The critical role of data mapping in CCPA readiness and compliance
Although the California Consumer Privacy Act (CCPA) does not explicitly require that businesses engage in data mapping or relationship mapping, they probably won’t be able to develop effective CCPA compliance strategies without having both. Businesses that have engaged in data mapping in preparation for GDPR compliance will be able to leverage some of that work.
Data maps can be likened to land maps in this way:
- Country (Business)
- States (Departments)
- Cities (Information Systems)
- Local Governments (Responsible Parties)
- Roads and Rivers (Data Flows)
- Natural Resources (Data)
- Uranium (Private Data)
- International Partners
Where to begin? First, gather information and documents to help understand the data flows. This can be accomplished through interviews with or questionnaires filled out by the business units that collect or use personal data. Next, it is necessary to understand the data flows within the business and those with third parties or other partners.
The finished product can take various forms, but should map the following:
- What personal information is collected and from whom
- Why it is collected
- Where it is kept
- With whom it is shared (and why it is shared)
With a data map, a business will be able to navigate the CCPA’s compliance obligations, provide consumers with notice and access to their data, and respond appropriately to consumer requests to delete their personal information or to not sell it.
“Hand Me the Map, Please” was the second installment of a nine-part webinar series on the new California Consumer Privacy Act of 2018 (CCPA). A recording of the webinar and a copy of the presentation materials are available here.