. But as data becomes more dispersed and voluminous across organizations, having a centralized resource for quickly identifying where certain electronically stored information (ESI) resides is extremely valuable. FOIA and public records requests can be fulfilled more efficiently if there are accurate, up-to-date data maps in place.
And with GDPR in effect and CCPA on tap, both subject access requests (SARs) and requests for erasure (or "to be forgotten") demand that organizations know where to find all data linked to an individual--and provide or remediate it--in short order. In an Exterro and Yerra Solutions webinar, GDPR Is Here. Now What?, experts Taylor Hoffman of Swiss Re and Will Wilkinson of Yerra solutions agreed, "Data mapping is the absolute fundamental response to so many of their requirements under the GDPR. You can't respond to a SAR without having done a data map and knowing where your data is."
Nonetheless, data mapping is complex and challenging. Many companies start data mapping projects only to abandon them before completion. So what makes data mapping so difficult? Here are four common challenges and shortcomings associated with data mapping and how they can be mitigated.
Too time consuming to build a data map
Any time a company seeks to map their entire data environment the work involved is going to be immense. However, there are ways to significantly ease the data mapping burden. It starts by defining a process for gathering information. In most cases, systematic interviews with data stewards are the most efficient way to collect info for a data map. These interviews should be simple and template based so that responses can be quickly interpreted and immediately incorporated into the overall plan. Leverage systems that can automate the interviews so that follow ups, reminders and update questionnaires can be pre-scheduled and responses automatically logged. It also helps to start with what you know and build out. IT teams are responsible for managing a company's data environment for operational purposes, so they will have a lot of useful information that can be used as a starting point.
Impossible to keep a data map up to date
Think of a data map as a product, not a project. Like a product, it should be constantly evaluated, updated and assessed for quality. Failing to take this approach usually results in a data map becoming outdated before it provides any real value to the company. As mentioned above, having a defined, automated process can keep information coming in on a more consistent basis so that it doesn't feel like every update has to be its own time-consuming project. Another way to ensure the data map stays updated is to make sure that it is fully integrated with the company's HR and asset management systems so that the map reflects current employee and systems information.
Incomplete information to build a data map
A common mistake organizations make with data maps is that they omit important information and therefore render the data map far less useful than it should be. Before any data mapping initiative gets off the ground, project organizers should assemble all the key stakeholders and gather feedback on what information needs to be included. For example, a company's general counsel will want to make sure the data map includes retention schedules, litigation risk profile and accessibility constraints of particular data sources. Meanwhile, a chief privacy officer will likely want to know which data sources contain sensitive customer information that must be carefully protected. Understanding how different business units plan to interact and use the data map will help guide the information gathering and make the process of building the map far more efficient.
Not possible to build a comprehensive data map
For a data map to be effective, it has to be comprehensive. In today's digital world, that means it must account for things like mobile devices and cloud-based applications, including social media, since ESI from these sources is increasingly being sought in litigation. It is critical to identify how and by whom these sources are used and any relevant ESI that may exist on them (customer service records, marketing materials, etc.). In the case of mobile devices, it's important to identify any relevant data that is specific to the device versus that which can be accessed from a more traditional ESI source, such as an email server. When it comes to mapping social media use, it's imperative that the information be updated on a regular basis since usage trends tend to evolve very rapidly.
While data mapping is a crucial component of compliance with existing and soon-to-arrive data privacy regulations, it's not the only one. Learn more about the challenges facing governmental agencies in our upcoming webcast The Results are In...Top E-Discovery & Records Request Challenges for Government.