What is data mapping?

Data mapping is the process of organizing, classifying, analyzing, and understanding the structured and unstructured data your company stores across multiple locations. 

Data mapping shows you what information your company has, how the data flows throughout the company, who has access to the data, and where it is stored. 

Data mapping may be done for a variety of purposes, but at Safe Online, our focus is on data mapping for privacy and data protection.  

Data mapping for security

GDPR data mapping for privacy and compliance

Companies collect heaps of personal data every day, and it all gets spread around in emails, cloud applications, local storage and more. This presents security and compliance challenges. Alarmingly, most companies do not know how much personal data they store and where.

Mapping your data to create an up-to-date data inventory or data catalog is the best way to correct this problem. Data mapping makes it easier to continuously monitor your own compliance with regulations, avoid privacy risks and implement appropriate safeguards as part of your overall privacy strategy. 

Data mapping to identify high risk data

Most privacy regulations draw a clear distinction between personal data and sensitive personal data and how they should be handled. You should make this same distinction, and your policies and processes should reflect different treatments for different types of data depending on risk level. 

Personal data has quite a broad definition and usually refers to information that, alone or in combination with other information, would allow someone to identify a person with reasonable certainty. It includes things like your name, date of birth, or email.

Sensitive personal data is a more specific set of categories that must be handled with greater care, as its exposure could cause a person considerable financial or personal harm.  

Examples of sensitive information are a person’s financial and health information, race or ethnic background, political opinions, religious or philosophical beliefs, membership of a trade union, sex life or sexual orientation, genetic data and biometric data.  

A business’s sensitive information might include intellectual property, trade secrets, plans for a merger, or any other data that would negatively affect the business if it fell into a competitor’s hands. 

If you are not sure whether you have this type of data in your systems, where it is, or how much of it you store, use DataMapper to find and track sensitive data across all your company’s storage locations.

Sensitive data pyramid

Data mapping to avoid data breaches

Data breaches can be simple and unintentional. For example, one of your employees might leave sensitive files unlocked or their laptop open, lose the laptop, or leak their passwords. They may send sensitive data in an unprotected email/message or send it to the wrong person. Too often, the risk level of the data you store is not considered until it is lost.

Human error and system glitches are not the only culprits. Sensitive data is also a favorite target of cyberattackers.

Minimise high risk data to protect it from hackers

Take phishing, a social engineering attack used to steal user data that is becoming more and more common. The attacker, masquerading as a trusted entity, dupes a victim (that might be you or one of your employees) into opening an email, instant message, or text message. The fraudulent message could trick you into revealing sensitive company information or it may automatically deploy malicious software on your systems (like ransomware). 

Ransomware attacks lock up your programs or data files, causing a costly interruption to your business, while data theft exposes you and all the personal data you store to the attacker.  

Once they’ve gained access to sensitive data like bank account or credit card numbers, personal health information, Social Security numbers, etc., cyber-criminals can do a world of damage to you and your customers. They can easily open up a line of credit in someone else’s name, empty bank or stock trading accounts, and more. 

Automated data mapping can organize data by risk level so you can minimise risk and give your most vulnerable data special protection from breaches. 

Why are data breaches such a serious concern?

The consequences of a data breach of sensitive information for companies will also vary, and can range from relatively minor to catastrophic, depending on the amount of data leaked, its sensitivity, and your company’s level of negligence.

In some cases, companies have been required to pay tens of millions of dollars in damage compensation to customers and financial institutions.

Besides substantial financial penalties, companies found in breach will have to spend money on responding to and recovering from it, as well as suffer a damaged reputation among stakeholders and customers. Customer turnover, business disruption, and system downtime will add to the heavy costs of a data breach. 

Since smaller organizations have higher costs relative to their size than larger organizations, they may not have sufficient resources to recover financially from a data breach. 

It is impossible to guarantee this will not happen to your company, but there is much you can do to prevent it and at the same time demonstrate ‘good faith’ when handling others’ personal data, minimizing potential liability.  

Having systems and processes in place to track and protect sensitive data (and documenting those processes) can show authorities and others that your company did everything required to ensure the security of people’s sensitive data and it can reduce your company’s liability in case of a data breach.  

    AI data mapping using machine learning

    DataMapper uses powerful AI and machine learning to track, classify and monitor the personal data your company has collected.

    1. Find out where all your data is stored 
    2. Classify data by its sensitivity/risk level, type and format 
    3. Choose and implement effective and compliant security controls  
    4. Create accurate Data Privacy Impact Assessments 
    5. Report personal data breaches and security incidents on time 
    6. Continuously monitor your risk level and assess the impact of your data processing activities 
    7. Keep documentation and create audit reports to comply with other legal requirements 

    Would you like to learn more about how to use DataMapper to easily discover, map and continuously monitor all your team’s sensitive data?

    Sebastian Allerelli

    Governance, risk, and compliance specialist