Data Mapping creates an inventory of the personal information in your business systems. That inventory includes whose information you have, who you share it with, why you have it, where you store it, what the lawful basis is for processing and how long you keep the information. Data Mapping has two focuses: 1) personal data attributes, and 2) where you get the data from.
This user guide describes the functionality of Data Mapping within the DPDx application. reThink Trust recommends creating a Systems Inventory (detailing all locations where you store and manage personal data) outside of DPDx and using that as the basis for creating your data mapping catalog. Depending on the size and complexity of your data mapping, it may be beneficial for you to use the DPDx Export/Import feature. If you would like to review your organizational needs, please contact reThink Trust support https://support.rethinktrust.io/. If appropriate, we can provide detailed instructions and a workbook template for using the Export/Import method.
The data map serves as the “heart” of personal data management for many privacy-related functions, including:
- Reports: Collection Sources, Record of Processing
- Governance: Record of Processing, Privacy Notices
- Third Parties, including Service Providers / Processors and other Data Controllers
- Privacy Impact Assessments
- Data Subject Access Requests (DSAR)
- Consent Management
- Data Events and Incidents, including Personal Data Breach
By creating your initial data mapping and updating it when you add systems, personal data collection, new processes or vendors, you leverage the map for privacy risk management and privacy operations. You enter the data only once; DPDx references the data mapping throughout the platform.
Organize by Department or by Data Subject Type
Before you begin data mapping analysis, determine whether you will do data mapping by Department (who uses the data) or by Data Subject Type (who the data is about). We strongly recommend by Department. Additionally, you should have already chosen mapping by Department in Company (Org) Setup. Be thoughtful in your setup because if you decide to change the data mapping approach, the application will delete your prior mappings. If you do not have compelling reasons to organize by Data Subject Type or if you are unsure, complete the mappings by Department. The workbook that we provide is organized by Department. For additional guidance, contact us at https://support.rethinktrust.io/.
Take a moment to confirm or change this setting in DPDx > Settings (cog in top right) > Your Plan > My organization does data mapping by department (toggled on or off).
Notes about Data Mapping option:
- Always do a Data Mapping > Export BEFORE changing the toggle.
- WARNING: When you toggle this on/off, all of your current data mappings are deleted.
- TIP: As you are starting out with data mapping in DPDx, you might want to create some sample entries. Toggling data mapping by department off and back on again can be used as a convenient way to delete all mappings and begin again.