The 5 W’s of Organization Data Maps
Written by Doug Austin, Editor of eDiscovery Today
Last week, I discussed what a Data Map is, why it’s important, four best practices for better Data Mapping and drivers for updating your Data Map in 2020. This week, I’ll talk about what information needs to be in your Data Map.
What, Where, When, Who, Why
As I noted last week, the Data Map doesn’t have to be complicated. It can be as simple as a spreadsheet (or series of spreadsheets, one for each department or custodian, depending on what level of information is likely to be requested). Even the data elements you need to track can vary, depending on the requirements of your organization. But, regardless of where it’s kept or what data elements, your Data Map needs to answer the “5 ‘W’s” associated with your organization’s data – What, Where, When, Who and Why – as follows:
- What data is being stored?: Examples include data types like email, work product documents, audio/video files, databases, texts, collaboration data, social media content, cloud based platforms, hard copy documents – and potentially much more. It’s important to identify a standard list of as many of the data types you can up front while remaining flexible to adding data types when interviewing specific custodians who may be tracking certain types of data not being tracked elsewhere.
- Where is it being kept?: In other words, what physical location or device location does the data reside. Examples could include everything from accounting file room/file server/software application to workstations checked out to individuals to even Bring Your Own Device (BYOD) devices like iPhones. Again, it’s a good idea to start with specific standard classifications that you can supplement as you gather more information.
- When do we need to keep/destroy it?: Of course, that includes retention/destruction schedules and when the information was created in the first place, so you know what data is ready for destruction. Your Data Map should be able to point you to those ten year old accounting reports that need to be deleted or shredded because you’re only required to retain them for seven years; in fact, if you’re maintaining and tracking your Data Map regularly, those reports should be long gone before then.
- Who is responsible for the data?: The specific custodian or department responsible for it; for example, Payroll keeping pay stubs, the HR coordinator keeping health insurance forms, etc. Those are the obvious ones, especially within your organization’s facility or servers. What about responsibility for maintaining/archiving collaboration conversations on Slack? Or responsibility for customer data on Salesforce when you may receive Data Subject Access Requests (DSARs) from individual customers for whom you’re tracking data that may be subject to General Data Protection Regulation (GDPR) privacy laws? Those data sources have to be addressed as well, among many others. In fact, for GDPR purposes, you may need to identify both the controller and the processor of the data in question – if you don’t know the difference, click on the GDPR link in this paragraph for more information.
- Why are we keeping/tracking it?: If you can’t come up with a good answer for this, then maybe the data should already be deleted. After all, according to the Compliance, Governance and Oversight Counsel (CGOC), 69 percent of organization data has no business, legal or regulatory value. In other words, as I discussed in Part One of my post about “Eight is Enough! Eight Considerations for Defensible Deletion”, that data is Redundant, Obsolete and/or Trivial (R.O.T.). The best reason to create a Data Map in the first place is to identify as much of that data as possible and get rid of it.
Resource for Data Mapping Templates
As I said, the specific data elements you track in your Data Map may vary considerably, depending on your organization. But, is there a resource for some ideas, even templates to get started with your Data Mapping? There is.
In advance of enforcement of the GDPR, the site Demplates published an article with “10+ Print-Ready Templates” for GDPR Data Mapping here. It’s a great resource that not only provides several downloadable templates for Data Mapping to support GDPR obligations; it also provides some additional best practices and considerations as well. Consider reviewing several of those examples to get ideas on what to track within your own organizational Data Map. The rest is up to you!
For more educational topics from Doug Austin related to eDiscovery, cybersecurity and data privacy, follow, eDiscovery Today! And as part of the continued educational partnership between IPRO and eDiscovery Today, he’ll be here in the IPRO Newsroom next week with more educational content!