Guidelines for Data Maps and Data Inventories

BCLP
Contact
LinkedIn
Facebook
X
Send
Embed

Knowing the type of data that you collect, where it is being held, with whom it is being shared, and how it is being transferred is a central component of most data privacy and data security programs. The process of answering these questions is often referred to as a “data map” or a “data inventory.”

Although the questions that a data map tries to solve are relatively straightforward, the process of conducting a data map can be daunting depending upon the size and structure of an organization. In addition, it is important to remember that data constantly changes within an organization. As a result, organizations must consider how often to invest the time to conduct a data map and, once invested, how long the information will be useful. The following provides a snapshot of information concerning data maps: 

No. 1 

Maintaining a data map was ranked as the number one priority by privacy officers.1

100%

The percentage of companies that identified maintaining a data map as relevant.2

33%

The percentage of companies that have a data map.3

17%

The percentage of companies that have a data map and use it to track the flow of data between systems.4

What you should think about when deciding whether to conduct a data map or a data inventory:

  1. Which departments within your organization are most likely to have data?
  2. Who within each department would you need to speak with to find out what data exists?
  3. Is it more efficient to send the relevant people a questionnaire or to speak with them directly?
  4. What is the best way to receive information from each person in the organization that collects data so that the information provided can be organized and sorted with information received from others?
  5. How much time will it take to complete the data map?

What information should you consider including in your data map:

  1. The types of data collected.
  2. Where the data is physically housed (g., the building or location).
  3. Where the data is logically housed (g., the electronic location within a server).
  4. Whether encryption is applied to the data in transit (e., when it is moving). If it is, what encryption standard is being used?
  5. Whether encryption is applied to the data at rest (e., when it is being stored). If it is, what encryption standard is being used?
  6. The custodian of the data (e., who is responsible for it).
  7. Who has access within the organization to the data.
  8. Who has access outside of the organization to the data.
  9. Whether the data crosses national boundaries.
  10. The retention schedule (if any) applied to the data.

1. Nymity, Privacy Management Program Benchmarking and Accountability Report, (2015), https://www.nymity.com/data-privacy-resources/data-privacy-research/privacy-management-benchmarking-report.aspx.

2. Id.

3. Id.

4. Id.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BCLP | Attorney Advertising

Written by:

BCLP
BCLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

BCLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide