The California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR) mandates for detailed data inventories are now reflected in many other privacy regulations worldwide and continue to pose a significant challenge for organizations of all sizes. Whether you’re looking for specific assistance with Article 30 compliance or need a robust solution to meet multi-jurisdictional requirements, Kroll experts deliver accurate and efficient data inventory solutions.
Leveraging frontline expertise from thousands of cyber security investigations and hundreds of detailed cyber risk assessments every year, our security and privacy experts know the questions to ask and the stones to turn over to help your organization understand, describe and identify how protected data flows within your systems, to and from vendors and internationally. Our extensive data mapping solution provides a deeper understanding of data ingestion, storage and security and helps better document the business reasons for its retention and use.
Most data mapping regulations specify the documentation and management around fundamental questions covering the entire data lifecycle, such as:
Our experts initially focus on understanding as much as possible about your environment in order to prioritize the most sensitive systems before examining additional areas. We follow a five-step process that is customized to fit the regulatory requirements of your organization.
Kroll will assist your organization in determining how to best categorize the protected information (as defined by your legal team) held by your organization. With the plethora of information that an organization may hold, it is important to understand the types of protected information you have, whether it’s considered sensitive, the business reasons for processing it and where it is stored and for how long. Kroll will work with your legal team to determine the appropriate categories of data that may include, but are not limited to:
Effective data maps require input from almost all departments but especially IT, information security, legal, compliance, marketing and human resources. Kroll will deploy questionnaires to key stakeholders to elicit information on critical information assets, systems and security processes.
Additionally, Kroll will request documentation regarding the policies and procedures governing the security and use of the information under the various data privacy regulations. Our practitioners will examine the receipt, storage, handling and management of the protected data.
Based on the questionnaire responses and the document review, Kroll’s experts work with your organization’s IT personnel to configure and deploy the data mapping software that will identify and document structured protected information.
Kroll experts perform interviews with stakeholders to verify the conclusions drawn from the questionnaire and the data mapping software findings. They will fill in gaps and perform a visual walkthrough of the protected information’s data lifecycle on your organization’s systems.
Kroll experts will leverage questionnaires, existing documentation, data mapping software results and onsite information to build a full data map and inventory and establish a template upon which your privacy professionals can make ongoing adjustments.
While the initial mandate for a data mapping exercise may come from GDPR or other privacy regulations, such efforts often uncover practices organizations had forgotten about or didn’t even know existed. Our experts have helped a client identify terabytes of sensitive data, posing a tremendous legal, financial and reputational risk in the event of a data breach, simply because a retention policy had not been fully configured.
Data mapping provides great clarity that will ensure your risk management team can make informed decisions. Kroll experts will help manage your data inventory to optimize data security, better understand your data flows and achieve regulatory compliance. Take the extra steps today in mapping your data to protect your organization tomorrow. Talk to a Kroll expert.