How to Make a Data Map: Risk Management, Compliance and Governance

In This Guide:

Why Data Management Matters

Data is often called “the new oil.” It’s valuable, powers our digital revolution, and depends on refinement. Additionally, like fossil fuel, data requires care in collection, storage, transportation, and utilization because every step presents a risk of breach.

That’s why effective data management is so crucial.

  • What data is your company collecting?
  • Where is it being stored?
  • Who can access it?
  • And what’s the plan for it all?

Shockingly, few companies spend appropriate amounts of time refining their data management strategies. But in a world driven by data, this should be a top priority.

In this article, I will walk you through how to build a Data Map from start to finish.

📄

Get Your Free Data Map Template

Streamline your data management with our easy-to-use template designed for IT and compliance teams. Start mapping your data flows today to uncover risks, save costs, and stay compliant! Access the Template

About the Author

My name is Liz Benegas; I serve as a General Counsel to companies at various stages of growth—from early stage to post-acquisition and IPO readiness. Part of my daily work is to help company leadership tackle compliance challenges. I identify potential points of risk and guide companies through proven steps to prevent that risk.  

One of my most powerful tools is a data map, and in this guide, I will walk you through exactly how you can build one for yourself.

What is a data map?

Data mapping is the process of creating data element mappings between two distinct data models. It ensures data consistency and integrity across different systems, facilitating accurate data transfer, integration, and analysis. The data map is the end result of that process. It can take many forms (for example, I use a simple Google Sheet). 

Why build a data map?

With the rise of SaaS apps and shadow IT, the likelihood of data breaches is on the rise, and increasing regulatory scrutiny means those breaches become more impactful both monetarily and reputationally. 

In this environment, control over your data is critical. This is one reason a data map is an important piece of an effective data management program.  A data map shows what data your organization has, where that data flows, and who handles it, so you can spot vulnerabilities to help your company ensure compliance and mitigate risks. It also offers quick wins like spotlighting redundant apps or users and helping your company establish third-party risk processes. In the long term, it helps manage data, streamline processes, and boost IT leadership—which is essential for staying secure and compliant.

How to build a data map

Step 1: Establish a Source of Truth (SSOT)

A successful data map starts with a reliable, centralized source of truth. Choose a system for capturing your data—whether it’s a spreadsheet, diagram, or specialized tool—and stick to it. You’ll need to list all categories of data your organization processes, such as customer, employee, or financial data. The best place to start is with your apps. Remember, shadow IT can be a blind spot, so use tools like Torii to uncover unapproved apps. Keep in mind that your data map will only be as effective as the accuracy of the information it contains, so start with a clear structure.

🧠

Tactical Actions:

Choose a Format: Decide on a method for capturing your data. Options include a spreadsheet, flowchart, or diagraming tool.
Identify Data Types: List all categories of data your organization processes. This can include customer data, employee data, health records, financial information, etc.
Catalog Applications: Begin with known applications that process data. This includes SaaS apps, internal tools, and any system handling sensitive information.
Shadow IT Detection: Utilize tools like Torii to identify any unapproved or unknown applications in use by employees (shadow IT). This step is crucial, as some of your riskiest points of data management will involve apps that employees use without approval.

Step 2: Conduct In-Depth Stakeholder Interviews

Your data map is only as strong as the information you gather from the people who work with the data every day. Organize interviews with department heads to understand how they use applications, what kind of data they process, and how data is shared. Pay close attention to unused and redundant apps during these interviews—they represent a cost-saving opportunity. Keep in mind that this step can be tedious but is crucial for building a comprehensive map. The more thorough you are here, the better your data map will reflect your organization’s true data landscape.

🗣️

Tactical Actions:

Engage Department Heads: Organize interviews with department heads to uncover applications they use, and how and why they use them.
Document Usage: Ask detailed questions to identify how each department uses its applications and for what purposes (e.g., processing customer data, internal communications).
Identify Data Storage Locations and Transfers: Clarify where data is stored and also where it is transferred and shared across applications or with external parties. Look for Unused/Redundant Apps: Identify applications that are no longer in use or duplicated across departments for potential cost savings.

Step 3: Identify Third Parties and Subprocessors

Data often leaves your organization’s control, so it’s important to know and track which vendors are handling it. Make a list of all third-party vendors your data interacts with, paying special attention to those dealing with sensitive data or personal information. This is critical for compliance with regulations like GDPR, which has strict requirements regarding subprocessors (third parties that handle personal data on behalf of your customers or clients). Don’t just stop at identifying third parties—make sure to assess their security controls and ensure they meet required standards. Keep in mind that each vendor or subprocessor may require different regulatory due diligence.

🕵️‍♂️

Tactical Actions:

Document Vendors: Catalog all vendors and subprocessors your organization shares data with. Include those that process, store, or have access to sensitive information.
Check Compliance Requirements: For each subprocessor, identify specific regulatory requirements (GDPR, CCPA, HIPAA, etc.). Ensure that transfer mechanisms and due diligence processes are in place.
Risk Categorization: Categorize vendors based on risk levels—focus on high-risk vendors that process sensitive data.

Step 4: Compile and Analyze Data

Once you have gathered data from various sources, it’s time to pull it all together and assess it for potential risks and opportunities. Aggregate all the information you’ve collected from stakeholder interviews, SOC 2 reports, and vendor lists into one comprehensive view. Look for patterns or issues such as redundant tools, data silos, or potential security vulnerabilities. Identifying these pain points is where the real value of the data map comes in—don’t rush this step. Keep in mind that this is your opportunity to eliminate inefficiencies and shore up your security and privacy processes.

