Why data mapping is important

Understanding your data flows is a foundational step for all privacy, security, and data governance efforts.

Post Main Image

Understanding your data flows is a foundational step for all privacy, security, and data governance efforts. Despite this, companies sometimes fail to prioritize data flow mapping and jump straight to implementation efforts before gaining a full understanding of the data they process. This post explains some key data flow mapping related terms and why data flow mapping should be a first step for all privacy and security programs.

First, what do we mean by data flow mapping? When we say “data flow map” we mean a graphical representation of data flows, including where data is collected from, what it is used for, where the data flows, whether it is shared, and how long it is retained. Done well, the graphical map is augmented with further information, such as data classifications, retention, identified risks, and more. A map is more than just a data inventory or record of your processing activities; while it may include the same basic information found in each of these, the key differences are the graphical element and the emphasis on where and how data moves through your environment.

Many companies faced with a new privacy compliance mandate are tempted to jump straight to the affirmative requires, like a new privacy notice, or implementing new data subject rights. This can cause them to overlook the important foundational step of developing comprehensive data flow maps. This is a mistake as your data flow maps should help inform every other decision related to security, privacy, and data management. While most U.S. laws do not have affirmative data mapping (or even data inventory) requirements similar to Article 30 of the GDPR, the data mastery privacy laws require makes mapping your data a practical requirement.

Among other benefits, data flow maps:

Help define your compliance and risk profiles: The exercise of data mapping and the resulting maps will cause you to consider all your processing activities, as well as the data subjects involved and what their data is used for. Since privacy obligations follow the data and what it’s used for, seeing how data flows through your organization helps establish what laws and obligations apply.

Break down silos and fill gaps: Frequently, divisions within companies have their own areas of responsibility and knowledge. Sometimes, there are gaps between what each division knows about and protects. Mapping your data highlights the areas that could otherwise get neglected, like handoffs between departments. Data flow mapping efforts also frequently uncover risky shadow IT.

Design a tailored privacy program: Data flow maps often highlight how data is used differently across different functions. For example, in the U.S., a company might have some highly regulated functions under one privacy regime and marketing functions under another. Seeing this on a map can help you determine how to allocate privacy resources. For example, a company may decide it needs a HIPAA compliance officer and a marketing privacy representative. Seeing data flows and hot spots can help you determine the best points for privacy controls and resources.

Foster internal discussion and collaboration: Good data flow maps distill knowledge from across your organization. Frequently, this information comes from individuals with deep knowledge of the systems they use or maintain, and very little knowledge of other systems. When it’s necessary to have discussions that cross these knowledge boundaries, it can be time consuming and difficult to get everyone on the same page for discussion. Having a company-wide source of truth in the form of data flow maps can jump-start discussion and collaboration.

To explain your processes to outsiders: Explaining your data flows to outsiders is even more difficult. Whether for good reasons or bad, most companies will sometimes be required to explain their processes to outsiders. This could be in the context of due diligence in a merger or acquisition, or as a potential vendor to another company. Other times, when things go wrong, a company could be required to explain itself to regulators or litigants. Data flow maps can tell your story and present your processes to help you tell your organization’s story.

Track data provenance and permissions: Companies are awash in personal data and nowadays all personal data is subject to usage restrictions. Whether you’re restricted by your privacy notice at the time of collection, a contract with another party, or some other provision of law, it’s both important and difficult to track all the permissions associated with data. By offering a step-by-step view of data flows and processing activities, good data flow maps allow traceability back to collection so you can tell what you are permitted (or not) to do with the data entrusted to you.

Build and enforce retention policies: Most data privacy laws place at least an implied limit on how long data can be retained, or at the very least an obligation to describe retention practices in privacy notices. Retention and deletion schedules are a frequent gap area for many companies. Graphical maps can show where your data moves to and is stored. You know the data lifecycle is not over until the information is safely and appropriately deleted, returned, anonymized, or archived. Good data flow maps also illustrate the processes data is used for and how long data is needed, so maps can be helpful both for building realistic retention and deletion policies and enforcing them.

To build new processes: All policies and procedures need to be updated from time-to-time. Sometimes, this includes for privacy compliance, such as establishing Data subject rights ("DSR") responses for access, correction, deletion, and others. In the case of privacy-specific needs, such as building DSRs, data flow maps are your roadmap to where you must provide access, deletion, correction, or other rights. For all processes, data flow maps make it easy to build your new processes in a way that is mindful of the context in which they operate.

Wherever you are in your privacy efforts, having a clear, concise, accurate, and explainable map of your processing activities supports everything else you need to do.