Posted In: Cybersecurity & Data Privacy & Cybersecurity & Data Privacy
on November 4, 2020
Businesses collect data for a number of reasons, including providing services or products to customers, improving those services or products, and marketing those services or products to existing and potential customers. Knowing what data you have and where it goes is increasingly important as more and more privacy and data security laws are passed. This is where data mapping comes into play.
What is Data Mapping?
In its simplest form, data mapping is the process of evaluating what data you collect, where it is stored, and who has access to that data both internally and externally. While that process sounds relatively straightforward, evaluating the flow of data from the point of collection through its usage and eventual disposition can be daunting and time consuming, particularly for businesses that collect a large amount of data. A complete data map should identify: (1) what data is collected and the sources of that data; (2) all the locations where that data might be stored; (3) all the uses of the data and who has or needs access; and (4) what data is disclosed, shared, or sold to third parties.
The particulars of a data mapping exercise will vary depending on the structure of your organization; however, data mapping will typically involve contributions from multiple operational groups including legal and compliance, information technology, and communications and marketing. Although it may seem overwhelming upon initial consideration, you will find that partnering with individuals experienced in this area will help simplify the process and allow your organization to realize the benefits of data mapping.
Why is Data Mapping Important?
Data mapping can provide a number of significant benefits and advantages to your organization. In addition to enhanced record-keeping practices, data mapping allows businesses to:
- Identify what data they collect and whether there is a business need for that data. Businesses should pay particularly close attention to any data that might be considered personal information under any applicable laws. Names, physical address, and birthdates are obvious examples of personal information. Some less-than-obvious examples of data that may be considered personal information include: geolocation data, browsing and search history, internet protocol (IP) addresses, and biometric data to name a few. Many businesses may discover that they collect more data than they realize and retain that data longer than necessary.
- Identify security vulnerabilities. The flow of data both internally and externally allows businesses to evaluate potential weak points in their security procedures and to take action to improve security before it is too late. Many laws require businesses to create and implement reasonable security procedures to protect personal information, and data mapping should be one of the first steps in that process.
- Comply with applicable privacy and data security laws. Understanding what data you collect and the flow of that data allows businesses to assess their compliance with any applicable privacy and data security laws. For businesses that practice in multiple states or internationally, having an up-to-date data map will help ensure that certain data covered under an applicable law is not inadvertently over-looked.
Data mapping will create a comprehensive and detailed view of your business, ultimately increasing efficiency in all aspects of your operations. The benefits of data mapping shouldn’t be ignored. Companies that have employed data mapping practices are realizing the savings from it and gaining a competitive advantage in their respective markets. Although data mapping is resource-intensive and will require hands-on review and knowledge about the flow of data, your organization does not have to go through the process alone.
How Brouse Can Help
Brouse McDowell’s Cybersecurity and Data Privacy Practice Group can provide the guidance and tools you need to create a data map for your business. We can assist in every step of the process including evaluating your organization’s data collection, storage, access, and disposition. Along with providing insight to your business regarding best practices for data processing, we provide proactive solutions for companies to defend against cyber attacks and related threats. Our cybersecurity team offers a variety of data privacy and cybersecurity services, including pre-breach and cybersecurity planning, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery and response). Please contact us for more information and to learn how we can partner with you.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney client relationship is created or implied by this Blog. © 2024 Brouse McDowell. All rights reserved.