CPA - Colorado Privacy Act
01: Data Mapping

CPA Step 01

While creating a data map is not explicitly stated in Colorado’s privacy law, a data map is the foundation for privacy compliance. Your business must have full context of all the data you are processing to have granular control over your organization’s data.

To accomplish this, you’ll want to create a visual representation, or “map” of:

| Title | In simple terms... | Description |
|---|---|---|
| Data Categories | What | The types of personal data you are processing. Common categories of personal data include names, email, address, location, etc. These are personal information belonging to an identified or identifiable user. |
| Categories of Processing | Why | The reason or purpose for which you are processing the data. To identify the correct purpose, consider how that information is being used. An example would be a statement such as "We use email and names for personalized marketing." In this case, the category of processing would be "personalized marketing." |
| Systems | Where | The systems in which the data is being processed. Think of this as your internal technology systems or third-party vendors. Taking the personalized marketing example from above, the system might be your CRM, such as HubSpot or Salesforce. |
| Location | Where | A slightly more precise version of where: this is about knowing where the data geographically resides. For example, perhaps you use AWS to cloud-host your databases. The AWS region might be the U.S., Europe, or elsewhere. That location should be documented. |
| Data Retention Policy | How long you keep data | Privacy best practices dictate that you should keep data for as little time as possible. That is to say, only store and process data for as long as it is truly necessary. For this reason, you should have a record of when and how you delete each category of data that you process. |
| Data Processing Agreement | Legal Policies | If users' personal data is processed by a third party on your behalf, e.g. a SaaS company or an external business, you should establish a contractual agreement on how they comply with privacy regulations and manage data on your behalf. This is often called a Data Processing Contract or Data Processing Agreement. |
| Security Controls | Security Policies | For each of your systems, you should have a record of the security controls and policies enforced on that system. That way, you can ensure that you are adequately protecting your users' data. |
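The rows above describe the fields a data map needs, but in practice the useful part is checking that the inventory is complete: every system has a documented location and security controls, every third-party processor has a DPA, and every processing record has a purpose and a retention policy. The following is an added example, not code from the Fides project or from Ethyca's documentation; the record layout (`SystemRecord`, `ProcessingRecord`), the `find_gaps` check and the sample systems are all constructed for illustration.

```python
"""Minimal data-map inventory with a completeness check.

Added example (not part of the Fides/Ethyca docs). The record layout and the
sample entries below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SystemRecord:
    """One system (internal or third-party vendor) that processes personal data."""
    name: str
    third_party: bool
    location: Optional[str]                      # geographic region, e.g. "us-east-1"
    security_controls: List[str] = field(default_factory=list)
    has_dpa: bool = False                        # Data Processing Agreement in place?


@dataclass
class ProcessingRecord:
    """Which data categories a system processes, for which purpose, kept how long."""
    system: str
    data_categories: List[str]                   # the "what"
    purpose: str                                 # the "why" (category of processing)
    retention_days: Optional[int]                # None = no documented retention policy


def find_gaps(systems: List[SystemRecord], records: List[ProcessingRecord]) -> List[str]:
    """Return human-readable gaps in the data map, one string per missing item.

    Checks the items the data-map table calls for: a location and security
    controls per system, a DPA for every third-party processor, and a purpose
    and retention policy for every processing record. Also flags records that
    point at a system missing from the system inventory.
    """
    gaps: List[str] = []
    known = {s.name for s in systems}

    for s in systems:
        if not s.location:
            gaps.append(f"{s.name}: no documented data location")
        if not s.security_controls:
            gaps.append(f"{s.name}: no security controls recorded")
        if s.third_party and not s.has_dpa:
            gaps.append(f"{s.name}: third-party processor without a DPA")

    for r in records:
        if r.system not in known:
            gaps.append(f"{r.system}: processing record for a system not in the inventory")
        if not r.purpose:
            gaps.append(f"{r.system}: no purpose recorded for {r.data_categories}")
        if r.retention_days is None:
            gaps.append(f"{r.system}: no retention policy for {r.data_categories}")
    return gaps


# Constructed sample inventory (hypothetical systems, not real vendors or regions).
SYSTEMS = [
    SystemRecord("crm", third_party=True, location="us",
                 security_controls=["SSO", "MFA"], has_dpa=True),
    SystemRecord("analytics-db", third_party=False, location=None,
                 security_controls=["encryption-at-rest"]),
    SystemRecord("email-vendor", third_party=True, location="eu-west-1",
                 security_controls=["TLS"], has_dpa=False),
]
RECORDS = [
    ProcessingRecord("crm", ["name", "email"], "personalized marketing", retention_days=730),
    ProcessingRecord("analytics-db", ["location"], "product analytics", retention_days=None),
    ProcessingRecord("email-vendor", ["email"], "", retention_days=30),
]

if __name__ == "__main__":
    for gap in find_gaps(SYSTEMS, RECORDS):
        print(gap)
```

Run as a script, the sample inventory reports four gaps: the analytics database has no documented location and no retention policy for the location data it holds, and the email vendor processes email without a recorded purpose and without a DPA. The same check can be rerun each time the inventory changes, which is what makes a map maintainable rather than a one-off document.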

Manual data mapping is a labor-intensive process that will involve multiple members of your business. An accurate manually generated system and data inventory can take several months to create.

If you'd like to accelerate your data mapping and are unsure where to start, ask a question on the Fides Slack Community.

If you want lightning-fast, automated data mapping with Privacy Engineering Intelligence from Ethyca, get in touch now.