Data subject access requests (DSARs), records of processing activities (RoPAs), vendor risk management, a dozen other data privacy compliance requirements—all of them depend upon or are significantly facilitated by a map of the personal information your organization processes.
But there’s no hard and fast requirement for a data map in the GDPR, CPRA, or any other data privacy regulation. As a result, many privacy professionals don’t think to investigate data mapping until they start diving into the day-to-day work of their privacy program. After weeks of interviews, dozens of emails, and a labyrinth of spreadsheets, they realize that they need an automated tool.
But as is always the case, not every tool is made equal. Some are inefficient; some replace the work of manual data mapping with just as much work of a different kind; some simply create more work for a privacy professional.
To help privacy professionals spot tools that are more trouble than they’re worth before buying them, we’ve identified five red flags to watch out for in an automated data mapping tool.
1. Leaves You Reliant on Data Scientists
Data mapping isn’t unique to data privacy. Knowing where organizational data lives and what types of data are available is important for a wide variety of projects. That might include:
- Improving supply chain management and logistics functions.
- Identifying bottlenecks in the customer journey.
- Finding valuable targets for marketing campaigns.
- And (often at the bottom of the totem pole) identifying stores of personal information and their associated compliance risk.
There's a wide variety of tasks that a data scientist can accomplish, but usually, the business wants them to conduct analyses that translate directly to dollars and cents. When privacy professionals need to rely on data scientists to map the organization’s data for compliance purposes, they’ll often find that compliance tasks are de-prioritized in favor of revenue generation.
Making a persuasive business case for your privacy program can mitigate this to a degree, but the reality is that data scientists are always going to be an in-demand resource at any organization. If your automated data mapping tool is owned and operated by the data science function, your privacy program will always be steps behind, and your organizational compliance posture will never be where you want it to be.
2. Paints Automation as Magic
Software can do a lot of things, but magic isn’t one of them. Invariably, an automated data mapping tool will run into edge cases, exceptions, and instances where manual effort is required. Consider how you’ll map data from:
- Air-gapped systems.
- Proprietary and/or niche systems.
- Systems that store unstructured data.
- And others.
In 1955, psychologists Joseph Luft and Harrington Ingham coined the term “unknown unknowns”; that is to say, issues that you aren't aware of and which you lack insight into. Unknown unknowns always appear, and the hallmark of a good tool is being prepared to handle them.
For the “unknown unknown” stores of personal data at your organization, it’s essential that your tool provides a way to facilitate discovery and streamline manual mapping efforts.
When automated data mapping tools make no mention of how they facilitate necessary manual work, they also tend to have a very narrow definition of “automation” and a very narrow scope. For example, an allegedly “automated” data mapping solution might automate just the discovery of personal data stores and not the metadata labeling and tagging that makes downstream compliance activities possible.
3. Lacks a Means of Prioritization
Whether you use an in-house automated data mapping tool or a third-party tool, a common issue that privacy professionals run into is being inundated by data stores that need to be investigated. Because data privacy compliance is an ongoing process, new data stores will be added to your data map all the time. Not all of these data stores pose the same level of risk. Some might not be involved in downstream data transfers, for example; they might not store sensitive data; or they might not store large volumes of data.
Some automated data mapping tools present these data stores as equally important. That means you’ll have to spend time manually investigating low-risk data stores while stores that actually pose a high risk remain unmitigated.
But in reality, it isn’t too much to ask for an automated data mapping tool to estimate the level of risk posed by one data store or another. It’s possible to assess the number of exports to vendors, the number of connected systems, the number and types of data fields stored, the number of identities handled, and so on to distinguish high-risk from low-risk data stores.
4. Requires Redundant Analysis
Since your organization’s data landscape is perpetually changing, you’ll need to use your automated data mapping tool to scan for data stores on a regular basis. When you do, you won’t want to have to wade through a backlog of data stores you’ve already investigated and evaluated as being irrelevant.
Not everything that’s capable of holding personal information will actually do so, and sometimes you’ll find data stores that require no further action. The right tool will provide quality-of-life capabilities that let you flag certain data stores as irrelevant, so your team doesn’t waste time re-reviewing something that doesn’t affect compliance.
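The two capabilities described in sections 3 and 4, risk-based prioritization of discovered stores and suppression of stores already flagged as irrelevant, can be sketched together in a small triage routine. The code below is an added example and is not Osano’s code or any real product’s logic; the scan records, the scoring weights and tier thresholds, the `SENSITIVE_TYPES` taxonomy and the `fingerprint` rule are all assumptions made for the illustration. One caveat it builds in: a store flagged as irrelevant is only skipped while the signals it was flagged on remain unchanged, so a store that later gains a vendor export or a new sensitive field comes back into the review queue.

```python
import math
from dataclasses import dataclass

# Field categories treated as sensitive when scoring (assumed taxonomy, not a standard).
SENSITIVE_TYPES = frozenset({"health", "financial", "biometric", "government_id"})


@dataclass(frozen=True)
class DataStore:
    """One data store as reported by a hypothetical discovery scan."""
    store_id: str
    vendor_exports: int        # downstream transfers to third-party vendors
    connected_systems: int     # systems reading from or writing to this store
    field_types: frozenset     # categories of personal-data fields found
    identity_count: int        # distinct individuals represented


def risk_score(store: DataStore) -> float:
    """Weighted risk estimate from the signals named in the post; weights are illustrative."""
    sensitive = len(store.field_types & SENSITIVE_TYPES)
    ordinary = len(store.field_types) - sensitive
    score = (
        3.0 * store.vendor_exports                # each export widens the transfer surface
        + 1.0 * store.connected_systems           # each integration is another access path
        + 4.0 * sensitive                         # special-category data dominates the score
        + 0.5 * ordinary
        + math.log10(store.identity_count + 1)    # volume matters, but sub-linearly
    )
    return round(score, 2)


def risk_tier(score: float) -> str:
    """Bucket a score into the tiers a reviewer would work through (thresholds assumed)."""
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def fingerprint(store: DataStore) -> tuple:
    """Signals whose change should bring a suppressed store back for review."""
    return (store.vendor_exports, store.connected_systems, store.field_types)


def triage(scan: list, irrelevant: dict) -> list:
    """Return (store_id, score, tier) for stores needing review, highest risk first.

    `irrelevant` maps store_id -> fingerprint recorded when a reviewer flagged it.
    A store is skipped only if its current fingerprint still matches that record.
    """
    queue = []
    for store in scan:
        if irrelevant.get(store.store_id) == fingerprint(store):
            continue  # unchanged since it was flagged irrelevant: no re-review
        score = risk_score(store)
        queue.append((store.store_id, score, risk_tier(score)))
    queue.sort(key=lambda item: item[1], reverse=True)
    return queue


# Constructed scan output for the example (not real systems).
SCAN_RESULTS = [
    DataStore("crm-prod", 4, 6, frozenset({"email", "name", "financial"}), 250_000),
    DataStore("marketing-analytics", 1, 2, frozenset({"email"}), 50_000),
    DataStore("build-logs", 0, 1, frozenset(), 0),
    DataStore("legacy-hr-export", 0, 0, frozenset({"health", "name"}), 1_200),
    DataStore("support-tickets", 2, 1, frozenset({"email"}), 8_000),
]

# Constructed prior review: build-logs is unchanged and stays suppressed;
# support-tickets gained vendor exports since it was flagged, so it resurfaces.
PRIOR_REVIEW = {
    "build-logs": (0, 1, frozenset()),
    "support-tickets": (0, 1, frozenset({"email"})),
}

if __name__ == "__main__":
    for store_id, score, tier in triage(SCAN_RESULTS, PRIOR_REVIEW):
        print(f"{tier:6} {score:6.2f}  {store_id}")
```

Running the block prints the four stores still needing attention, led by the CRM store with multiple vendor exports and a financial field, while the unchanged build-logs store never reappears in the backlog.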
5. Doesn’t Enable Downstream Compliance Activities
Non-privacy-focused data mapping tools are often guilty of this, but even some tools meant strictly for privacy professionals suffer the same flaw: They don’t make it easy to actually do anything with your data map.
There isn’t a law that specifically says you need to have a data map for your organization. However, a myriad of regulatory requirements depend upon, or are made significantly less tedious by, a data map, such as:
That’s why the best data mapping tools for privacy professionals are integrated into an overall compliance platform.
Take Osano for example. Privacy professionals who use Osano as their automated data mapping tool can easily use discovered data for DSARs, to populate their RoPAs, and to quickly filter and search through data stores and associated metadata to identify redundancies, unneeded data, and data stores that are potentially responsive to a DPIA.
In fact, Osano passes all of the tests we described in this article—it:
- Enables you to bypass the data scientists.
- Streamlines unavoidable manual workflows.
- Calculates risk and effort, enabling you to prioritize your work.
- Lets you ignore or set aside data stores for future review.
- Connects your data map to a library of tools that a privacy professional needs to accomplish their job more efficiently and effectively.