X Marks the Spot: Lessons Learned From the Data Map Process

By Ganesh Vednere
August 27, 2009

Creating the right data map with the right information takes time, patience, perseverance and pull. A data map that is hastily put together and is missing information will only provide cursory support to counsel, and instead may end up providing fodder to opposing counsel. Some have even said that it is better to not have a data map, claim ignorance and hope for leniency than to state that you have a data map and produce an incomplete, half-baked and inadequate one and anger the judge.

Many organizations have hundreds of business applications, systems, utilities, network file shares and collaboration sites (such as SharePoint, Wikis etc.), not to mention the potential goldmine of data stored in backup tapes, archival systems, PST files and offsite storage. Daunting as it may seem, creating a data map is actually twice as difficult as you thought. Really, simply e-mailing a “questionnaire” to the IT or operational folks asking for a list of applications, systems and platforms within the organization may not produce optimal results. Instead, a holistic approach to the creation of the data map must be undertaken.

It's All About the (Map) Coordinates

At its core, a data map is an inventory of the sources of data within an organization, the names and types of applications or platforms that store this data, the processes that manipulate the data, how the data flows within various business processes and how this data is stored, retrieved and accessed.

Start with existing data infrastructure, record and business process inventories. Typically, the IT infrastructure team will have the list(s) of system infrastructures, their locations, business/IT owners and platform names. The records management team will have an inventory of the various types of records generated through the course of business along with the requisite record metadata, such as record description, owner, location, formats and retention period. The operations team will have a list of the various business processes, process descriptions, process inputs and outputs, owners, process dependencies and the applications and systems that are used to execute the process.

Work with HR to obtain organizational charts that show the various hierarchies, roles and responsibilities within the organization. In addition, the information security team can provide a list of security and access groups by the various applications. Obtaining accurate and complete inventories is always a challenge. While it behooves organizations to spend upfront time and resources in ensuring that these lists are as accurate as possible, the data map team must make adequate contingency plans to account for the errors and omissions in the lists provided to them.

Once existing lists and inventories are obtained, the next step is to start mapping the data types to corresponding applications, platforms, owners and business processes. The data map team also needs to conduct walkthrough sessions with the various stakeholders to discuss how the data moves from one application/business process to another. A data map needs to incorporate aspects of all data flows within an organization. There are several ways to perform the mapping, such as starting with the infrastructure/application list and then tying it to the business process, records, HR and access controls lists. Alternatively, one can start with the business process list and then map out the corresponding data outputs, records and so on. This is where the bulk of the data map complexity occurs. One option for reducing the complexity of the mapping exercise is to prioritize higher data risk areas within the organization and focus on these first and then complete the other areas.

Are We There Yet?

The following are some key lessons learned from the data map process.

• Deploy the Right Resources. Creating a data map requires a collaborative effort on the part of legal, IT, business, operations and compliance areas. It is not just a one-person show. Legal needs to determine if the end product is good enough for use during litigation; IT needs to provide relevant information about servers, data and metadata; business and operations teams need to provide information on business processes; while the compliance team provides details on what controls have been established on information flows.
