Inventory Mapping

00:03

Hello and welcome to module two of 10 than this privacy framework core identify

00:11

if you remember from the beginning. I said that as we go through the course, I just want to always provide a status of where we are in the course outline. So we've gone through the introduction and we just completed module one overview of this privacy framework

00:24

and we're now entering module to this privacy framework. Core identified.

00:29

So welcome to less than 2.1, identify inventory and mapping.

00:37

So in this video we will cover the identify function, the identified category, # one inventory and mapping.

00:44

And then the eight subcategories of inventory and mapping.

00:49

So before we really get into um

00:52

this particular video, I really wanted to cover um sort of what we will go through um as we go through modules two through six, I'm sure some of you have seen webinars online

01:06

uh to cover the Miss privacy framework, but a lot of those webinars don't give you a deeper dive of the core and sort of walk through with the function the category and subcategories are discussing. And really in this course, besides just kind of giving you a high level overview of this privacy framework. I did want to

01:26

do a deeper dive and really

01:27

try to provide some guidance on depending of if you decide to um choose certain functions categories and subcategories really had to go about doing that. Um should you choose certain ones so that you know, sort of what your what you have in store and what you should be doing, should you choose to adopt

01:47

certain functions categories or subcategories?

01:49

So that's really what modules two through six are about, is really kind of giving that deeper dive on those modules um

01:57

with those functions and categories and subcategories for the core so that you just have a better, a better understanding and really had to tackle, going about implementing a lot of these controls.

02:09

So as I mentioned for this video, the first one that we're really going to cover, um module tool module two is covering uh the identify function. And so what that's focusing on really is developing the organizational understanding to manage privacy risk for individuals arising from data processing.

02:29

And so uh this first category that we're going to focus on um the other lessons will go into subsequent categories, but this one is focusing on inventory and mapping. And so that's where you look at data processing by systems, products or services and

02:46

seeing how it's understood and informs the management of privacy risk.

02:51

So data, what data processing means really is that you're looking at, how does your company or a partner company essentially process data. That could be anything from storing the data to sharing the data.

03:06

Um

03:07

There's multiple ways that a company can process data and I'll use an example is um your payroll provider processes data personal data from an individual in order to

03:20

pay payroll. So you probably share um a

03:24

social security number, a name address, bank account information for that individual to ensure they get paid.

03:31

So that's an application that is processing data. Um So within this category, that's what you were going to be looking at is really trying to inventory all the systems within your enterprise that are possibly processing data,

03:46

um creating an inventory for those and then really creating sort of a data map to show the data flow of how that data is flowing through your organization. Because many times different applications may interface with other applications. So although you may, for instance, input personal data into oracle

04:04

um within a system, Oracle's probably feeding other applications,

04:09

so really being able to create a data map becomes vitally important.

04:13

So as we look at their eight subcategories for this particular category and it can seem daunting. But the next screen, I'm going to really show you how actually um

04:25

P one through really, P six all really go to sort of building out whether you do an Excel spreadsheet or even um in an application that you may be helping maybe you're utilizing to help you manage privacy risk of how those are really just laid out

04:42

um sort of in a grid style format to collect all the data that you need for data inventory. And then really, um P seven and P eight are really going into really more so the uh data mapping process.

04:58

So here's an example of what I was talking about regarding sort of building that data inventory and this is really a sample of how you could start. And this is more so using an Excel spreadsheet format. Um Sometimes when companies are starting out they don't necessarily have the budget yet to pay for something like one trust

05:17

or big data or other possible

05:20

um tools that may be available out there on the market. So one way to start sometimes is creating an Excel spreadsheet that is essentially listing all of your applications. As you can see here. I've even shown you how it correlates with the subcategories um from this particular category of inventory and mapping.

05:41

So i. d. i. m. p. one.

05:43

Um and

05:45

as you'll go through this you'll see that

05:47

the way to read this really is I. D. Stands for the functions. So we know that we're in the identify function

05:55

and then the

05:58

letters after the period I am are really for the category. So it's the inventory and mapping category and then P one is just letting you know that this is the first subcategory within um this category. So I d I M P one

06:14

anytime you see that now, you should be able to know what function you're in, what category we're looking at

06:18

and then just knowing what number subcategory of the subcategory that you're looking at.

06:24

So as you can see at the top

06:25

as I've put what each one represents, I also just put the correlating subcategories. So you knew that you were essentially tackling um

06:34

IDIM. P one through P seven in this document.

06:40

So as you'll see here, I'm using ADP which is the example that I used earlier as the system or application um

06:47

that's listed here and then you always want to put who your system owner is. So in the event there are questions um Normally this person I'm sure probably conducts the testing for the application and they're probably the one that helps troubleshoot when there are issues.

07:02

So then in categories this is where you're putting the particular type of um individuals who you have personal data for. So in this instance you probably have um information for customers for employees, prospective employees, vendors or consumers. And you could put that in a drop down format. I

07:25

did it this way so that you could see the different possibilities that you could utilize

07:30

and when we get into data actions, once again when I mentioned data processing that there are various ways that um an application can process data. Um The way that data's process um within this privacy framework, those are referred to as data actions. So you could be collecting data, you can retain data, you can share data

07:49

and I mentioned before that storing data is also a day to action.

