It’s Time to Update Your Organization’s Data Map
Written by Doug Austin, Editor of eDiscovery Today
Déjà vu all over again! A few weeks ago, I wrote about updating your “SWOT” analysis (Strengths, Weaknesses, Opportunities, and Threats) matrix to understand how your organization is addressing opportunities and threats associated with a specific business objective and how those opportunities and threats have changed significantly with the onset of the COVID-19 pandemic. And, we have a webinar coming up about it too! But, that’s not the only organizational document you need to consider updating. It’s time to update your organization Data Map too! If you even have one, that is.
What is a Data Map and Why is it Important?
As the name implies, a Data Map is simply a guide to the location of data throughout the organization and important information about that data, such as the business units, processes and technology responsible for maintaining the data, as well as retention/deletion periods for that data. It goes hand in hand with your organization’s retention schedule and other policies for handling sources of information and devices that contain them, such as your organization’s Bring Your Own Device (BYOD) policy.
BTW, the term “map” is a misnomer, at least in today’s world. While an organization’s data locations could have once mostly reflected an IT network map of data stores, there are too many remote data stores and sources being used – mobile device data and cloud-based providers, for example – to really “map” the data these days. Your organization’s data “map” could be as simple as an Excel spreadsheet of data sources to a complex database of sources, custodians and locations. It could also be supplemented by knowledge management platforms, like SharePoint.
If your organization is involved in a lot of litigation, having an up-to-date organization Data Map has always been vital to being able to get a jump on identifying, preserving and collecting potentially responsive ESI. Data maps enable you to: 1) avoid missing potentially important ESI in your preservation and collection efforts, and 2) more accurately estimate timelines and budget for those efforts.
However, because of Europe’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and data privacy laws from many other states and countries, Data Maps have become much more important for any organization, regardless whether they have a lot of litigation or not. Rights for individuals that include the right to be informed, the right to be forgotten and the right to restrict processing have made it important for every organization to identify any Personally Identifiable Information (PII) and subsets of PII such as Protected Health Information (PHI) wherever it may be maintained. If you’re an organization that has a customer base of any size, there is simply no reason not to have a Data Map these days.
Four Best Practices for Better Data Mapping
Whether you already have an organizational Data Map or are looking to create one for the first time, here are some best practices for better Data Mapping:
- Get Commitment from Departments Early: This includes any department with potentially important ESI to litigation, investigation and compliance activities, including legal, IT, records management, InfoSec (if separate from overall IT management), finance and relevant business units. Your Data Mapping effort can only succeed if the right departments are represented and they are committed to the process.
- Document and Train: Your Data Map and instructions for maintaining it need to be clear and they need to integrate with other policies and procedures, such as retention schedules and BYOD policies. Anybody who possesses data within your organization (i.e., everybody) should be trained on those Data Map instructions and policies.
- Communicate Frequently: There’s nothing worse than beginning the custodian interview process and finding out there are entire systems and data stores that haven’t been documented, so each department needs to identify any new initiatives that may affect existing data stores or create new ones.
- Keep it Evergreen: No, that has nothing to do with Christmas trees, it involves a regular process of keeping the Data Map current so that it can accurate when a case begins, an investigation is launched, an audit is filed, etc.
Drivers to Data Mapping in 2020
So, why could it be time to create or update your organization Data Map? Here are two drivers for consideration:
- Data Privacy Laws Continue to Evolve: While California gets all the attention with CCPA, many other states have either implemented or proposed new or updated data privacy laws in the past couple of years. Some (like Hawaii, Maryland, Massachusetts, Mississippi, New Mexico and Rhode Island) have proposed laws that are virtually identical to the CCPA; while others (like Arizona, Massachusetts, Mississippi, Nevada, New Jersey, New York, Virginia, Washington) have proposed laws with key differences. Not to mention, we are only beginning to see how the laws will be enforced. It will take a concerted effort to stay on top of all the changes and how they will potentially impact your organization Data Map.
- Remote Work During the Pandemic Has Reshuffled the Data Location Deck: Certainly, while some of your data custodians may have already worked at home all or part of the time, many have only been doing it since the pandemic began and they may be having to access certain data sources vital to their business functions in different locations. Even for Office 365 organizations, certain employees may be keeping more data local than they have in the past, or they may be storing more data in different cloud resources, via third party platforms such as Dropbox.
Chances are your organization Data Map needs at least some adjustments to reflect current data locations since the pandemic began, so it’s time to update it! Next week, I’ll discuss some of the types of information you should include in your Data Map to keep track of the what, where, when, who and why associated with your organization’s ESI. Another IPRO cliffhanger!
For more educational topics from Doug Austin related to eDiscovery, cybersecurity and data privacy, follow, eDiscovery Today! And as part of the continued educational partnership between IPRO and eDiscovery Today, he’ll be here in the IPRO Newsroom next week with more educational content!