The Datamap contains detailed information about the data within the organisation. A datamap is a record of all the systems/databases/vendors that stores data related the organization and also detailed inventory of how it flows in and out of the organization. A datamap is typically organized to provide an overview and more detailed information into the following aspects Security, Privacy, Backup, Retention etc. The information captured in the datamap should typically help answer the following questions
What types of data are we creating?
· Does it contain special categories of data such as customer PII, credit card data, or sensitive organizational secrets?
· Who are we sharing this information with inside and outside the organization?
· Where are we storing the data and how is that data protected?
· Who within the organization and at our partners has access to this data and for what purposes?
· How long do we need to keep this data for business reasons?
· How can we find data we need to respond to legal or regulatory issues?
· How do we recycle or delete data when we no longer need it?
Application or System Centric-Map:
An application or System centric map provides a System centric view of where the data is stored within the organization. You compile a list of the applications or systems in the environment, along with the IT and business owners of those applications. You then send out the Surveys to those owners, or connect via API to understand the data for each application.
Processing Activity/Business Process Centric-Map:
A processing activity or business process centric datamap will show how the data is stored or moves for each business process - example recruiting, payroll etc. You can also build a Processing Activity or Business Process centric Datamap within Meru. There can be multiple processing activities for an application or System. For example: “HR Recruiting process” might involve data from multiple Systems/Applications. Similarly an Application or System can support multiple business processes.
The Meru datamap can provide both an Application centric or a processing activity centric view of the data within the organization.
Building the Datamap
There are a few methods you can use to populate your data map:
Scanning or API Integrations (Feeds from other systems)
Data Discovery (Automated Scanning) or API Integration: This method may be able to tell you the data location, volume, encryption, and rough classification. Many companies have existing inventories of assets or vendors. You can integrate your data mapping tool with existing IT systems that store information on assets such as applications and databases.
Scanning alone does not capture enough information as it will not provide information regarding the purpose of processing and other contextual details. So it will be necessary to complement scanning with interviews or workshops to obtain a comprehensive view of the data for the datamap.