CPRA Step 01
Create a Data Map: Inventory of your systems and data uses
Under the CPRA creating a data map is not a strict legal requirement however the foundation of preparing for any privacy law is to ensure you have comprehensive context for what data you are processing.
In order to accomplish this you’ll want to create an inventory, or “map” of:
|Title||In simple terms...||Description|
|Data Categories||What||The types of data, more commonly known as categories of personal data you are processing. Categories of personal data commonly include names, email, address, location, etc., these are personal information belonging to, or that can identify a user.|
|Categories of Processing||Why||The reason, or purpose for which you are processing the data - consider how that information is being used. A simple example would be a statement such as "We use email and names for personalized marketing." - in this case the category of processing would be "personalized marketing".|
|Systems||Where||The systems in which the data is being processed. Think of this as your internal technology systems, or third party vendors. To again take the personalized marketing example above, the system might be your CRM, such as Hubspot or Salesforce.|
|Data Retention Policy||How long you keep data||Privacy and governance best practices dictate that you should keep data for as little time as possible. That is to say, only store and process data for as long as it's truly necessary. For this reason, you should have a record of when and how you delete each cateogry of data that you process.|
|Location||Where||A slightly more precise version of where, this is about understanding geographically where that data resides. For example, perhaps you use AWS for cloud hosting your databases. The AWS region might be the USA, Europe, or elsewhere. That location should be recorded.|
|Data Processing Agreement||Legal Policies||Where the data is being processed by a third party on your behalf, e.g. a SaaS company or an external business, you should collect the contractual agreement from them on how they comply with privacy regulations and manage data on your customers behalf. This is often called a DPA or Data Processing Agreement.|
|Security Controls||Security Policies||For each of your systems where this differs, you should have a record of the security controls and policies enforced on that system so you can be assured that you are adequately protecting your users' data.|
An important note, it’s easy to fall into the trap of “mapping” your connected data systems. However a really effective view of your business should map any use of data, whether that’s online or offline systems.
A final point to consider is that your data map must be current and reflect your systems' actual data processes. So if you're an agile engineering team constantly shipping new features and changes to your product, you'll need to keep your data map up-to-date.
In preparing for the CPRA, consider that manual data mapping is a labor intensive process that will involve multiple members of your business. An accurate manually generated system and data inventory can take several months to create.