What Attributes to Capture in GDPR / CCPA Data Mapping? Ten Essential Attributes

Data protection requirements vary based on the nature of the data hence organizations must have a comprehensive and accurate data map of what data they collect, store, and process. Here is a quick list of attributes that companies should collect as part of their data discovery process. A data mapping process is typically long and resource-intensive hence having a good list of attributes reduces rework. The goal of a data mapping process is to help companies discover personal data and map various data processing activities. 

Following attributes capture what data they collect, use, share inside their organization and transfer outside the organization.

  1. Data Inventory – What are the data sources and data assets that we collect? What sensitive /personal data does the data sources hold?
  2. Storage – Where is the data stored? Is it secure and encrypted?
  3. Security – Is it stored secure and encrypted?
  4. Data Sources/Data lineage –  What data sources of the data assets? If it is an application, what application generates the data? What data assets were combined or transformed to derive a data asset?
  5. Purpose – What business purposes did we collect the data for? Does it have proper consent?
  6. Data Subject Attributes – Additional metadata needed for data protection 
    • What are the categories of the data subject (customer, employee, partner, contractor) in the data asset?
    • What is the geographical location of data subjects in the data?
    • Does the data contain a minor’s data?
  7. Lifespan – When was it created? How long will data be stored? How will it be disposed of?
  8. Processing  – Who has access to the data? Who is using the data? Where is the data processed?
  9. Data Transfer– Where does the data flow? Who do we share or transfer data outside the organization?
  10. Data Owner/Steward  – Who or what team is responsible for the data?