It’s 10 o’clock, do you know where your data is?
Using data mapping to comply with privacy and security requirements
If you watched the evening news in the 1960s, ’70s, or ’80s, you may recall the public service announcement, “It’s 10 o’clock, do you know where your children are?” It was really an admonishment for parents to keep track of their children at all times.
In this day and age, with personal information taking center stage in numerous data privacy and security laws, it is critical to know where your data is (including data you control or process concerning others) at all times. The only way to truly keep track of your data is through a process known as “data mapping.”
You may recall having learned the six elements of fact-gathering, namely, who, what, where, when, why and how. These same concepts apply to data mapping (although not necessarily in that order).
Privacy laws, such as the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), require organizations to inform individuals, and to respond to their requests, about what personal data is collected and processed, the purposes for that collection and processing, and what is done with that personal data.
New Hampshire has a similar comprehensive law, House Bill 1680, currently pending in the Legislature, which would impose similar obligations on businesses that collect the personal information of New Hampshire residents.
All companies have an obligation to safeguard data and act reasonably to avoid data breaches. Records pertaining to this personal information must be kept in order to respond to individual data subject requests where applicable. Furthermore, this data trail is necessary in order to comply with audits that may be undertaken by compliance authorities, and in some cases to comply with your contracts.
So what, then, are the key concepts of data mapping?
• What personal information is collected/processed?
The first component is to understand and record what personal information is collected/processed by your organization. Various data privacy laws require not just a record of categories of information (such as contact information or biometric information), but also a record of each specific type of personal information.
Under the various privacy laws, the list of what constitutes personal information may be very extensive, including not only obvious identifiers such as name, Social Security number or driver’s license number, but also other things such as IP addresses, gender or other types of information that alone or in combination could identify an individual.
• Why do you collect the personal information?
Various privacy laws require organizations to identify the purposes for which they collect each type of personal information. Some types of personal information might be collected for multiple purposes while other types might be collected for a single purpose.
For example, your organization might collect names, addresses, telephone numbers and email addresses in order to set up an account or to provide publications to customers, collect facial patterns or thumbprints for access to software programs or devices, or collect bank account numbers, Social Security numbers and driver’s licenses with regard to payment processing.
• How do you use the personal information?
This category of data mapping is closely related to the purpose for which you collect the personal information and essentially deals with what your organization does with the personal information it collects. Perhaps the organization uses contact information to send ads to customers or potential customers. Perhaps it uses the information for shopping carts. Perhaps it sells personal information. You must have a clear understanding of how the personal information is used.
• When do you collect the personal information?
Various privacy laws require certain disclosures to individual data subjects prior to collection of their personal information. For example, IP addresses may be collected when visitors land on your organization’s website. Email addresses might be collected at the time a potential customer emails customer support looking for information. It is critical to keep track of and be able to identify at what point the personal information is collected, particularly for purposes of providing appropriate notifications.
• How do you collect the personal information?
• How long do you keep the personal information?
Again, various privacy laws require you to identify how long each type of personal information is retained by your organization. Organizations should have data retention policies which set forth retention periods for each type of data retained. Such policies are not limited to personal information, but cover a broader range of topics such as email retention, contract retention, tax return retention, and any other type of information that applies to the organization and its business. Retention policies also require purging unnecessary data over time, which decreases the amount of information that needs to be protected from unauthorized use.
• Who does the organization provide the personal information to and why?
The various privacy laws require disclosure of who your organization shares personal information with (or at least categories of the individuals or entities). Your organization might provide personal information to service providers such as credit card processors or hosts of software applications. Or it might sell personal information to third parties. Or it might provide personal information to data analytics providers. The organization should track all those who touch the data along with the reasons the data is shared with those persons.
• Contractual compliance.
Aside from the various privacy laws, it is important to know where your data is at all times, not just as a best practice, but also to comply with contractual relationships in certain circumstances.
For example, your organization may have contracts which require all data to be maintained only in the continental United States. If that is the case and you are using a global supplier like Amazon Web Services to house data, it is possible that you are in violation of such an agreement if there are no restrictions on where AWS may transmit or store your data. Data mapping will enable your organization to keep track of these situations to help ensure contractual compliance.
Perhaps the easiest way to approach data mapping is to create a spreadsheet or chart with the various categories of personal data, filling in the appropriate information for each type of such data. Clearly, this is potentially a monumental task. However, it is a task that in the long run will not only benefit your business, but will enable your organization to comply with various laws, some of which carry substantial penalties for noncompliance.
Doug Verge, a shareholder at the law firm of Sheehan Phinney, is a member of its Intellectual Property Law Practice and chair of its Franchise and Distribution Law Practice Group.