INFOCUS. Using Data Mapping to Manage Data Governance Risks. Data- Mapping Stakeholders BY SIMON MCDOUGALL AND SAMITA PATEL

Transcription

1 promontory.com INFOCUS SEPTEMBER 8, 206 Using Data Mapping to Manage Data Governance Risks BY SIMON MCDOUGALL AND SAMITA PATEL The explosive growth in the use and transmission of data has made it more difficult than ever for organizations to understand how they collect and manage personal data at a time when intensifying regulatory rules and media attention have magnified the risks of failing to do so. Organizations are increasingly launching data-reliant digital initiatives to realize the full potential of customer information, which in turn requires data handling and privacy practices that comply with laws and regulations. An organization s size, complexity, and geography often compound that challenge. Simon McDougall is a managing director at Promontory, and leads its global privacy and data protection practice, advising firms on governance, risk, and regulatory issues related to their data and records. Data mapping provides a consistent way of analyzing, documenting, and graphically representing how information flows within an organization and among stakeholders (including third parties), systems, and jurisdictions, allowing the organization to identify the potential points at which that information may be vulnerable. The exercise provides companies a structured and efficient approach to identifying risks and addressing compliance gaps in data transfers and similar activities, while helping them balance business objectives and regulatory requirements. Developing data maps in alignment with the data lifecycle Collection Samita Patel is an associate at Promontory, and advises clients on data protection and privacy-related matters, including support in building data-mapping frameworks. Disposal, Destruction, and Retention Storage Privacy Records Management Information Technology Data- Mapping Stakeholders Information Security Marketing Human Resources Use Access and Transfer

2 starting with when personal data is collected and tracking its use, disclosure, retention, and eventual disposition can also help identify all the groups within an organization that may have an interest in, or benefit from, understanding its data flows. Data Mapping Promotes Stronger Governance, Risk Management, and Compliance Data mapping supports an organization s overall data-governance policy and procedures, allowing it to demonstrate compliance not only with legal requirements, but with corporate standards and risk appetites, for handling data. Maintaining a record of key practices for personal-data handling may be necessary to assure organizations, clients, employee representatives, business partners, auditors, and regulators that data handling is understood and managed in accordance with international standards, local requirements, and sound data-governance principles. For example, companies that adhere to the Payment Card Industry Data Security Standard are required to map the processing of payment-card details. Furthermore, the European Union s General Data Protection Regulation replaces the need to complete local administrative filing and registration requirements with specific requirements for data controllers and similar requirements for data processors to maintain a record of processing activities under their responsibility. Organizations are increasingly considering data mapping to demonstrate compliance with GDPR requirements. Data maps can also help demonstrate a multijurisdictional organization s commitment to complying with privacy and data protection principles underpinning the EU Binding Corporate Rules and U.S Privacy Shield schemes for EU-compliant cross-border data transfers. Data Mapping Supports Risk and Compliance Assessments Data-mapping exercises often serve as the foundation for privacy-related risk-assessment activities and allow organizations to identify vulnerabilities in key business processes and systems for personaldata handling. When combined with privacy-compliance assessments, data maps help organizations identify gaps in privacy controls to assess and mitigate risk, and improve their data-handling practices. Many organizations have undertaken some level of data mapping during the initial phases of largescale privacy-compliance initiatives to chart the use and flow of personal data across the enterprise. Common areas for data mapping include: Client and Customer Data HR Data Client contact and marketing lists Customer profiles and preferences Card payment and other financialrelated data Data on social media and customer interactions Vetting and employee monitoring HR records management Occupational health and medicalrelated data Compensation and benefits data PROMONTORY Sightlines InFocus SEPTEMBER 8, 206 2

3 Data maps are valuable tools in assessing risks arising from potential sources of data-handling incidents, highlighting high-risk areas and providing a means to identify and reduce the likelihood of future data breaches. Specific Business, Risk, and Compliance Benefits of Data Mapping Data mapping can benefit businesses by driving more efficient operations, while supporting stronger risk and compliance processes. Stronger vendor management Data-mapping outputs can provide a centralized record of both internal and external processes involving the sharing or transferring of data, including data shared with vendors. Several functions such as legal, information-security, and vendormanagement teams may be interested in data-mapping outputs. They may use data maps to support vendor risk management activities, including managing risk and compliance related to domestic and international transfer requirements and supporting the monitoring of vendors privacy and security obligations. The exercise may also help vendors demonstrate they are in compliance with privacy requirements. Better measurement of new technology and organizational change Maintaining a centralized record of company data flows can help reduce costs and efforts in assessing the impact of new technology and organizational change. It may be necessary to assess data flows before introducing a new business process, or integrating or decommissioning a system. Companies assessing a proposed merger, acquisition, or sale of an existing business can use a centralized data-flow inventory to minimize the time and effort in determining which data flows are affected, and in turn, support organizations in making thought decisions in managing personal data. Standardized reporting Certain business lines may also benefit from using data-mapping outputs as a standardized report in sharing data-handling practices with other business lines or senior management. They may also be helpful in providing examiners and internal or external audit with an understanding of the key activities for handling personal data. Increased data availability and responsiveness Maintaining centralized data-mapping records provides a snapshot of key data repositories, which supports efficient and timely responses to requests for information from customers, prospects, clients, investors, government bodies, law-enforcement agencies, and regulators. PROMONTORY Sightlines InFocus SEPTEMBER 8, 206 3

