Data Mapping for GDPR, CCPA and Privacy Regulations

Cyber security and privacy experts from Kroll lead CCPA and GDPR data mapping exercises to identify and catalog crucial data categories, elements and processing activities, helping meet different regulatory requirements.
Contact Cyber Experts

The California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR) mandate for detailed data inventories are now reflected in many other privacy regulations worldwide and continue to pose a significant challenge for organizations of all sizes. Whether you’re looking for specific assistance with Article 30 compliance or need a robust solution to meet multi-jurisdictional requirements, Kroll experts deliver accurate and efficient data inventory solutions. 

Leveraging frontline expertise from thousands of cyber security investigations and hundreds of detailed cyber risk assessments every year, our security and privacy experts know the questions to ask and the stones to uncover to help your organization understand, describe and identify how protected data flows within your systems, to and from vendors and internationally. Our extensive data mapping solution provides deeper understanding of data ingestion, storage and security and helps better document the business reasons for its retention and use.

How We Approach Data Inventory Projects

Watch as Jonathan Fairtlough, a managing director in our Los Angeles office, gives a brief overview of our approach to data mapping.

Learn more about the fundamental steps to building a data inventory.

Key Data Mapping Answers We Collect

Most data mapping regulations specify the documentation and management around fundamental questions covering the entire data lifecycle , such as:

  • What data is collected where it is stored, for how long and who has access to it?
  • Is transferred outside of the organization or outside of the country (and where)?
  • What security controls exists around data collection, sharing and storage?
  • How is the data processed and what is the legal basis or business reason for processing that data?
  • Is the data considered sensitive?
  • How is the data transfer protected?

Our experts initially focus on understanding as much about your environment to prioritize the most sensitive systems before examining additional areas. We follow a five-step process that is customized to fit the regulatory requirements of your organization.

Identifying Protected Information 

Kroll will assist your organization in determining how to best categorize the protected information (as defined by your legal team) held by your organization. With the plethora of information that an organization may hold, it is important to understand the types of protected information you have, whether it’s considered sensitive, the business reasons for processing it and where it is stored and for how long. Kroll will work with your legal team to determine the appropriate categories of data that may include, but are not limited to: 

  • The nature and types of the protected information
  • Location (e.g. databases, applications)
  • Categories of sources
  • Internal access rights
  • Forms of collection
  • Data flows, including transfers to affiliates, service providers and internationally 
  • Questionnaires and Document Reviews

Effective data maps require input from almost all departments but especially IT, information security, legal, compliance, marketing and human resources. Kroll will deploy questionnaires to key stakeholders to elicit information on critical information assets, systems and security processes.

Additionally, Kroll will request documentation regarding policies and procedures governing the security and use of the information under the various data privacy regulations. Our practitioners will examine receipts, storage, handling and management of the protected data.

Deploy Data Mapping Software

Based on the questionnaire responses and the document review, Kroll’s experts work with your organization’s IT personnel to configure and deploy the data mapping software that will identify and document structured protected information.

Onsite Visits 

Kroll experts perform interviews with stakeholders to verify conclusions drawn from the questionnaire and the data mapping software findings. They will fill in gaps and perform a visual walk through of the protected information’s data lifecycle on your organization’s systems. 

Deliver Completed Data Mapping and Template 

Kroll experts will leverage questionnaires, existing documentation, data mapping software results and onsite information to build a full data map and inventory and establish a template upon which your privacy professionals can make ongoing adjustments. 

Beyond Compliance, Data Mapping is a Good Business Practice

While the initial mandate for a data mapping exercise may come from GDPR or other privacy regulations, such efforts often uncover practices organizations had forgotten about or didn’t even know existed. Our experts have helped a client identify terabytes of sensitive data, posing a tremendous legal, financial and reputational risk in the event of a data breach, simply because a retention policy had not been fully configured.

Data mapping provides great clarity that will ensure your risk management team can make informed decisions. Kroll experts will help manage your data inventory to optimize data security, better understand your data flows and achieve regulatory compliance. Take the extra steps today in mapping your data to protect your organization tomorrow. Talk to a Kroll expert. 


CMMC Preparedness Assessment

Kroll’s Cybersecurity Maturity Model Certification (CMMC) preparedness assessment leverages frontline expertise to examine organizations’ maturity in accordance with its desired CMMC level and deliver actionable steps to satisfy U.S. Department of Defense (DoD) requirements.

CCPA Compliance Assessment

Our data privacy and compliance experts translate the technical into practical and cut through less-than-specific legal requirements to navigate the complex compliance with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

HIPAA Security Risk Assessments

Kroll’s HIPAA security risk assessments are unique in how they help you meet HIPAA standards.


Cybersecurity Due Diligence for M&A

Pre and Post-transaction assessment can uncover costly risks.

Red Team Security Services

Red team security services from Kroll go beyond traditional penetration testing, leveraging our frontline threat intelligence and the adversarial mindset used by threat actors to push the limits of your information security controls.