October 22, 2024
Demystifying Data Mapping: A Clear Path to Better Data Understanding
In today’s data-driven world, businesses collect, process, and share vast amounts of information internally and externally. With growing privacy concerns and the need to comply with strict regulations like GDPR, CCPA/CPRA, and HIPAA, organizations are under increasing pressure to understand, categorize, and protect the data they manage. They must also provide methods for individuals (data subjects) to access, correct, or request the deletion of their data. One of the foundational steps in fulfilling these obligations is effective data mapping.
Data mapping involves identifying, classifying, and understanding how data flows within your organization—from collection to storage, processing, and sharing. This practice helps meet compliance requirements and ensures that businesses can protect sensitive data, optimize their data management strategies, and respond quickly to security incidents.
In this blog post, we will explore why data mapping is crucial, the steps involved in creating a data map, and how it can be the key to safeguarding your organization’s data while staying compliant with evolving regulations.
The first step is to clearly define the goals and objectives of the data maps being created. It is necessary to understand whether they are intended for compliance with privacy and security standards and regulations, reducing data storage redundancy, responding to Data Subject Access Requests (DSAR), adhering to internal retention and deletion policies, or a combination of these. Depending on each objective’s importance, having multiple objectives will increase the complexity and the number of stakeholders involved. However, going through this process with stakeholders can reduce duplication, time, and effort.
After the goal of the data mapping project has been defined, the next step is to determine the types of data collected and to create a Data Inventory. This is particularly important for breach reporting purposes and for understanding the security tools and privacy mechanisms that need to be implemented. It is essential to consider that data may fall into one or more of the categories below. The breakdown we use for data classification is as follows:
- Sensitive data (see the 50 state breach laws): Data that would require reporting under one of the 50 state breach laws if a breach occurred and that requires reasonable security controls to be in place (name, SSN, financial identifiers, etc.).
- Personal Health Data (PHI): Data collected by healthcare providers, health plans, and healthcare clearinghouses regarding individuals and their healthcare. Designated Record Sets are needed to respond to individuals’ requests for correction of and access to their health information.
- Sensitive Data: Defined by state omnibus Privacy Laws, GDPR, or other international regulations; requires additional organizational obligations such as providing individuals with rights including opt-in/opt-out, consent, limiting secondary uses, and profiling.
- Personal Information (PI) types and categories (as defined by CCPA/CPRA): Must be disclosed in privacy notices.
- Restricted Data: Company data that only permitted employees can access due to its sensitive or highly confidential nature.
- Company Confidential Data: Data that cannot be disclosed outside the company due to patent, trade secret, insider trading, or other pertinent restrictions.
Once the types of “data assets” collected and processed by the organization are defined, Data Mapping can be contemplated. This can be considered a roadmap of how data flows through the organization: the journey of the data through its destinations and uses. To do this, the following items will need to be collected and understood:
- Data Sources: Where and from whom does the data originate (employee, consumer, third party, employer)?
- Data Collection Methods: How is the data collected from the sources (data files, manual input, API connections, emails, and consumer input)?
- Security Measures: All technical (tools) and administrative (controls) measures in place to protect the data.
- Data Uses: What are all the ways in which the data will be used (provide services to consumers, data analytics, profiling, marketing, other)?
- Country of origin: Where did the data originate? This is particularly important for individuals’ personal data (PII, PHI, Sensitive data, etc.).
- Transfers of data to other countries: Various privacy regulations require that transfers of personal data be documented and that there is a demonstration of administrative and technical controls to protect the data.
- Transformation: Will data be altered, transformed, or combined with other data?
- Third Parties: Transfers to service providers who process or store the data.
- Internal Transfers: Resources or locations housing the data. All systems or platforms that will house, store, or process the data.
- Data Ownership: Who within the company is responsible and accountable for ensuring data accuracy, minimization, and updating?
- Is the company a Data Controller, Data Processor, Business or Service Provider?
It is most efficient to map the data by process or Data Processing Life Cycle, which follows the data through collection, usage/access, sharing/transfer, storage (platforms, systems, cloud locations), and retention/disposal, and tracks the uses of the data. This can most easily be accomplished once the Data Inventory (types of data collected) has been identified and all items above have been noted. Consideration should be given to mapping data at the highest-level processes; mapping could also be based on products in addition to internal processes for employee data.
Creating a template in a spreadsheet that notes the items above (including the data types) for each process will be the most efficient. Other methods of collecting this information would include:
- Interviews (to populate a template)
- Use of data mapping software
- Data governance platforms which contain a suite of tools for data inventory, mapping, compliance, and security
- Cloud storage solutions
- Use of Privacy Impact Assessment, which would contain questions to obtain the appropriate information to create data maps
The final product will be a visual representation of the flow or journey of the data, created in a tool such as Visio or the OneTrust platform. This is an assignment that will require forethought, strategy, time, and diligence. However, it will enable you to drive governance into business operations and meet privacy legal obligations such as:
- Assessing what law or regulation applies to which data flow
- Providing current and accurate privacy notices
- Responding to DSAR (Data Subject Access Requests)
- Ensuring HIPAA/HITRUST compliance
- Complying with data retention/disposal and minimization requirements
- Complying with various obligations per the regulations (opt-in/opt-out, PIAs, use of personal information, reasonable security, proper oversight, and management of service providers/third parties).
- Determining whether you are a Data Controller, Data Processor, or both, as well as the related responsibilities.
How Tevora can Help:
Tevora’s data privacy and security experts can answer any questions you have. We would also welcome the opportunity to help your organization plan for and implement the changes needed to comply with this comprehensive data security law. Give us a call at (833) 292-1609 or email us at sales@tevora.com.