Data Mapping for GDPR, CCPA and Privacy Regulations

Cyber security and privacy experts from Kroll lead CCPA and GDPR data mapping exercises to identify and catalog crucial data categories, elements and processing activities, helping meet different regulatory requirements.

Contact Cyber Experts
/en/services/cyber-risk/assessments-testing/data-mapping-gdpr-ccpa /-/media/feature/services/cyber-risk/data-mapping-desktop-banner.jpg service

The California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR) mandate for detailed data inventories are now reflected in many other privacy regulations worldwide and continue to pose a significant challenge for organizations of all sizes. Whether you’re looking for specific assistance with Article 30 compliance or need a robust solution to meet multi-jurisdictional requirements, Kroll experts deliver accurate and efficient data inventory solutions. 

Leveraging frontline expertise from thousands of cyber security investigations and hundreds of detailed cyber risk assessments every year, our security and privacy experts know the questions to ask and the stones to uncover to help your organization understand, describe and identify how protected data flows within your systems, to and from vendors and internationally. Our extensive data mapping solution provides deeper understanding of data ingestion, storage and security and helps better document the business reasons for its retention and use.

How We Approach Data Inventory Projects

Watch as Jonathan Fairtlough, a managing director in our Los Angeles office, gives a brief overview of our approach to data mapping.

Learn more about the fundamental steps to building a data inventory.

Key Data Mapping Answers We Collect

Most data mapping regulations specify the documentation and management around fundamental questions covering the entire data lifecycle , such as:

  • What data is collected where it is stored, for how long and who has access to it?
  • Is transferred outside of the organization or outside of the country (and where)?
  • What security controls exists around data collection, sharing and storage?
  • How is the data processed and what is the legal basis or business reason for processing that data?
  • Is the data considered sensitive?
  • How is the data transfer protected?

Our experts initially focus on understanding as much about your environment to prioritize the most sensitive systems before examining additional areas. We follow a five-step process that is customized to fit the regulatory requirements of your organization.

Identifying Protected Information 

Kroll will assist your organization in determining how to best categorize the protected information (as defined by your legal team) held by your organization. With the plethora of information that an organization may hold, it is important to understand the types of protected information you have, whether it’s considered sensitive, the business reasons for processing it and where it is stored and for how long. Kroll will work with your legal team to determine the appropriate categories of data that may include, but are not limited to: 

  • The nature and types of the protected information
  • Location (e.g. databases, applications)
  • Categories of sources
  • Internal access rights
  • Forms of collection
  • Data flows, including transfers to affiliates, service providers and internationally 
  • Questionnaires and Document Reviews

Effective data maps require input from almost all departments but especially IT, information security, legal, compliance, marketing and human resources. Kroll will deploy questionnaires to key stakeholders to elicit information on critical information assets, systems and security processes.

Additionally, Kroll will request documentation regarding policies and procedures governing the security and use of the information under the various data privacy regulations. Our practitioners will examine receipts, storage, handling and management of the protected data.

 

Deploy Data Mapping Software

Based on the questionnaire responses and the document review, Kroll’s experts work with your organization’s IT personnel to configure and deploy the data mapping software that will identify and document structured protected information.

 

Onsite Visits 

Kroll experts perform interviews with stakeholders to verify conclusions drawn from the questionnaire and the data mapping software findings. They will fill in gaps and perform a visual walk through of the protected information’s data lifecycle on your organization’s systems. 

 

Deliver Completed Data Mapping and Template 

Kroll experts will leverage questionnaires, existing documentation, data mapping software results and onsite information to build a full data map and inventory and establish a template upon which your privacy professionals can make ongoing adjustments. 

 

Beyond Compliance, Data Mapping is a Good Business Practice

While the initial mandate for a data mapping exercise may come from GDPR or other privacy regulations, such efforts often uncover practices organizations had forgotten about or didn’t even know existed. Our experts have helped a client identify terabytes of sensitive data, posing a tremendous legal, financial and reputational risk in the event of a data breach, simply because a retention policy had not been fully configured. 

Data mapping provides great clarity that will ensure your risk management team can make informed decisions. Kroll experts will help manage your data inventory to optimize data security, better understand your data flows and achieve regulatory compliance. Take the extra steps today in mapping your data to protect your organization tomorrow. Talk to a Kroll expert. 

Connect with us
Yvette Gabrielian
Yvette Gabrielian
Director
Data Insights and Forensics
Los Angeles
Phone
William Rimington
William Rimington
Managing Director
Cyber Risk
London
Phone
Richard Davies
Richard Davies
Associate Managing Director
Cyber Risk
Hong Kong
Phone

See all servicesStay Ahead with Kroll

Valuation

Valuation of businesses, assets and alternative investments for financial reporting, tax and other purposes.

Compliance and Regulation

End-to-end governance, advisory and monitorship solutions to detect, mitigate and remediate operational security, legal, compliance and regulatory risk.

Corporate Finance and Restructuring

Comprehensive investment banking, corporate finance, restructuring and insolvency services to investors, asset managers, companies and lenders.

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Environmental, Social and Governance

Advisory and technology solutions, including policies and procedures, screening and due diligence, disclosures and reporting and investigations, value creation, and monitoring.

Investigations and Disputes

World-wide expert services and tech-enabled advisory through all stages of diligence, forensic investigation, litigation and testimony.

Business Services

Expert provider of complex administrative solutions for capital events globally. Our services include claims and noticing administration, debt restructuring and liability management services, agency and trustee services and more.

See all insightsExplore insights
Cyber

Q4 2021 Threat Landscape: Software Exploits Abound

Feb 16, 2022

by Keith WojcieszekLaurie Iacono George Glass

Cyber

ALM Intelligence Pacesetter Research – Cybersecurity Services 2020

Oct 28, 2020

by Jason N. SmolanoffAndrew BeckettMarc Brawner

Cyber

Kroll Ransomware Attack Trends – 2020 YTD

Oct 06, 2020

by Devon AckermanKeith Wojcieszek Laurie Iacono

Cyber

CVE-2020-1472 (Zerologon) Exploit Detection Cheat Sheet

Oct 22, 2020

by William Rimington Carlos Garcia, Simone Marinari, Roman Guillermo

News

Kroll Partners with Armis to Extend Preparedness and Response for OT and ICS Environments

May 09, 2022

News

Kroll Named in the GIR 100

Oct 23, 2020

News

Kroll Named a Cyber Security Services Pacesetter by ALM Intelligence

Oct 28, 2020

News

Kroll Enhances Managed Detection and Response Solutions with Kroll Responder

Sep 17, 2020