4 EMPLOYEE ONBOARDING MAPPING THE DATA LIFE CYCLE (EXCERPT) Collection Welcome letter; newhire forms Offer and disclosures sent 3 G6 G26 B B2 B30 B3 B B6 B2 B30 C2 C5 C8 Non-U.S. Job Candidate/New Employee Completes paper-based application Offer made Non-U.S. HR Manager Paper benefit forms are scanned and sent to U.S.file room B B2 C2 Offer letters stored Online application completed Signed form returned on first day Send to fileroom Extending offer transfers data to Workday Accesses selected new hire data B30 C U.S. Job Candidate/New Employee B3 C8 6 2 C2 C5 Server C8 Storage 4 U.S. HR Associate HR Server Communication of background check results Enters employee data in Workday MS Exchange A0 0 Background check obtained before offer is made B B30 B3 Archive/Retention Enters data B HR Shared Drive B6 C2 B2 C5 B30 C8 Key U.S. Candidate Application Process U.S. Background Check Process U.S. New Hire Administration Non-U.S. Candidate Application Process Non-U.S. Candidate Application Process 2 3 Process Number A (#) C (#) Internal External Reference to Sensitive Personal Data Reference to Data Category The above graphic is an excerpt of a larger data map. Map areas diagramming data usage and transfers are not shown. B (#) G (#) Reference to Special Data Identified Privacy Gap PROMONTORY Sightlines InFocus SEPTEMBER 8, 206 4

5 Identification of duplicate data sets and business processes Data-mapping exercises often identify duplication and storage of excess data, which is costly and risky. Exercise outputs can serve as a guide to evaluating and consolidating databases and processes. Increased awareness of data handling Gathering the information required to map the flow of personal data particularly when part of a privacy-compliance assessment helps to increase awareness of privacy considerations for personal data. Support for overall data-governance policies and procedures: Data mapping can be a more tangible way for employees to understand and apply data-governance policies and procedures, such as those pertaining to data classification and access management. Tips for Success in Data Mapping Consider taking the following steps to gain the most value from a data-mapping exercise: Define objectives and priorities Clearly defined objectives and priorities will guide decisions about desired outputs, including what those outputs should look like and how they will be used. If the objective is to monitor privacy compliance, ensure the mapping exercise identifies risk or assesses existing privacy controls related to data flows. While visual maps are useful snapshots of data handling for reporting or quick reference, the underlying information should provide necessary detail to make effective and informed decisions. Consider model sustainability A one-off data-mapping exercise captures a particular point in time. To gain the most value from the exercise, develop a model that allows for the periodic or ongoing update and maintenance of the data-flow information. The effort and cost of data-mapping activities correspond to the organization s complexity, the level of detail required in relation to data flows and process-level data handling, and the frequency of process, technology, and organizational change. Make the data-mapping methodology scalable The urgent priority may be mapping specific business areas or jurisdictions, but the chosen solution should be flexible enough to accommodate other areas in the future, along with specific requirements of those areas. Consider the time frame, effort, and budget to achieve the objectives These factors essentially determine the structure of a data-mapping exercise and whether to manage the effort internally or seek external resources, solutions, or tools. PROMONTORY Sightlines InFocus SEPTEMBER 8, 206 5

6 Assess existing data-mapping solutions and tools Data-mapping solutions are steadily increasing, from off-the-shelf software products to consultancy support, and vary in maturity, resources, and cost. Select the solution that supports your objectives and can be tailored to suit business requirements. Data mapping can support compliance with fast-changing domestic and international privacy requirements, particularly in the case of cross-border data flows and multijurisdictional data management. Organizations that have a strong grasp on how they handle personal information will have a head start in responding to these changes. A version of this article appeared in the August 206 issue of Privacy Laws & Business. Jim Gregoire contributed to this article. PROMONTORY Sightlines InFocus SEPTEMBER 8, 206 6

7 PROMONTORY Sightlines InFocus SEPTEMBER 8, 206 7

8 Contact Promontory For more information, please call or your usual Promontory contact or: Jim Gregoire Senior Principal, San Francisco Rob Grosvenor Director, London Marc Loewenthal Director, San Francisco Simon McDougall Managing Director, London Samita Patel Associate, London Michael Spadea Director, San Francisco To subscribe to Promontory s publications, please visit promontory.com/subscribe.aspx Follow Promontory on Promontory Financial Group helps companies and governments around the world manage complex risks and meet their greatest regulatory challenges. We are the world s foremost experts in financial risk, regulation, and compliance. Former U.S. Comptroller of the Currency Eugene A. Ludwig founded Promontory in 200. Promontory Financial Group, LLC 80 7th Street, NW, Suite 00, Washington, DC Telephone Fax promontory.com 206 Promontory Financial Group, LLC. All Rights Reserved. PROMONTORY Sightlines InFocus SEPTEMBER 8, 206 8