Imagine yourself as a digital frontiersman traveling across cyberspace into all the different websites you visit, leaving behind an echo of your travels. Like an explorer of the 1700s, your personal data does the same thing, leaving its mark on all the internet islands. But we must beware of pirates!
As a business, you must map your crew’s voyage (data subjects) across your network, ensuring the data has a safe journey and free of any would-be borders.
Personal data mapping is now a requirement for your organization if you wish to comply with either the GDPR or the CCPA. And in this article, we will take you through what a personal data map is, what to include, and how to construct a basic one.
Personal Data Mapping
Personal data mapping is a form of data inventory that will only include the personally identifiable information (PII) of your data subjects or consumers. Data subjects are a term within the GDPR that simply refers to producers of personal data that could come from customers, service users, business partners, residents, and non-residents.
Note that within the CCPA, the “consumer” is a natural person who is also a California resident. The key difference here is that the data subject within the GDPR means explicitly any individual who may be identifiable through the collected data. The data is then referred to as a data subject, while the CCPA would refer to them as consumers, and only when they are California residents.
But this article will not go over the difference between the two, as both regulations will require your business to carry out personal data mapping.
The point behind creating a data map is to help your organization handle the personal data lifecycle within the organizational information system. By categorizing and taking inventory, you should be able to see where the personal data travels from its collection to its inevitable destruction.
The personal data inventory will also build part of the overall cyber risk management framework of the organization. It is so vital in the framework that conducting privacy risk management is almost impossible without it.
Why Do You Need a Personal Data Map?
Other than the obvious regulatory requirements, there are other reasons why you’ll want a personal data inventory.
Primarily, having a personal data inventory makes life easier for you. It can help in the organization’s cyber risk management strategy by streamlining the data collection process and making it transparent. Privacy risk management becomes much more comfortable, too (as we mentioned above, it’s almost impossible to do without).
It also helps in proactive cyber defense. Knowing is half the battle, and if you don’t understand the information lifecycle of your organization, a cyber attacker will take advantage. You may have lost the war before it started.
War talk aside, having a personal data inventory shows your customers that you care about protecting their privacy. Showing good faith with your customers is fundamental to the success of your business.
What Is Included?
This question might seem a bit redundant as you might be thinking, well, personal data, right? It is a personal data inventory, after all.
Unfortunately, it is not so clear-cut; some key elements require further exploration. To be more specific, there are four key features, and those are:
- Data Item: what is the category of the data string stored—for example, name, health record, criminal records, addresses, etc.
- What format is it stored in: is it in hardcopy form, is it digital and stored on a hard drive or USB? Is it on a virtual server?
- Location of the data: Is it in a physical space like an office building or a data center? Is it stored on a cloud system, and is it publicly or privately hosted? Is it being processed by third-parties? Where are they located?
- Method of transfer: how is the data being sent to be processed through the post system? Over email, social media, internal systems, etc.
Knowing these elements will get you started on building a personal data inventory. The more advanced the information system, the more intricate the parts become, but they expand out of these primary four categories.
For example, under the format section, it might also include descriptors like:
- In what condition is the format? (i.e., Damaged Hard Drive or USB 3.0)
- Does the format have any known vulnerabilities (i.e., susceptible to rootkit attacks, no multi-factor authentication)?
It is in these scenarios that the risk-based approach to privacy comes into play. However, you do not have to concern yourself with the more advanced element yet.
First, you should have a basic map, and as your organization grows, you can start to implement the risk management aspects of the data inventory.
Here are a few more articles to help you learn more about CCPA:
Knowing the elements is one thing, but extracting the correct information is another process entirely. This section will discuss some techniques that your organization can employ to make the information gathering stage easier.
- Questionnaires: if you already have an established organization with an extensive information system, using an organizational-wide questionnaire can help get a broader picture of data and information flow. You can do it on a department-by-department basis and later analyze the questionnaire’s metadata to build a map from that data. This technique will also work for smaller firms too.
- Free Flow Diagrams: this technique may be more appropriate for start-ups and small businesses. Create an open flow model where your teams will roughly map out what they already know, and any potential gaps in their map will naturally arise over time.
- Software: there are software solutions available that will assist in your data mapping process. They can be a bit hard on the wallet, but they are a great aid if your organization has the resources. Generally, these data mapping solutions, designed for larger firms, have large and active information systems. The software solution will often integrate with their existing security infrastructure. It is not necessary to spend the money on expensive solutions to comply with the regulations. There are always experts out there that can help!
