What are the Challenges in Building an Effective Data Map?
With the growing regulations around privacy and security, the significance of understanding data and its movement has increased tremendously. It is important to know where your data resides, where it flows, what type of data is being transferred, and where there are intersections with different data networks.
A comprehensive data map can provide all this information to make it easier for you to keep track of your data. But several companies lack the resources and expertise to build an extensive data map—many abandon such projects midway or end up with a data map that does not cover all aspects of information within the enterprise and has a very narrow scope.
As per the IAPP-FTI Privacy Governance Report 2020, when asked about the most difficult requirement of the California Consumer Privacy Act (CCPA) for organizations to comply with, 32% of the respondents found the law’s data-mapping requirements the hardest to meet. Next came the right to delete, with 23% giving it a very difficult rating.
Data mapping and deletion are found to be the most challenging tasks due to the approach needed to sustain the program and maintain the data map. Though it is comparatively easy to create a data inventory, it is challenging to ensure that it is accurate, comprehensive, and up to date.
While data or information governance will remain distinct for every organization, there are some common challenges in data mapping initiatives that undermine the success of the programs.
1. Defining the Data Map
Your data map will only be as extensive as your definition of it. How you define your data map should be based on the goals and needs of the organization, which can be determined after consultation with the concerned teams and stakeholders. But organizations often fail to get an accurate understanding of their requirements. Understanding what you need from the data map will ensure that it meets your expectations. Ultimately you want your DataMap to be scalable and easy to maintain.
2. Cross-Functional
A comprehensive data map should cover all the aspects related to privacy, compliance and legal, IT, security, and records management. The challenge lies in ensuring that the DataMap actively gets input from representatives from all these departments and addresses the problems faced by them. All the business units need to collaborate and work towards a shared vision for a successful data mapping project.
3. Accurate Picture of Actual Risks
To evaluate the risks, you first need to understand where your data is. An accurate picture emerges only after careful interpretation of the different data types and their flow. Once you have a clear representation of the entire data footprint, you gain a complete understanding of the actual risks rather than a partial depiction. This ensures that the more important and confidential data is safeguarded with the best tools and mechanisms.
4. Ensuring Alignment
Alignment cannot be achieved with just monthly or bi-weekly steering committee meetings. Though the teams view collaboration as important, actual collaboration is found to be limited because there is no clear understanding of shared goals and progress.
Cross-functional collaboration is needed across the teams within the organization. These teams must decide on the common objectives that align with the company-wide goals.
An effective data map should enable all critical stakeholders to work together for the successful implementation of the governance program. Proper collaboration ensures alignment and accountability within the team.
5. Lack of Expertise
Resource fatigue or resource constraints and lack of in-house experience are some of the major bottlenecks in moving the initiative forward. Most organizations lack the in-house expertise needed for building an exhaustive data map and end up employing tools that promise to deliver the desired results with just a click.
But when it comes to data mapping, one can’t stick to a “one size fits all” approach, as every organization is unique in terms of requirements and objectives. In this context, technology that is built from the ground up can support and sustain the demands in the long run.
6. Capturing Third-Party Data
Organizations that rely on third-party vendors, contractors, consultants, security providers, etc., need to keep track of the data that is being shared with these third-party service providers. Though it is necessary to identify the risks associated with third-party data, organizations often fail to include this element in their data mapping programs.
Recent incidents like the Kaseya ransomware and the SolarWinds hack highlight the dangers of supply chain attacks. A data map should not be limited just to the internal movement of data but be extended to illustrate what data flows out of the organization. Perform vendor risk assessments and develop a third-party risk program that can provide the required vendor insights.
Meru has adopted a similar approach to data maps—we enable information about data, systems and data flows to be maintained and updated with minimal effort from users by utilizing powerful automation capabilities.
Different stakeholders and teams within an organization can easily see and understand how their data is used with our data maps. The data maps can also help you track and manage risks around data and data flows. And, once a functioning data map is available within the organization, we have seen its use expand beyond compliance and the original objectives, much as mapping apps continuously grow in capabilities.