This article was originally published in the NH Business Review and can be found here.
It’s 10 O’clock, Do You Know Where Your Data Is?
Using data mapping to comply with privacy and security requirements
By: Doug Verge
March 13, 2020
If you watched the evening news in the 1960s, 70s, or 80s, you may recall the public service announcement, “It’s 10 PM, do you know where your children are?” It was really an admonishment for parents to keep track of their children at all times. In this day and age of personal information taking center stage with numerous data privacy and security laws, it is critical to know where your data is (including data you control or process concerning others) at all times. The only way to truly keep track of your data is through a process known as “data mapping”. You may recall having learned the six elements of fact gathering, namely, who, what, where, when, why and how. These same concepts apply to data mapping (although not necessarily in that order).
Privacy laws such as the European General Data Privacy Regulation (GDPR) and the California Consumer Privacy Act (CCPA) require informing, and responding to requests by, individuals about what personal data is collected and processed and the purposes for the same, as well as what is done with that personal data. New Hampshire has a similar comprehensive law, HB 1680, currently pending in the legislature, which would impose similar obligations on businesses who collect the personal information of New Hampshire residents. Indeed, all companies have an obligation to safeguard data and act reasonably to avoid data breaches. Records pertaining to this personal information must be kept in order to respond to individual data subject requests where applicable. Furthermore, this data trail is necessary in order to comply with audits that may be undertaken by compliance authorities, and in some case to comply with your contracts. So what, then, are the key concepts of data mapping?
What personal information is collected/processed?
The first component of data mapping is to understand and record what personal information is collected/processed by your organization. Various data privacy laws require not just a record of categories of information (such as contact information or biometric information), but also a record of each specific type of personal information. Under the various privacy laws, the list of what constitutes personal information may be very extensive, including not only obvious identifiers such as name, Social Security number or driver’s license number, but also other things such as IP addresses, gender, or other types of information that alone or in combination could identify an individual.
Why do you collect the personal information?
Various privacy laws require organizations to identify the purposes for which they collect each type of personal information. Some types of personal information might be collected for multiple purposes while other types might be collected for a single purpose. For example, your organization might collect names, addresses, telephone numbers, and email addresses in order to set up an account or to provide publications to customers, collect facial patterns or thumbprints for access to software programs or devices, or collect bank account numbers, Social Security numbers and driver’s licenses with regard to payment processing.
How do you use the personal information?
This category of data mapping is closely related to the purpose for which you collect the personal information and essentially deals with what your organization does with the personal information it collects. Perhaps the organization uses contact information to send adds to customers or potential customers. Perhaps it uses the information for shopping carts. Perhaps it sells personal information. You must have a clear understanding of how the personal information is used.
When do you collect the personal information?
Various privacy laws require certain disclosures to individual data subjects prior to collection of their personal information. For example, IP addresses may be collected when visitors land on your organization’s website. Email addresses might be collected at the time a potential customer emails customer support looking for information. It is critical to keep track of and be able to identify at what point the personal information is collected, particularly for purposes of providing appropriate notifications.
How do you collect the personal information?
In addition to keeping track of what data your organization collects, you must keep track of the means by which personal information is obtained. One way is through use of cookies to collect IP addresses. Another method might be through online forms to set up an account. Information might be collected via email in order to enter into a contract. Collection of personal information through a shopping cart might be obtained for ordering of and payment for products and services. Your organization needs to be able to document this aspect of data collection just like the other steps.
What are the sources you collect the personal information from?
It is important to have a record of where the personal information came from. In many instances the personal information might come directly from an individual. On the other hand, information might come from other sources such as credit agencies or even as a result of acquisition from a data seller.
How long do you keep the personal information?
Again, various privacy laws require you to identify how long each type of personal information is retained by your organization. Certain laws, such as HIPAA, require specific retention periods. Organizations should have data retention policies which set forth retention periods for each type of data retained. Such policies are not limited to personal information, but cover a broader range of topics such as email retention, contract retention, tax return retention, and any other type of information that applies to the organization and its business. Retention policies also require purging of unnecessary data over time, which decreases the amount of information that needs to be protected from unauthorized use.
Who do you provide the personal information to and why?
The various privacy laws require disclosure of who your organization shares personal information with (or at least categories of the individuals or entities). Your organization might provide personal information to service providers such as credit card processors or hosts of software applications. Or it might sell personal information to third parties. Or it might provide personal information to data analytics providers. The organization should track all those who touch the data along with the reasons the data is shared with those persons.
Contractual compliance.
Aside from the various privacy laws, it is important to know where your data is at all times, not just as a best practice, but also to comply with contractual relationships in certain circumstances. For example, your organization may have contracts which require all data to be maintained only in the continental United States. If that is the case and you are using a global supplier such as Amazon Web Services to house data, it is possible that you are in violation of such an agreement if there are no restrictions on where AWS may transmit or store your data. Data mapping will enable your organization keep track of these situations to help ensure contractual compliance.
In summary, perhaps the easiest way to approach data mapping is to create a spreadsheet or chart with the various categories of personal data, filling in the appropriate information for each type of such data. Clearly this is potentially a monumental task. However, it is a task that in the long run will not only benefit your business, but will enable your organization to comply with various laws, some of which carry substantial penalties for noncompliance.