Knowing the type of data that you collect, where it is being held, with whom it is being shared, and how it is being transferred is a central component of most data privacy and data security programs. The process of answering these questions is often referred to as a “data map” or a “data inventory.”
Although the questions that a data map tries to solve are relatively straightforward, the process of conducting a data map can be daunting depending upon the size and structure of an organization. In addition, it is important to remember that data constantly changes within an organization. As a result, organizations must consider how often to invest the time to conduct a data map and, once invested, how long the information will be useful.
What you should think about when deciding whether to conduct a data map or a data inventory:
What information should you consider including in your data map:
The following provides snapshot information concerning data maps and data inventories.
Maintaining a data map was ranked as the number one priority by privacy officers.1
The percentage of companies that identified maintaining a data map as relevant.2
The percentage of companies that have a data map.3
The percentage of companies that have a data map and use it to track the flow of data between systems.4
 Nymity, Privacy Management Program Benchmarking and Accountability Report, (2015), https://www.nymity.com/data-privacy-resources/data-privacy-research/privacy-management-benchmarking-report.aspx.