Automated Data Mapping Tools: 5 Red Flags to Avoid – JD Supra

Data subject access requests (DSARs), records of processing activities (RoPAs), vendor risk management, and a dozen other data privacy compliance requirements all depend upon, or are significantly facilitated by, a map of the personal information your organization processes.

But there's no hard and fast requirement for a data map in the GDPR, CPRA, or any other data privacy regulation. As a result, many privacy professionals don't think to investigate data mapping until they start diving into the day-to-day work of their privacy program. After weeks of interviews, dozens of emails, and a labyrinth of spreadsheets, they realize that they need an automated tool.

But as is always the case, not every tool is made equal. Some are inefficient; some substitute the work of manual data mapping with more work of a different kind; some just create yet more work for a privacy professional.

To help privacy professionals spot tools that are more trouble than they're worth in advance, we've identified five red flags to watch out for in an automated data mapping tool.

Data mapping isn't unique to data privacy. Knowing where organizational data lives and what types of data are available is important for a wide variety of projects. That might include:

There's a wide variety of tasks that a data scientist can accomplish, but usually, the business wants them to conduct analyses that translate directly to dollars and cents. When privacy professionals need to rely on data scientists to map the organization's data for compliance purposes, they'll often find that compliance tasks are de-prioritized in favor of revenue generation.

Making a persuasive business case for your privacy program can mitigate this to a degree, but the reality is that data scientists are always going to be an in-demand resource at any organization. If your automated data mapping tool is owned and operated by the data science function, your privacy program will always be steps behind, and your organizational compliance posture will never be where you want it to be.

Software can do a lot of things, but magic isn't one of them. Invariably, an automated data mapping tool will run into edge cases, exceptions, and instances where manual effort is required. Consider how you'll map data from:

In 1955, psychologists Joseph Luft and Harrington Ingham coined the term "unknown unknowns"; that is to say, issues that you aren't aware of and which you lack insight into. Unknown unknowns always appear, and the hallmark of a good tool is being prepared to handle them.

For the unknown unknown stores of personal data at your organization, it's essential that your tool provides a way to facilitate discovery and streamline manual mapping efforts.

When automated data mapping tools make no mention of how they facilitate necessary manual work, they also tend to have a very narrow definition of automation and a very narrow scope. For example, an allegedly automated data mapping solution might automate just the discovery of personal data stores and not the metadata labeling and tagging that makes downstream compliance activities possible.

Whether you use an in-house automated data mapping tool or a third-party tool, a common issue that privacy professionals run into is being inundated by data stores that need to be investigated. Because data privacy compliance is an ongoing process, new data stores will be added to your data map all the time. Not all of these data stores pose the same level of risk. Some might not be involved in downstream data transfers, for example; they might not store sensitive data; or they might not store large volumes of data.

Some automated data mapping tools present these data stores as equally important. That means you'll have to spend time manually investigating low-risk data stores while stores that actually pose a high risk remain unmitigated.

But in reality, it isn't too much to ask for an automated data mapping tool to estimate the level of risk posed by one data store or another. It's possible to assess the number of exports to vendors, the number of connected systems, the number and types of data fields stored, the number of identities handled, and so on to estimate high-risk versus low-risk data stores.

Since your organization's data landscape is perpetually changing, you'll need to use your automated data mapping tool to scan for data stores on a regular basis. When you do, you won't want to have to wade through a backlog of data stores you've already investigated and evaluated as being irrelevant.

Not everything that's capable of holding personal information will actually do so. Or sometimes you'll find data stores that require no further action. The right tool will provide quality-of-life capabilities that allow you to flag certain data stores as irrelevant, so you don't waste time re-reviewing something that doesn't affect compliance.
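As an added illustration (not code from the article or from any vendor's product), the following sketch turns the two preceding points into a triage routine: it scores each discovered data store from the signals the article lists (vendor exports, connected systems, field types, identities handled) and drops stores already flagged as irrelevant or reviewed from the next scan's queue. The field weights, the scoring formula, and the sample stores are all constructed for this example.

```python
import math
from dataclasses import dataclass

# Constructed weights: sensitive categories count more than plain contact data.
FIELD_WEIGHTS = {"email": 1, "name": 1, "ip": 1, "financial": 4, "health": 5, "ssn": 5}


@dataclass
class DataStore:
    name: str
    vendor_exports: int        # outbound transfers to third parties
    connected_systems: int     # internal systems reading from or writing to it
    field_types: list          # detected personal-data field categories
    identities: int            # approximate number of data subjects represented


def risk_score(store: DataStore) -> float:
    """Heuristic priority score; higher means review sooner. Formula is illustrative."""
    field_score = sum(FIELD_WEIGHTS.get(f, 1) for f in store.field_types)
    # Log-scale the volume so one huge store does not drown out every other signal.
    volume = math.log10(store.identities + 1)
    return round(3 * store.vendor_exports + 2 * store.connected_systems
                 + field_score + 2 * volume, 2)


def triage(stores: list, review_status: dict) -> list:
    """Return stores still needing attention, highest risk first.

    review_status maps a store name to 'irrelevant' or 'reviewed'; those are
    skipped so a rescan does not resurface a backlog already dealt with.
    """
    pending = [s for s in stores if review_status.get(s.name) not in ("irrelevant", "reviewed")]
    return sorted(pending, key=risk_score, reverse=True)


# Constructed sample inventory, as a scan might produce it.
SAMPLE_STORES = [
    DataStore("crm-prod", 3, 4, ["email", "name", "financial"], 200_000),
    DataStore("analytics-cache", 0, 1, ["ip"], 50),
    DataStore("legacy-backup", 0, 0, [], 0),
]
SAMPLE_STATUS = {"legacy-backup": "irrelevant"}

if __name__ == "__main__":
    for s in triage(SAMPLE_STORES, SAMPLE_STATUS):
        print(f"{s.name:16} risk={risk_score(s)}")
```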

Non-privacy-focused data mapping tools are often guilty of this, but even some tools meant strictly for privacy professionals suffer the same flaw: They don't make it easy to actually do anything with your data map.

There isn't a law that specifically says you need to have a data map for your organization. However, a myriad of regulatory requirements depend upon, or are made significantly less tedious with, a data map, such as:

That's why the best data mapping tools for privacy professionals are integrated into an overall compliance platform.

Take Osano for example. Privacy professionals who use Osano as their automated data mapping tool can easily use discovered data for DSARs, to populate their RoPAs, and to quickly filter and search through data stores and associated metadata to identify redundancies, unneeded data, and data stores that are potentially responsive to a DPIA.

In fact, Osano passes all of the tests we described in this article; it:
