PrivacyOps Certification

Course content

Create Account

Log in / Create account to save progress and earn badges

Module 13
PrivacyOps Certification
View course details →

Data Mapping Maturity Levels

Mark Complete Enroll now to save progress and earn badges. Click to continue.

Data Mapping Maturity Levels

Data mapping maturity is your organization’s level of data mapping automation. The higher the level of automation, the higher the maturity level. There are two levels of data mapping maturity, and we will discuss these individually to help you understand them better.

Maturity Level 1 – Data Mapping with basic automation

Many organizations currently use manual and legacy techniques to build and develop a data map. As previously explained, these systems are not only time-consuming, but they also increase the risk of PI data sprawl into other systems. This is where the PrivacyOps Data Mapping platform can step in.

While full automation is the ultimate goal of PrivacyOps compliance, organizations need time to adjust and migrate their existing processes to this new paradigm. Maturity Level 1 helps organizations transition and ease into using the PrivacyOps data mapping platform. Organizations can update their system of record to a more modern, consolidated, collaborative, and intelligent system while retaining their existing processes for manual input and construction of the data map. 

It is important to note that Maturity Level 1 only provides minimum automation (workflow automation, dynamic visual data maps, automated Article 30/RoPA reports) and is the first step in the PrivacyOps framework.

Step 1: Catalog new assets, vendors, and institutions.

Organizations can populate their data maps catalog with new and existing assets, vendors, and institutions through: 

  • Manual input through an easy-to-use and purpose-built UI; or
  • Importing these data sets from a CSV; or
  • Discovering new assets, vendors, and institutions through discovery assessments (discussed in more detail in Module 5)
Data AssetsVendors
SaaS applications and data stores are used to collect, store, and process personal information. You must manually create entries and capture as many details/attributes of these assets.These represent relationships with suppliers and vendors who offer assets and services or act as sub-processors for your organization.
These are controllers, processors, joint controllers, and data recipients when you sell data. You might also use them to identify entities that act as sources, storage locations, and data destinations.Every process has three fundamental aspects from your data catalog: A source, an asset, and a destination for the data. These are combinations of the elements described above that show your data process flow in graphic and tabular forms. You create processes between assets, vendors, and institutions using connectors.
Step 2: Describing processes or data flows.

The relationships between the various assets, vendors, and institutions within the data mapping catalog are generally classified as either processes or data flows. Organizations must record these relationships within a data map for a holistic picture of the personal data. These processes or data flows can be recorded through:

  • Manual input through an easy-to-use and purpose-built UI; or
  • Discovering new processes through discovery assessments (discussed in more detail in Module 5

Step 3: Initiate DPIAs/PIAs on the assets and processes.
  • Every processing activity utilizing data assets needs to be evaluated for its impact on the data subjects’ data privacy. 
  • Risk mitigation measures, which make the processing activity less risky for the data subject’s privacy, also need to be recorded. 
  • This fundamental accountability is also a legal requirement. Many important data protection laws, such as the GDPR, hold organizations liable. Organizations may face hefty fines and other penalties for failing to undertake these assessments. 
  • Thus, a holistic data mapping exercise also conducts Data Protection Impact Assessments/Privacy Impact Assessments. You can find more details on DPIAs/PIAs in Module 5. 
Step 4: Generating ROPA reports.

Once a data catalog:

  • is populated correctly with the data assets, vendors, and institutions the organization manages; 
  • has a record of the processes and data flows between these various entities;
  • has been evaluated for privacy risks through DPIAs and PIAs;

Then organizations can create automated Record of Processing Activities (ROPA) reports – which are mandatory under most major privacy laws – such as under Article 30 of the GDPR. 

These reports essentially document the processing activities and the flow of personal data that is collected, retained, or received by the organization. 

Other functionalities in Data Mapping Maturity Level 1
  • Inviting subject matter experts to collaborate and enrich existing data catalog items through the UI or through enrichment assessments within the secure privacy portal.
  • Creating or enriching asset catalogs with critical information about data assets such as Security posture, PD Types and counts, types and count of data subjects handled, inherent risk etc.
  • Record associated processes related to documented data assets through accessible, informative and dynamic visual data maps which can be utilized to record the lifecycle of data and detect where the data is flowing within and outside the organization. 
Maturity Level 2 – Data Mapping with advanced automation

The PrivacyOps Data Mapping Maturity Level 1 allows organizations to consolidate their manual data mapping efforts onto a single and secure technology platform. The platform is more efficient than legacy systems such as spreadsheets. Many processes recorded using legacy data mapping systems may be quickly outdated because of the dynamic nature of modern data processing activities.

Similarly, data mapping at Maturity Level 1 might still leave significant gaps as there is an increasing risk of missing essential data assets or attributes using manual techniques.

Organizations can use automated data mapping to ensure consistency of the information documented on a data map by shifting to Maturity Level 2. At this level, organizations leverage AI-powered automation and data intelligence to construct and maintain comprehensive, holistic, and dynamic data maps by:

  • Using asset discovery connectors to import data assets from CMDBs, data catalogs and cloud services such as AWS, Azure and GCP to construct a data map or update existing ones within the privacy portal.
  • Continuously scanning or scheduling periodic scans of data assets, including on-premises and cloud-based data assets, applications, and databases to detect changes in the type and volume of data elements, type and residence of data subjects, access rights to data systems, and data retention/disposal.
  • Continuously updating data catalog details regarding assets and processes based on the results of the automated data scanning and discovery insights. Visual data maps are dynamically updated, and they reflect a real-time view of the personal data being processed by your organization.
  • Use connectors and a visual and completely customizable workflow generator in the privacy portal to set up various automated triggers and tasks based on the results of the automated scans;
  • Be able to track PD Drift across various data processing activities and react to the the drift through automated targeted workflows and assessment related actions – such as triggering a DPIA when sensitive PD attributes are detected within a data processing activity;
  • Tracking risks associated with data processes that are dynamically updated using automation. Ensuring risk drivers are addressed and a risk mitigation document is filed for compliance.

Data Mapping Maturity Level 2 helps create dynamic, holistic, and updated data maps that can be used as a foundation for PrivacyOps compliance and ensure Privacy by Design principles are implemented across your organization. When an organization’s data is fully mapped, fulfilling DSR requests and other regulatory requirements becomes easy and efficient. 

Modern Data Mapping: AI-powered robotic automation

Robotic automation helps organizations improve their PrivacyOps compliance with automated Risk Assessments, Privacy Policy Creation and Management, Universal Consent, Data Subject Rights Fulfillment and Data Breach Management, and Cookie Consent. These privacy products help organizations address data privacy regulations worldwide. Undertaking a data mapping activity using the PrivacyOps platform provides the much-needed foundation for all other PrivacyOps operations using advanced AI-powered automation and data intelligence.

Another example of a more advanced feature that results from Data Mapping Automation is People Data Graphs (PDGs). These Data Graphs help:

  • Discover personal data of data subjects within an organization’s structured or unstructured data assets and link this information to  individual identities.
  • Identify and locate data stores and data objects within an organization’s systems containing personal data of data subjects and connect it with their unique, and identities.
  • Create a comprehensive and searchable dashboard of every individual data subject whose data is stored in an organization’s system, including their Personal Data Records, Data Residency information;;
  • Fulfill DSAR requests and identify cases of cross-border data transfers.

Automated DSAR fulfillment saves organizations time, money and strengthens brand trust resulting in improved customer loyalty. You will read more on this in the next module.


Get in touch

[email protected]
Securiti, Inc.
300 Santana Row
Suite 450
San Jose, CA 95128

Sitemap - XML Sitemap