Data Mapping for GDPR, CCPA and Privacy Regulations

The California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR) mandate for detailed data inventories are now reflected in many other privacy regulations worldwide and continue to pose a significant challenge for organizations of all sizes. Whether you’re looking for specific assistance with Article 30 compliance or need a robust solution to meet multi-jurisdictional requirements, Kroll experts deliver accurate and efficient data inventory solutions. 

Leveraging frontline expertise from thousands of cyber security investigations and hundreds of detailed cyber risk assessments every year, our security and privacy experts know the questions to ask and the stones to uncover to help your organization understand, describe and identify how protected data flows within your systems, to and from vendors and internationally. Our extensive data mapping solution provides deeper understanding of data ingestion, storage and security and helps better document the business reasons for its retention and use.

Key Data Mapping Answers We Collect

Most data mapping regulations specify the documentation and management around fundamental questions covering the entire data lifecycle , such as:

• What data is collected where it is stored, for how long and who has access to it?
• Is transferred outside of the organization or outside of the country (and where)?
• What security controls exists around data collection, sharing and storage?
• How is the data processed and what is the legal basis or business reason for processing that data?
• Is the data considered sensitive?
• How is the data transfer protected?

Our experts initially focus on understanding as much about your environment to prioritize the most sensitive systems before examining additional areas. We follow a five-step process that is customized to fit the regulatory requirements of your organization.

Identifying Protected Information 

Kroll will assist your organization in determining how to best categorize the protected information (as defined by your legal team) held by your organization. With the plethora of information that an organization may hold, it is important to understand the types of protected information you have, whether it’s considered sensitive, the business reasons for processing it and where it is stored and for how long. Kroll will work with your legal team to determine the appropriate categories of data that may include, but are not limited to: 

• The nature and types of the protected information
• Location (e.g. databases, applications)
• Categories of sources
• Internal access rights
• Forms of collection
• Data flows, including transfers to affiliates, service providers and internationally 
• Questionnaires and Document Reviews

Effective data maps require input from almost all departments but especially IT, information security, legal, compliance, marketing and human resources. Kroll will deploy questionnaires to key stakeholders to elicit information on critical information assets, systems and security processes.

Additionally, Kroll will request documentation regarding policies and procedures governing the security and use of the information under the various data privacy regulations. Our practitioners will examine receipts, storage, handling and management of the protected data.

Deploy Data Mapping Software

Based on the questionnaire responses and the document review, Kroll’s experts work with your organization’s IT personnel to configure and deploy the data mapping software that will identify and document structured protected information.

Onsite Visits 

Kroll experts perform interviews with stakeholders to verify conclusions drawn from the questionnaire and the data mapping software findings. They will fill in gaps and perform a visual walk through of the protected information’s data lifecycle on your organization’s systems. 

Deliver Completed Data Mapping and Template 

Kroll experts will leverage questionnaires, existing documentation, data mapping software results and onsite information to build a full data map and inventory and establish a template upon which your privacy professionals can make ongoing adjustments. 

Beyond Compliance, Data Mapping is a Good Business Practice

While the initial mandate for a data mapping exercise may come from GDPR or other privacy regulations, such efforts often uncover practices organizations had forgotten about or didn’t even know existed. Our experts have helped a client identify terabytes of sensitive data, posing a tremendous legal, financial and reputational risk in the event of a data breach, simply because a retention policy had not been fully configured.

Data mapping provides great clarity that will ensure your risk management team can make informed decisions. Kroll experts will help manage your data inventory to optimize data security, better understand your data flows and achieve regulatory compliance. Take the extra steps today in mapping your data to protect your organization tomorrow. Talk to a Kroll expert.