CCPA Data Mapping: What Do You Need To Know?

Products
By Use Cases By Roles
DataControls Cloud^TM
View
Learn more

Asset and Data Discovery

Discover Data Assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Discover & Classify Structured and Unstructured Streaming Data

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Protect data systems by discovering and automatically remediating misconfigurations

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog enterprise datasets

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle
Data Controls Orchestrator
View
DataControls Cloud^TM
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

Data Access Intelligence & Governance

View

Data Risk Managment

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

US California CPRA

View

European Union GDPR

View

Brazil’s LGPD

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA

View

Thailand PDPA

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Videos

Solution and customer videos.

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

The consistent increase in frequency and severity of data breach incidents, coupled with the introduction of data privacy regulations such as GDPR and CCPA (recently amended by the CPRA), is encouraging organizations to revisit their privacy operations and how they handle their consumers’ personal information.

The quest for better handling, management, and protection of consumers’ personal information begins with fully understanding a concept called “Data Mapping” and understanding what a data mapping activity under the CCPA would entail.

But first, what is Data Mapping? Rehan Jalil, CEO SECURITI.ai, in his book titled "PrivacyOps: Automation & Orchestration for Privacy Compliance” defines data mapping as, “A system of cataloging the data collected by the organization, helping identify how that data is used, stored and processed, and how that data travels within and beyond the organization.

Thus Data Mapping is the process of creating a map of how data is managed across your organization. Without undertaking this activity, organizations would not be able to keep track of the personal information they collect from their consumers, where the personal information is stored, what type of personal information is stored or provide adequate privacy and security controls to protect that personal information.

Why is Data Mapping So Difficult?

In modern organizations, there are multiple data collection and processing elements combined with in-house and cloud-based application and storage infrastructure, with highly fluid data sharing and processing agreements in place. With more than 80% of enterprise workloads now moving to the cloud, organizations are finding it hard to document and track the flow of information across cloud assets.

In most organizations, data catalogs and maps are hidden away in outdated spreadsheets and Powerpoint or Visio diagrams, making it impossible to bring clarity to this gigantic mesh of interconnected interfaces, systems, and processes. Also, without a collaborative documentation and knowledge sharing environment, it is typical for such business process knowledge to get locked up in the minds of subject matter experts, making it nearly impossible to build and maintain an accurate record of data.

This is where the PrivacyOps data mapping platform can help. By providing a secure privacy portal with a collaborative, easy-to-use environment powered by AI-powered advanced robotic automation and data intelligence, data mapping has become a manageable exercise.

How Does Privacy Ops Data Mapping Work?

Generally, PrivacyOps methodology towards data mapping works on the back of the following 4 steps:

Populating the Data Catalog: In order to map the processing and flow of personal data, organizations must first catalog and create an inventory of their native and shadow data assets.
Mapping Processes and Flows: Once the data catalog has been populated, organizations need to record and document the processes and flows of the data onto a visual data map. Automated assessments, triggers, and workflows for certain processes discovered in this process can also be set up during this stage.
Discovering, tracking, and mitigating risks: Once the processes and flows of the data have been mapped, then organizations must undertake Privacy Impact Assessments (PIAs)/Data Protection Impact Assessments (DPIAs) to ensure risky processing activities are identified and risk mitigation measures are applied. Risky data and processes can also be dynamically tracked throughout their entire lifecycle to ensure they are always appropriately protected.
Generate ROPA reports: Using the information recorded within the data map, automated Records of Processing Activities Reports (RoPAs) as mandated by privacy regulations and laws (such as Article 30 of the GDPR) can be automatically created.

Data Mapping Maturity Levels

Data mapping maturity is the level of automation an organization wishes to incorporate within their PrivacyOps Data Mapping exercise. The higher the level of automation the higher the maturity level. There are 3 levels of data mapping maturity and we will discuss these individually to help you understand where your organization stands.

Level 1: Streamline Data Mapping

This is the ground level for any organization's data mapping processes. This includes gathering data assets, creating data catalogs, conducting internal assessments, and assessing risks associated to the data and third parties. This level requires minimal and basic automation helping organizations transition into using the PrivacyOps data mapping platform. Maturity Level 1 includes:

Developing a central catalog for all data assets, and gathering information associated with data assets by importing data from existing asset databases (i.e spreadsheets).
Inviting subject matter experts to provide insights into data and process information via surveys and questionnaires.
Creating asset catalogs that include critical information about assets and their associated processes through manual input.
Conduct internal assessments to comply with global regulations.

Level 2: Data Discovery and Inventory

While gathering data from surveys and forms from stakeholders is a good first step, many gaps may still arise in this approach. Inputs provided may not be complete, new data assets may require periodic monitoring, and assets may evolve and change over time. Organization’s can ensure accuracy with continuous data scanning and discovery in Maturity Level 2 in which an organization’s data assets and records within the data catalog are automatically updated and risk assessments and workflows can be triggered by the results of these scan jobs. To ensure the accuracy of the information provided, organizations can use Maturity Level 2 automated data mapping to:

Scan on-premises and cloud-based data assets, applications, and databases.
Update data catalog details regarding assets and processes based on data scanning and discovery insights.
Generate automated data processing assessments and reports that trigger assessments based on data attributes changes or the discovery of new data attributes in data assets.
Track risks associated with data processes that are dynamically updated using automation.