🔎

Tactical Actions:

Aggregate Data Sources: Combine data from interviews, vendor lists, SOC 2 reports, and internal documents into a single, comprehensive source.
Spot Risks: Look for potential risks in the data flow, such as security vulnerabilities, compliance gaps, or poor data transfer practices or documentation.
Flag Redundant and Unused Applications: Identify tools and applications that are redundant or no longer necessary, leading to potential cost savings.

Step 5: Conduct a Risk Assessment and Prioritize

Risk is everywhere in data management, so prioritizing the biggest threats is key. Assess the risks associated with your data, focusing on the highest priorities like sensitive customer information. Once the risks are categorized, develop a plan for addressing them. Remember that not all data is created equal—some types of data (like health or financial information) may require stronger controls than others. Keep in mind that prioritization helps your organization focus its efforts where they will have the most impact.

⚠️

Tactical Actions:

Perform Risk Assessment: Identify and assess data management risks, focusing on sensitive data and high-risk vendors.
Set Priorities: Rank risks based on potential impact and likelihood (e.g., customer data may be prioritized higher than internal communications data).
Address High-Priority Data: Develop action plans for addressing high-priority risks—this could include refining security practices, enhancing compliance processes, or adjusting data flows.

Step 6: Craft and Implement Policies

With risks identified, it’s time to create policies to protect your data. Policies should address everything from data protection and retention to third-party risk management and deletion practices. Ensure that these policies are tailored to the specific needs of your organization and the data types you handle. Don’t forget that policies should be living documents—revisit them regularly to keep them aligned with the evolving data landscape and changes in your business practices. Keep in mind that a solid set of policies will act as a roadmap for your data management strategy.

✍️

Tactical Actions:

Develop a Data Protection Policy: Outline how sensitive data should be protected, including encryption and access controls.
Create a Retention and Deletion Policy: Define how long different types of data should be retained and how it should be securely deleted when no longer needed.
Draft Third-Party Risk Management Policy: Create guidelines for managing vendor relationships, including due diligence and contract requirements for data protection.
Build a Data Lifecycle Management Policy: Establish a policy governing how data is collected, used, stored, and eventually disposed of across the organization.

Step 7: Maintain and Update the Data Map

A data map isn’t a “set it and forget it” document—it needs to be maintained and updated to remain accurate. Schedule regular reviews, ideally quarterly, to ensure all new applications, tools, and data sources are captured. Keep engaging with departments to understand any changes in how they use applications or handle data. Remember, accuracy over time is what will make your data map a valuable asset, so keep it dynamic and reflective of your organization’s real-time data practices.

Tactical Actions:

Set Review Cadence: Schedule regular (e.g., quarterly) reviews of the data map to ensure all information is up to date.
Conduct Recurring Stakeholder Meetings: Revisit departments to capture any changes in data usage or new applications.
Cross-Check with Compliance and Security Teams: Ensure that all updates comply with the latest regulations and security requirements.

Step 8: Present and Socialize the Data Map

Once your data map is created, you’ll need to communicate its value across the organization. Build a strong business case highlighting cost savings, compliance improvements, and risk mitigation benefits. Share quick wins, such as reduced application costs or immediate security improvements, to demonstrate the value of the map early on. Don’t forget to engage influencers in different departments—cross-departmental support will make or break your project’s success. Keep in mind that this step is crucial for getting buy-in and ensuring your data map becomes a tool that others use, not just a siloed project.

🤝

Tactical Actions:

Create a Business Case: Highlight cost savings, security improvements, and compliance benefits achieved by data mapping.
Showcase Quick Wins: Identify and share immediate results, such as reduced application costs or improved compliance.
Engage Key Influencers: Get cross-departmental champions to promote the data map and drive engagement.
Assign Clear Roles: Ensure accountability by defining roles for maintaining and updating the data map within various departments.

Step 9: Establish Long-Term Management and Compliance

Data maps help your organization stay compliant and secure in the long run. Integrate your data map into your broader security frameworks, ensuring it’s a central part of your risk management strategy. Schedule ongoing compliance checks using the data map as your foundation for audits and assessments. Collaboration between IT, security, and compliance teams will keep your data protected and aligned with regulations. Keep in mind that the strength of your data map will show its true value when it’s used to proactively prevent risks and meet regulatory demands.

Tactical Actions:

Implement Ongoing Compliance Monitoring: Use the data map as a foundation for regulatory compliance checks, such as GDPR, CCPA, and HIPAA.
Foster Cross-Departmental Collaboration: Encourage regular communication between IT, security, finance, and legal to ensure that data practices align with business goals and regulatory requirements.
Integrate into Security Frameworks and Company Training Programs: Incorporate the data map into your broader security and risk management frameworks and use it to help present real-life examples in your training programs for proactive defense against breaches.

Conclusion

Creating a data map might seem like a big undertaking, but it’s one of the most valuable steps you can take to protect your business and streamline your operations. Think of it as building a blueprint for your data—one that helps you see exactly where everything is, who’s handling it, and where potential risks might be hiding. It’s not just about staying compliant with regulations; it’s about finding opportunities to cut costs, improve security, and make smarter decisions. 

Start small and keep it manageable—your data map doesn’t need to be perfect right away. As long as it’s a living document that you update regularly, it will become a powerful tool that supports your business goals and keeps you ahead of the curve. 

Get your demo today

Now you can control, manage, and save money on the SaaS used by your company. Let us show you what Torii can do for you.

New Torii Pricing 🚀

Find the right plan at the right price.
Get a 14 day free trial, no credit card needed.