07:54

Um So I just listed a few here. I'm sure there are others. If you really looked at a definition um for data action that could go here I'm just trying to get you thinking in the right direction of what it really means to process data and what a data action consists of.

08:09

So then I. D. I. M. P. Five gets into

08:13

the purpose. So why are you processing data? And that's what we mentioned before with ADP your processing processing it for employee payroll. So no the purpose doesn't have to be elaborate. Just have to know why the personal data is being processed. So in the sixth column we get into data elements. So a data element

08:33

is what is being collected.

08:35

So a name of social social Security number, bank account information. Those are the data elements. And so you're gonna see these different um

08:45

uh definitions um and descriptors as you go throughout this privacy framework. So looking at this first category and identify function is really going to help you learn the terminology that's being used throughout the privacy. Um this framework.

09:01

Uh I'm sorry, the next privacy framework. So in that final column, I D I D I M P seven, it's the data processing environment. So this is really where it's being processed is where is the region. So if you have a server that's on prim um

09:18

I'm in massachusetts. So I'll just say that it's in my location, the city where I'm at marlborough massachusetts, that it's located there. And the reason you want to know where it is as well as um the region is because it gets helpful in if you have a data subject access requests,

09:37

let's say that you have to adhere to the G. D. P. R.

09:41

You want to know where that data is stored. This also will get into the data flow maps that we're going to discuss in a few slides

09:50

because if you have a desire requests come in you want to know where all that information is in the event that you have to delete all the information. So that would mean deleting it from all the applications that have it.

10:03

So knowing um the geographic location also lets you know what regulations you may have to adhere to depending on where the data stored and then whether if it's a cloud or a third party you may have to have that third party partner help you um with a D. Start request. So it's important to know all of the

10:22

uh the

10:24

elements that are being asked for within the spreadsheet that I have here before you.

10:33

So on the side we have a sample of a data flow map

10:37

um I. D. I. M. P. Eight which was last subcategory for this category. Um You've completed your inventory so now if you want to be able to show how that data is flowing throughout all the systems and applications within your enterprise. So this is just one example of a way to do a data flow map.

10:56

You can see that you've used different symbols to show

11:00

um different types of systems or applications or even departments and you always want to include a legendary key so that if an auditor or a third party is looking at your data flow, they know how to read it.

11:11

So as you can see here um in the beginning part of this, in the swim lane, you see that it may start out with a customer

11:20

and then it goes to a certain website located in the UK

11:26

and then you can see it may go to multiple sources from that website. So it'll go to a database, it will flow through mail, chimp or um to other websites trend Seymour zero before it's getting to customer service to marketing or accounts. So being able to see where all this data lives because becomes vitally important.

11:48

Yeah,

11:48

on the next slide, this is also a sample of a data flow map you can see. It's a bit different. Um It doesn't use the different symbols that were utilized in the previous one, but it does use a color coding of sorts for you to see um really the type of data that's flowing through these systems,

12:07

So on the previous one, it didn't get

12:09

really to this in depth of A level. It really just showed where it was flowing through but it just didn't necessarily state the type of data that was moving.

12:18

So in this we can see um the black dot is combined data, so it's personal data, transactions, financial and web sessions. The pink dot r for cookies or behavioral tracking the greens for financial data, the blue dot is just transaction data. So purchase records, confirmation numbers, invoice numbers

12:37

and finally that peach dot is customer data.

12:41

So you can see here from the various systems from a website or the retail point of sale, how the data is flowing through the company and even what types of data are flowing through their systems. So there's no right or wrong way to do this. But I just wanted to show you different examples of data flow maps um and really just give you some example

13:01

examples of how you can implement this

13:03

within your enterprise.

13:07

So something I did want to share and um I will be referencing this quite a bit as we go through the various modules for this course. Um Is that in implementing this privacy framework? Um this did provide certain tools to help with learning how to implement a lot of these controls.

13:28

Um and so you can go to this privacy framework um to get these resources. However in the resource section for this course, I have provided the links myself so that you don't have to hunt and find them on this privacy framework website.

13:43

So for each um

13:45

each uh subcategory,

13:48

um they do provide what the resources are for that for each um subcategories. So as you can see here, um they provide this sp 837 revision to and point to a specific task P 10. Um But two areas that I do want to highlight here

14:05

um where I have actually provided the worksheet

14:09

and the dashboard or then this plan works you too and uh

14:13

personally identifiable information inventory, dashboard.

14:18

Um Their resources here that will help you get started with the inventory as well as creating a data flow map. So they're definitely resources out there um

14:28

that I will share from the MS privacy framework as well as others that I may have found.

14:33

Um And like I said I will reference those and tell you that they are included in the resources section for this course but I did want to point this out in the event. You do want to go to the next privacy framework

14:43

um

14:45

page for yourself to see this.

14:48

So in summary for this video, we covered the identify function description, determine what it means to conduct the data inventory and mapping, reviewed samples of data inventory and mapping, and looked at the overview of the MS guidance and tools for each subcategory.