In the United States companies are not required to inventory the type of data that they maintain, or to map where that data flows into (and out of) their organization. That said, knowing the type of data that you collect, where it is being held, with whom it is being shared, and how it is being transferred is a central component of most mature data privacy and data security programs. For example, while the law does not require that companies inventory the data that they collect, federal and state law is being interpreted as requiring that companies use, at a minimum, reasonable and appropriate security to protect certain types of “sensitive” information such as Social Security Numbers. It is difficult for many companies to defend their security practices if they lack confidence as to whether they are collecting sensitive information and, if so, where it is being maintained. As a result, while it is not a legal requirement to conduct a data inventory, it is, for many, a de facto step to comply with other legal requirements.
Under the EU Privacy Directive, however, member states were required to impose a requirement on data controllers to keep a register of processing operations, which often functionally amounts to a data inventory.1 As in the United States, companies were also required to implement “appropriate technical and organizational measures” to protect personal information.2
The EU’s new General Data Protection Regulation (“GDPR”) does not change the status quo. Most companies are still required to conduct data inventories or, rather, to maintain a record of processing activities.3 This record-keeping obligation varies slightly for controllers and processors, but both are subject to the law. Data processing records shall, for example, contain the following information for each processing activity.
The following provides a snapshot of information concerning data maps.
Maintaining a data map was ranked as the number one priority by privacy officers.4
The percentage of companies that identified maintaining a data map as relevant.5
The percentage of companies that have a data map.6
The percentage of companies that have a data map and use it to track the flow of data between systems.7
What you should think about when deciding whether to conduct a data map or a data inventory:
What information should you consider including in your data map:
1. EU Directive Art. 21 (2), 19 (1)(a)(1)(b).
2. EU Directive at Art. 17(1).
3. GDPR Art. 28. Some companies that have fewer than 250 employees are exempt from this requirement.
4. Nymity, Privacy Management Program Benchmarking and Accountability Report (2015), https://www.nymity.com/data-privacy-resources/data-privacy-research/privacy-management-benchmarking-report.aspx.