Building a Privacy Program: First Thing’s First, Check YOU Data

Guys, I just couldn’t resist. It’s been 10 years since this happened and it still tickles me to think about at least once a month. It has literally nothing to do with this post but after 14 years of practicing law I’ve learned that you have to make your own fun. Anyway…

I’ve noticed a pattern over the years where potential clients have asked me what they need to do for GDPR or CCPA compliance, only to go radio silent when I advise them that taking an inventory of their personal data, or data mapping, is the first step. It hasn’t happened enough to make me worry about where my next meal will come from, but it’s happened enough that I’ve learned to detect the signs of impending ghosting.

First, they generally have done no privacy work to date and may have even taken a “copy and paste” approach to their online privacy policy.

Second, they are very interested in receiving templates of internal policies but hesitant to give me the kind of information I would need to tailor those templates to their business.

Third, they get eerily quiet when I tell them that we need to identify the personal data in their possession before we pass GO and collect $200.

I get where they are coming from – they’re strapped for time, strapped for money and looking for a quick way to appear compliant. But as their lawyer (er, wannabe lawyer) I wouldn’t be doing my job if I let them skip data mapping. Why? Because it is literally impossible to meet compliance obligations under the European General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and Federal Trade Commission (FTC) standards unless we go back to 4th grade and map out the 5 Ws:

  1. What categories of personal data do you collect (names, government ID numbers, phone numbers, email addresses, device identifiers, payment card information)?

  2. Who does the personal data belong to (customers, employees, vendors, website visitors), who did you collect it from (the data subjects themselves or a 3rd party intermediary), and who are you sharing it with (service providers or other third parties)?

  3. Why did you collect the personal data (for what business purposes) and how are you processing it?

  4. When did you collect the personal data?

  5. Where are you keeping the personal data (in which databases or systems), where is the data subject located, and where are you transferring their data to?

Specifically, unless you data map, you can’t accurately:

  • Fulfill various data subject rights such as access, rectification, opt-out and erasure under Articles 15-22 of the GDPR and Sections 1798.100, 105, 110, 115, & 120 of the CCPA.

  • Implement consent in line with Articles 7-10 of the GDPR or for retroactive material changes to your privacy policy in line with FTC guidance.

  • Keep a record of processing activities in accordance with Article 30 of the GDPR.

  • Implement contractual clauses with your vendors to align with the requirements of Article 28 of the GDPR or to explicitly define a vendor as a service provider under Section 1798.140(v) of the CCPA.

  • Comply with the restrictions on the cross border transfer of personal data in Articles 44-49 of the GDPR.

  • Implement privacy by design initiatives in line with Article 25 of the GDPR and FTC guidance.

  • Meet the data breach notification obligations under Articles 33 & 34 of the GDPR and the breach notification laws of every single State in the U.S. (yup, it’s all 50 now!).
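To show why the five Ws have to be answered before any of the obligations above can be met, here is an added example (not from the post or any client of its author) that treats a constructed data inventory, laid out with one column per W, as the source of truth and derives from it the breach scope, the cross-border transfers, and an Article 30 style record. Column names, the sample rows, and the `REQUIRED` list are all assumptions made for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory (not a real client's data): one row per
# system and data category, columns following the five Ws from the post.
INVENTORY_CSV = """system,category,subject_type,source,shared_with,purpose,collected,subject_location,stored_in,transferred_to
CRM,email address,customer,data subject,email vendor,marketing,2019-03,EU,US,US
CRM,phone number,customer,data subject,,,2019-03,US,US,
HRIS,government ID,employee,data subject,payroll provider,payroll,2018-01,EU,EU,
Web analytics,device identifier,website visitor,3rd party,ad network,analytics,2020-06,EU,US,US
"""

# Columns every row must answer before the map can support a DSAR or an Art. 30 record
REQUIRED = ["system", "category", "subject_type", "source", "purpose",
            "collected", "subject_location", "stored_in"]

def load_inventory(text):
    return list(csv.DictReader(io.StringIO(text)))

def missing_answers(rows):
    """(row number, blank columns) for rows that leave one of the five Ws unanswered."""
    gaps = [(i, [f for f in REQUIRED if not r.get(f)]) for i, r in enumerate(rows, 1)]
    return [g for g in gaps if g[1]]

def breach_scope(rows, system):
    """What a compromise of one system exposes: drives Arts 33/34 and state notification analysis."""
    hit = [r for r in rows if r["system"] == system]
    return {"categories": sorted({r["category"] for r in hit}),
            "subjects": sorted({r["subject_type"] for r in hit}),
            "locations": sorted({r["subject_location"] for r in hit})}

def cross_border_transfers(rows, home="EU"):
    """Rows where a subject located in `home` has data stored or sent elsewhere (Arts 44-49)."""
    return [(r["system"], r["category"], sorted({r["stored_in"], r["transferred_to"]} - {"", home}))
            for r in rows
            if r["subject_location"] == home and {r["stored_in"], r["transferred_to"]} - {"", home}]

def processing_record(rows):
    """Article 30 style view: purpose -> categories, subject types and recipients."""
    rec = defaultdict(lambda: {"categories": set(), "subjects": set(), "recipients": set()})
    for r in rows:
        rec[r["purpose"]]["categories"].add(r["category"])
        rec[r["purpose"]]["subjects"].add(r["subject_type"])
        if r["shared_with"]:
            rec[r["purpose"]]["recipients"].add(r["shared_with"])
    return {p: {k: sorted(v) for k, v in e.items()} for p, e in rec.items()}
```

Note that the row with a blank purpose is flagged by `missing_answers` and lands under an empty key in `processing_record`, which is exactly the gap a regulator would notice.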

If I haven’t scared you into compliance yet and you prefer the carrot to the rod, wouldn’t it add value to your business if you knew the particulars of your data instead of guessing? Wouldn’t it be great to share accurate information with your board of directors? Wouldn’t it be nice to go to sleep knowing that if you woke up to an email saying your entire CRM database was compromised, you would be in a prime position to move quickly and decisively?

The crazy thing is, regardless of what technology product vendors may tell you, conducting a data mapping exercise does not require 6 months and 6 figures. Believe it or not, it can be done with a free spreadsheet in weeks. One of my clients recently did a preliminary map in just one day! I was tempted to buy gold star stickers just so I could give them one.

Will a spreadsheet work for a billion dollar company with global operations and complex data processing operations? Maybe not. But I believe that’s an edge case and most companies will do just fine with a manual process. Why? Because at the end of the day, companies are people (what I mean is, they consist of people with jobs to do; I am NOT down with Citizens United) and attempts to relegate privacy compliance to an IT implementation are going to be far less effective than establishing clear policies, processes, and a distribution of responsibilities across business stakeholders.

In short, if you have a lawyer who can help you strategize (ahem, may I suggest this lovely lady) and someone who can work a spreadsheet, then you can data map. And if you still don’t want to data map after I’ve explained all this… well, then I’m happy to help when the regulators come a callin’. :)