Level 3: Robotic Automation with PrivacyOps

Securiti’s Data Mapping Automation simplifies the migration journey providing a comprehensive PrivacyOps framework for all your data compliance needs with Robotic Automation. People Data Graphs (PDGs) can be created within data maps to link personal data to its user identity enabling automated DSR fulfillment and other privacy compliance functions. Organizations can:

Discover personal information among all data assets and link it with individual identities.
Create a comprehensive dashboard of every individual, including personal data records, data residency information, data stores and locations of those data stores, data objects, and identities.
Fulfill DSAR requests and identify cases of cross-border data transfers.

Why is Data Mapping for CCPA Important?

CCPA applies to certain businesses who are operating in California or collecting personal information of the residents while doing business in California, and it requires organizations to be responsible and accountable for the personal information they collect. This is not possible unless a CCPA compliant data mapping activity is conducted. CCPA compliant data mapping activity is required by an organization for the following reasons:

Identifying protected PII: The CCPA provides a unique and broad definition for personal information. Any information that identifies, relates to, describes, and is reasonably capable of being associated with a particular California consumer or household qualifies as personal information. CCPA also provides relatively novel requirements around biometric information, education information, geolocation information, and household information, qualifying them as PII. To ensure data covered by the CCPA is adequately protected, organizations will need to know what data they are holding within their data stores which is only possible if they conduct a data mapping activity.
Knowing where the PII is coming from: Under the CCPA, organizations should state the category of sources from where PII is collected from in their Privacy Notices. Modern organizations collect and process data from thousands of individuals everyday across thousands of sources. In order to keep track of PII, organizations need to map their collection points - whether that would be someone filling a form or cookies dropped on their website, an organization should know where the data is coming from at all times to ensure it meets its regulatory requirements. It is also important to note that knowing where data is coming from can help ascertain what types of protections are to be enforced to it i.e PII collected from public sources is exempt from CCPA protections.
Managing consumer requests: Once PII is collected from the consumer, it needs to be stored in an efficient manner and should be easily trackable. This is because CCPA provides consumers the right to request access to their information and to have it deleted. An organization must verify, fulfill and respond to this request within a 45 days time period (extendable to a total of 90 days) or risk facing regulatory sanctions. With the hyperscale era upon us and multi-cloud storage on the boom this can be a challenge if the data has not been mapped and is stored in an unstructured data store or system.
Protecting stored PII: Additionally, the CCPA provides consumers the right to bring private actions against covered businesses if their PII is breached and exposed due to an organization’s inability to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. How can organizations take different security measures for data stores depending on the nature of the PII stored within them without mapping its systems and stores and assessing and tracking the risk posed to them?
Keeping track of the PII your organization collects, processes and shares: Keeping track of collected PII and where it has been shared and what processes it is undergoing is very important to comply with many different requirements of the CCPA. For e.g Under the CCPA if a consumer requests to opt-out of the sale of their personal information, this opt-out request has to be relayed to all the third parties the PII has been shared with. Without a data map, it would be impossible for organizations to communicate this request since it would not know which third parties the requesting consumer’s PII has been shared with.

What's Next?

With data growing rapidly and regulations such as the CCPA encouraging organizations to keep track of their data, organizations will need to automate their processes in order to stay compliant with privacy regulations. Data mapping with manual methods is just not going to cut it given the added time, cost and resources - not to mention the risk of data sprawl and human error. In order to benefit from a truly robust data mapping structure, every business needs to adopt the PrivacyOps framework. Investing in such a framework will be immensely beneficial for any organization as it will be ready to comply with all data privacy regulations - not just the current ones such as the CCPA but also those that are in the pipeline, such as the California Privacy Rights Act (CPRA) which will go into force in 2023.

CCPA Data Mapping: What Do You Need To Know?

Table of contents

Why is Data Mapping So Difficult?

How Does Privacy Ops Data Mapping Work?

Data Mapping Maturity Levels

Level 1: Streamline Data Mapping

Level 2: Data Discovery and Inventory

Level 3: Robotic Automation with PrivacyOps

Why is Data Mapping for CCPA Important?

What's Next?

Bedrock of your Privacy & Security

Related Content

Newsletter

Company

Resources

Terms

Get in touch

CCPA Data Mapping: What Do You Need To Know?

Table of contents

Why is Data Mapping So Difficult?

How Does Privacy Ops Data Mapping Work?

Data Mapping Maturity Levels

Level 1: Streamline Data Mapping

Level 2: Data Discovery and Inventory

Level 3: Robotic Automation with PrivacyOps

Why is Data Mapping for CCPA Important?

What's Next?

Bedrock of your Privacy & Security

Schedule a LIVE One-on-One Demo

Share this

Join Our Newsletter

Related Content

Cookie Consent Requirements in Slovakia

Consent Requirements Under Thailand’s Data Protection Framework

Privacy-by-Design and Privacy-by-Default

Newsletter

Company

Resources

Terms

Get in touch