- Observations: one often underlooked technique is simply to observe how your information system operates. You can get profound insights just by seeing the organization in action. We can all get caught up in the day-to-day runnings and forget to take a step back to see our creations. It is in these moments where we get a real insight into the issues.
- Documentation: the most straightforward technique that works best when you start with it is documenting the processes. Producing useful documents is much easier if you start the business with security in mind, and establishing the lifecycle can prove very useful down the line. After all, you can’t hack a piece of paper (but you can steal it, so beware of physical security).
These are a few techniques that can help you in the data mapping processes. It’s best to mix a few and find a strategy that works for your business culture.
Personal Data Mapping Template
Now that you have done all the pre-planning for your personal data map, you can start constructing one. But how does it look?
A personal data map should include four main sections, these are:
- Source and Collection
- Processing of Data
- Destination, Use Case, or Access
- Destruction of Data
It may be tempting never to destroy any of the data you hold. Still, please understand that not having a good reason to keep any personal information is illegal under the CCPA and the GDPR. No, “it may be useful later” is not a legal reason for holding that data.
Source and Collection
The source and the collection of the data map is the start of the plan. It could be the portal through which the personal data is fed. For example, if you collect emails for an email subscription list, the source and collection of that data might be from a website blog (like this one, and you can subscribe to receive monthly cyber news updates!).
So in this example, the source would be the website portal, and the collection would be names and email addresses (and other details you request during sign up).
Processing of Data
The next section of the map is the processing section. This part will describe what is done with the data after collection. Once collected, the email addresses (the data) are then processed by sending emails such as newsletters, promotional offers, or other such information.
This is most often achieved by using email subscription software that processes the data into a usable form. It is vital to mention whether this email subscription solution is an in-house system or a third-party provider because that changes the risk factor.
Destination, Use Case, or Access
After the data is processed, it needs to be stored somewhere for later use. In this storage area, different networks or information system users may have access to the data. And with that access, they may use the data for new products or services, giving it a new use case.
Please note that although creating a new use case for collected data is possible under the GDPR and the CCPA, you must do it with the express consent of the data subject or consumer; otherwise, it will breach the natural person’s rights and freedoms. In the GDPR, you will also have to provide the legal reason for the data’s storage and processing.
Within this part of the map, you will outline all the storage devices and servers and their locations. The processing section will follow this part (you can see a visual example below).
As mentioned previously, it is considered a breach of regulation to keep personal data for longer than necessary or after the lifecycle is complete. So within the map, you will need to state at what point the company will destroy the data and by what means.
You will have to refer to the format the PII is stored in to understand how it will be destroyed. For example, it is quite commonplace for offices to have a paper shredder. These devices will destroy, as the name suggests, paper documentation. So any personal data stored in paper form will need to be eliminated via the paper shredder.
What Does a Personal Data Map Look like
Putting all this information should result in a comprehensive personal data map, which could look something like this:
Keep in mind that this is an elementary example of a personal data map. Depending on the organization, this could be much larger, but as the example shows, it is a neat way to organize the PII information lifecycle.
Benefits To Personal Data Mapping
Taking the time to develop a personal data map has many benefits for your organization beyond compliance. Here are some of the benefits that come from personal data inventories:
- Improving the decision-making process: Having a well-developed data map means that making decisions that have to do with privacy risk and security strategy is easy.
For example, having this map will let you know where the security gaps are in the information life cycle.
- Lean data storage: Save space and money, and cut out inefficiencies. By having a data flow map, you can see precisely where storage inefficiencies lie, making it easier to migrate your information system to more practical applications.
- Find the vulnerabilities: Vulnerabilities in the data flow map are simpler to patch if you know what the information systems look like in action. Threats that exploit those vulnerabilities can also help simulate an attack’s cascading effect on the information system.
How RSI Security Can Help
Your compliance strategy can make a massive difference in the time and resources needed to achieve full compliance. Personal data mapping must be part of your overall process.
But you don’t have to do it alone. RSI Security has compliance experts, and we can help you with all manner of regulations, whether it is the GDPR or CCPA.
Leverage our knowledge on data flow mapping and other compliance requirements and get in contact with us today. Schedule a consultation here!
Download Our CCPA Compliance Checklist
Assess where your organization currently stands with being CCPA compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.