For instance, GDPR (Articles 30 and 36) requires organizations to document their processing and conduct periodic data protection impact assessments (DPIAs). Without a comprehensive data map, organizations can't comply with these requirements.
A comprehensive data map should have the following basic set of attributes:
- Data inventory - What data is collected?
- Storage - Where is the data stored? Is it secure and encrypted?
- Purpose - Why is the data collected?
- Use - Who has access to the data? Who is using the data?
- Flow - Where does the data flow? Who do we share it with outside the organization?
- Lifespan - When was it created? How long will data be stored? How will it be disposed of?
- Sensitive data - What sensitive/personal data does the data source hold?
- Data lineage - What data sources were combined or transformed to derive a data asset?
- Additional metadata that is relevant to data protection:
  - What categories of data subject (customer, employee, partner, contractor) are contained?
  - What is the geographical location of the data subjects in the data?
  - Does it contain minors' data?
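
The attribute list above can be turned into an automated gap check over the data map. The following is an added example, not part of the original page: the field names, the asset names and the sample map are constructed assumptions, and the checks only cover what the list itself asks about (completeness, encryption of sensitive data, named external recipients, retention and lineage).

```python
from datetime import date, timedelta

# Field names are assumptions that mirror the attribute list above.
REQUIRED = ("inventory", "storage", "purpose", "access", "flows", "created",
            "retention_days", "disposal", "sensitive", "lineage",
            "subject_categories", "subject_locations", "has_minors")


def audit_map(data_map, today):
    """Return {asset name: [gaps]} for every entry that has at least one gap."""
    report = {}
    for name, e in data_map.items():
        gaps = [f"missing {k}" for k in REQUIRED if e.get(k) in (None, "")]
        storage = e.get("storage") or {}
        if e.get("sensitive") and not storage.get("encrypted"):
            gaps.append("sensitive data in unencrypted storage")
        for flow in e.get("flows") or []:
            if flow.get("external") and not flow.get("recipient"):
                gaps.append("external flow without a named recipient")
        if e.get("created") and e.get("retention_days") is not None:
            if e["created"] + timedelta(days=e["retention_days"]) < today:
                gaps.append("past retention period, disposal due")
        for src in e.get("lineage") or []:
            if src not in data_map:
                gaps.append(f"lineage source not in map: {src}")
        if gaps:
            report[name] = gaps
    return report


# Constructed sample map, not real data.
SAMPLE_MAP = {
    "crm_contacts": {
        "inventory": ["name", "email", "phone"],
        "storage": {"location": "eu-db-1", "encrypted": True},
        "purpose": "customer support", "access": ["support-team"],
        "flows": [{"recipient": "mail-vendor", "external": True}],
        "created": date(2023, 1, 10), "retention_days": 1825,
        "disposal": "hard delete", "sensitive": ["contact details"],
        "lineage": [], "subject_categories": ["customer"],
        "subject_locations": ["EU"], "has_minors": False,
    },
    "marketing_export": {
        "inventory": ["email", "date_of_birth"],
        "storage": {"location": "shared-drive", "encrypted": False},
        "access": ["marketing"], "flows": [{"external": True}],
        "created": date(2022, 3, 1), "retention_days": 365,
        "sensitive": ["date of birth"], "lineage": ["crm_contacts", "web_forms"],
        "subject_categories": ["customer"], "subject_locations": ["EU"],
    },
}
```

Calling `audit_map(SAMPLE_MAP, date(2024, 6, 1))` reports only `marketing_export`; an explicit `False` for `has_minors` counts as answered, while an absent key counts as a gap.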