Data Mapping Best Practices
When you go on a road trip, you need to know where you’re going and how you’re going to get there. When you are building a data privacy and security program, you need to know the same things.
How to Plan Your Data Mapping Road Trip
Anyone who has used a map to plan a road trip knows there is more than one route to get you where you’re going. Some ways are faster than others, some have better views, and some are just a bad idea (driving from Iowa to Disneyland only on country roads under construction will still get you there, but probably not without a few flat tires along the way).
Building and managing compliant data privacy programs with proven best practices, or “good roads,” can save you time and money, reduce your risk of a data breach, and increase your customers’ trust in your commitment to them.
When it comes to data privacy, you need a data map.
Why you need a data map
New consumer privacy rights laws have created an urgent need for companies to understand how and why they are using the data they collect from their customers.
The European Union’s General Data Protection Regulation (GDPR) mandates that businesses have a legal basis to collect and store sensitive consumer personal information.
The United States employs a sectoral, or state-by-state, approach to privacy legislation, and the state laws adopted so far mimic the provisions of the GDPR. The California Privacy Rights Act (CPRA), which will be operative beginning January 1, 2023, and the Virginia Consumer Data Protection Act (VCDPA) are moving US legal standards towards requiring a business purpose for the storage of consumer data.
A data map can help you make sure you are complying with all those requirements.
Packing the car
Packing the car for a road trip is an art as much as it is a science. You have to pack what you need for where you’re going, but you also have to prepare for what might come up while you’re getting there.
That means packing snacks, bags in case someone gets carsick, games to alleviate boredom, music to keep you awake, earplugs to block out fighting kids, and ibuprofen for when the earplugs don’t work.
Building the infrastructure and processes for your data privacy program is like packing your car for a road trip. You need to know where you’re headed (compliance!) and what you need to get there (a granular understanding of your data).
You need to know:
- What data elements, or types of data (name, address, phone number, username, password, financial data, location), you are collecting.
- Where the data came from (phone contact, online forms, messaging interfaces, etc.).
- Where, how, and how long you are storing your data (In-house? On a vendor server? In the cloud?)
- How each data element is used (in-house analytics? Customer outreach? Third-party applications like shipping management?)
How to build a packing checklist for your data
Data records play a key role across multiple business functions, so the best way to get a granular understanding of your data is to have a cross-functional team spend a day being a data record.
Working with IT, marketing, customer service, and operations teams, track a single piece of data through your entire system. Figure out all the places you are collecting data, all the types of data you are collecting, where it goes once it enters your system, who has access to it, and where it is vulnerable to breaches or corruption.
Small businesses may be able to track all this information in a spreadsheet, whereas mid-sized companies and larger companies probably need to automate the process using a software platform. But tracking this data is only half the battle.
You also need to know the rules for using it.
Rules for the road
Just like seat belt laws and speed limits, the laws that govern data privacy vary by region and sometimes by industry. But there are basic rules that provide good markers for you to follow.
Rule 1: Go backward to go forward
One of the most common mistakes people make when building a data privacy program is to update their privacy and cookie notices in a silo, separate from their data mapping process.
It’s much better to start with data mapping—you need this knowledge in place before you can develop your privacy notice.
Rule 2: Don’t use cookie-cutter solutions
Nearly all data privacy laws around the world make it risky for companies to collect more data than they need and to store it for longer than they need to, because these laws give consumers the right to, for example:
- Know what information companies have collected about them
- Correct collected data that is inaccurate
- Delete data from a company’s database
- Opt out of having their data shared and/or sold
These laws also require companies to take “reasonable security measures” to protect their data.
There are two main problems with using a spreadsheet or an off-the-shelf software solution to handle the management of your data. One is that these solutions don’t take your company’s unique challenges into account, and the other is that implementing any tracking tool requires an understanding of privacy laws and risks.
One example: privacy laws don’t really specify what “reasonable security measures” look like, and the fines and penalties differ depending on which types of data are exposed if your reasonable security measures get hacked.
But if your business and an email marketing company are using the same software solution, it may recommend the same security measures to both. Even scarier, if you’re only using Google Sheets, you’re on your own to figure out what a reasonable security measure looks like.
Hiring a privacy consultant or fractional privacy officer who is an expert in identifying and resolving privacy risks can protect you from mistakes your DIY or off-the-shelf program might not catch.
Rule 3: Don’t make a map and then not use it
What’s the point of asking Siri for directions if you don’t listen to the answer?
As we mentioned earlier, data privacy isn’t the responsibility of just IT or just marketing or just customer service or just legal.
Data privacy is the responsibility of every single person in your organization.
Another common mistake companies make in putting their data management program together is to let one team develop the data collection and storage protocols while a totally separate team develops the processes consumers use to file individual rights requests or data subject access requests (DSARs).
If these teams aren’t talking to each other, your consumer-facing protocols may not match up with your internal systems. Even though you were trying to do the right thing in creating these processes, isolating the two development processes creates a mismatch that will make more work for you, put your data at a higher risk of exposure, and confuse your customers.
Just like with a road trip, the map comes first. Once your data map is finished, your whole team will be able to see the best route for employees and customers to take when interacting with your data assets.
Rule 4: Don’t forget to change your oil
No one wants to be that person stuck on the side of the road, holding up the hood of the car and staring down at a smoking engine while screaming kids standing in the tumbleweeds throw Goldfish crackers at each other.
Your car needs regular maintenance to be able to perform, both on trips to the grocery store and trips across the country.
A data privacy program is like a car—it needs regular checkups to run smoothly.
If you can update your privacy plans once a year, it will be exponentially easier to stay compliant with changing laws and best practices.
We can be your privacy mechanic
At Red Clover Advisors, we believe in the power of data privacy to build trust, give more value than you take, and create great experiences. If you need help drawing or following your data map, we can help. Give us a call today to get started.