Old School Data Mapping is Creating a False Sense of Security
This year saw the second state in the US, Virginia, enact a comprehensive privacy law. The dominos are starting to fall quickly, with dozens of other states waiting in the wings. While the debate continues to rage on about whether we’ll see a federal privacy law soon, between the European Union’s General Data Protection Regulation (GDPR), the 2020 California Privacy Rights Act (CPRA), and Virginia’s new Consumer Data Protection Act, organizations have plenty to keep them busy on the data privacy front.
One thing that all these regulations have in common is the requirement to understand your data estate. This means knowing what personal, sensitive data you are collecting while doing business. But, of course, you can’t begin to understand your data without an accurate data inventory. According to the International Association of Privacy Professionals (IAPP) survey, most organizations build their data inventories informally using manual methods such as email, spreadsheets, and in-person interviews.
A similar survey found that data mapping is the most demanding CCPA requirement to fulfill. In both surveys, locating unstructured sensitive data was reported as the most challenging type of data subject access request to achieve by a wide margin. This task can be particularly trying when the definitions of sensitive data vary and are evolving quickly. For example, under the CCPA, “olfactory” data would meet the definition of personal information, but that might not be the case under another’s state’s framework.
Manual Mapping is Fraught with Failure
Manual data mapping is lulling organizations into a false sense of security. Manual mapping is prone to human error and rife with inaccuracies, as, with the amount of data being created, there is simply no way to know where all your data really lives. The main reason is that current processes data flows are created via interviews with company stakeholders, and therefore the resulting creations show “where the data is supposed to be located”, not where actual data elements exist.
Chief Privacy Officers, Data Protection Officers, and Chief Information Security Officers look to their data inventories to deliver an end-to-end view of their data estate. Unfortunately, an inaccurate picture of your data estate means that no team – whether that’s IT, Legal, Privacy, or Cyber – know where vulnerabilities lie. In today’s threat environment, that is not a luxury anyone can afford to have, especially when many organizations continue to ignore user-generated data.
An inventory must be based on accurate data flows and the underlying data elements despite the complexity and evolution of data. To create data visibility, a data inventory must continuously and accurately identify data risk and enable that information to be shared across an organization. Simply put, a “stale” or outdated data map isn’t of use to anyone.
The harsh reality is that data mapping solutions used by most organizations, from SMBs to Fortune 500 enterprises, are far less accurate than was once believed due to the problem of prolific data creation. As a result, organizations are using inaccurate data profiles to guide their security and privacy choices. When done right, a data inventory can be the bedrock of all legal, security and privacy decisions.
Isolate Data Problems at Scale
ActiveNav InventoryTM discovers, maps, and aggregates data from diverse data repositories. Built to help organizations gain visibility into their sprawling data estate, ActiveNav Inventory comes with scoring rules to help data professionals understand where sensitive data exposure lies within their organization. The hybrid-cloud infrastructure means that it’s quick to deploy, won’t slow down networks, and provides near real-time updates to your data inventory. In addition, the agentless architecture brings together data into one unified view so that you always have a single source of truth.
A Data Inventory Isn’t Just for Compliance
While the initial requirements for a data map/inventory may originate from GDPR Article 30, or other privacy regimes, a data inventory often uncovers data problems that you didn’t even know existed. For example, a data inventory can identify sensitive data that can pose legal, financial, and reputational in the event of a data breach. It can also be used for eDiscovery or for data divesture requirements.
Developing a continuous, automated data inventory will ensure that your data management teams can make informed decisions using accurate data. ActiveNav Inventory will automate your data mapping processes to optimize data visibility and achieve regulatory compliance.
Book a personalized product today to see how quickly you can build a comprehensive data inventory.