Data Mapping: The Missing Link Between Policy and Reality
Advisors to business enterprises of all shapes and sizes are used to hearing the lament that organizational policies on matters of information governance are “more honored in the breach than the observance,” generally examined and understood by employees no more carefully than Internet surfers study website terms and conditions. This sentiment may be accompanied by an opinion that recommending certain documented policies may be necessary for “check-the-box” compliance reasons, but is not of the same “practical” value as recommending “concrete” solutions, like specific technology products. What accounts for this perceived disconnect between information governance policy and implemented reality and the corresponding devaluing of policy documentation?
While there are doubtless other reasons and contributing factors, perhaps among the most important is the tendency to skip the exercise that ties policy to reality. This exercise, often referred to as “data mapping,” in theory should form the foundation of any effort to exert control over systems and data in practice, whether for reasons associated with legal compliance, cybersecurity, data privacy, records retention and disposition, electronic discovery or otherwise. Data mapping is essentially the process of identifying and documenting where data resides and how it flows through information systems, and understanding what features of those systems impact compliance capabilities (like protecting data, identifying particular subsets of data, disposing of certain data, etc.).
The notion that data mapping is a prerequisite to developing policies about data that can be implemented in practice is surely a penetrating insight into the obvious for anyone who devotes a smidgen of thought to the matter. Moreover, a review of industry standards in fields like information security shows that it has always been articulated as a fundamental requirement, albeit often using different terms and jargon. So why is it so common to find that organizations have policies about systems and data, but have never undertaken anything like data mapping?
While every organization is different and faces different challenges in this area, many find the notion of data mapping overwhelming and assume that such an initiative would be cost prohibitive. Accordingly, even where personnel with responsibilities for information governance recognize the foundational role that data mapping should play, they avert their eyes (or bury their heads in the sand, or…insert your favorite metaphor for ignoring the obvious here). As the organization evolves and grows, and the criticality and complexity of the organizational I.T. environment increases along with it, the idea of data mapping grows even more intimidating, a height that could never be scaled.
Alas, in the realm of information governance, just like most other realms, ignoring problems does not make them go away. So, is there a way to slay the data mapping dragon without breaking the bank? The key to overcoming data mapping paralysis is to recognize that, regardless of the scope of the environment, the objective can be attacked in layers. Think of more traditional mapping, in the geographical sense. With a “bird’s-eye” view, the high-level features of the landscape can be mapped. Zooming in gradually, additional detail is revealed.
Similarly, the data mapping exercise begins with discussion about the categories of data the organization handles and the kinds of systems that do the handling. Higher order frameworks for organizing the information may vary depending on the nature of the enterprise, but they can be broken down into manageable domains by starting at the top, breaking down by hardware and software, on-premises or in the cloud, sorted by function or business unit, etc. As focus is sharpened, most of the details that are relevant from a policy and legal compliance perspective become apparent rapidly. The details that elude rapid grasp are catalogued and become the subject of targeted, component efforts. By taking the layered approach, data mapping efforts can be adapted to budgetary borders.
With data mapping, perfectionism is definitely the enemy of the good (and the necessary). With an I.T. environment that is like a complicated living organism, changing and evolving constantly, there is no point at which pencils are put down and the work is finished. But this is no different than other business processes which are ongoing because change is inherent in organizational existence. At every stage of the effort, it is catalyzing to invoke the undeniable link between data mapping and effective policy that meets objectives, including legal and other risk management. Keeping this and the ongoing nature of the data mapping imperative in mind should make it easier to overcome the barrier to just getting started with what must be done.
Data mapping and protection is a critical part of doing business. Programs like the LL.M in Intellectual Property and MSL in Data and Privacy Law at Cardozo Law prepare legal professionals with the skills to support any industry, no matter their stage of growth.
Adam Cohen, Counsel in BakerHostetler’s New York office, has been practicing at the intersection of law and technology for over 25 years, in a career that has spanned law practice, as outside and in-house counsel, and technology consulting. He holds professional certifications in cybersecurity as a CISSP (Certified Information Systems Security Professional), CCSP (Certified Cloud Security Professional) and CEH (Certified Ethical Hacker) and is the co-author of the annually updated, two volume treatise Electronic Discovery: Law and Practice (Wolters Kluwer), which has been cited in several landmark federal court opinions, e.g., Zubulake v. UBS Warburg and Lorraine v. Markel. While helping the firm’s clients manage the increasingly complex legal risk environment is his first priority, he continues his dedication to thought leadership and education of the next generation of lawyers, teaching law school courses and updating his treatise annually.
This content is advertising.