Understanding the data mapping exercise in data privacy
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
There is the misconception held by most privacy professional that the essence of running a privacy programme is to have document policies and run administrative tasks when it comes to the end-to-end management of a data privacy programme. Holding that thought process and having that embedded in a business sets the business up for failure on many fronts. Even when the obvious fact is glaring in the face, most privacy professionals still create this peripheral approach and soil the meaning of having an extensive privacy programme.
First, the data mapping exercise, whether done manually or in an automated fashion, aims to help any company locate their data in a granular form. It teases out, amongst other things, the flow of data between business systems and functions. In the grand scheme of things, a robust data map exercise will give the privacy professional an oversight, at the minimum, what categories of data is processed, which department processes such data and who has access to such data.
Another important facet of a robust data map exercise is that it enables the business to understand the lawful basis for processing within the regulation and shines a light on the existing principle that might have been employed within the processing of each business function. In addition to these, it helps to propel the agenda for retention and deletion protocols and methodologies employed by the company. It is not enough to set deletion at a particular data when the company needs to meet other statutory and legal obligatory functions.
In that light, therefore, the data mapping exercise in the first instance will help the business map out the workflows for various business needs. For example, a human resource can tease out the essential areas within the business that needs an overhaul or improvement with regards to the handling of their unsuccessful candidate and how to manage unused CVs within the business. Another area data mapping can help is with the management of vendors in that it can help the business exercise their rights to audit this business if they understand clearly what kind of data is being processed on their behalf.
The data map from a microscopic point of view will feed into various technicalities within the business. For example, it can trickle down into the training that might be needed for staffs within a department that process sensitive personal information or any type of personal information and help the learning and development team come up with bespoke content that can help staffs understand how their day-to-day role aligns with data protection expectation. Another critical example is that it can feed into the policy suite maintained by a company.
The importance of data mapping is critical in any privacy framework and failure to ask the right questions will set any data mapping exercise for failure. The privacy professional within any business, therefore, must focus on this piece of the puzzle first before carrying out any task within the business. To put it succinctly, this is the foundational piece that makes the whole data privacy journey stable.