With Data Mapping, we gain a deep understanding of the 5 stages that every piece of data goes through within any department of a company, regardless of its size or industry. Again, my dear friend, you don't need to be a PhD in PMBOK or Project Management to understand these crucial stages! Data Mapping and Data Inventory have become one of the most essential tools for Data Protection Officers (DPOs)!

The market today has brought a lot of technology and quality to these processes! We have no complaints about that. But my goal here today is to teach you to see things in a simpler and more objective way, as they truly are – a straightforward arrangement of facts, and that will already help you.

So, let's get started!

A basic concept that will guide your understanding from now on:

Therefore, each process can be organized in an order, or not, thus forming the routines of the departments.

Thus, for each process in your company, the following 5 points can be fulfilled in full or in part.

They are:

1. Motivation - Why do we need this data?

2. 2.1 – Consent.

3. Processing / Treatment

   1 – Internal sharing among departments and systems.

   3.2 – Storage for internal use and consultation.

   3.3 – Backup.

4. Disposal

5. End of the process?

And what do I do with these 5 points above?

Yes, it's hard, I know!

But, it will be extremely valuable in case of a notification from the National Data Protection Authority (ANPD) or even before that, in case a customer or visitor to your website asks for access to the data you may have about them.

Of course, if you're a small business or have very few employees and processes, all of this can be summed up in 3 or 4 systems (email, marketing automation, some Google Drive, and accounting) because everything is stored in these places. Now, imagine a company with 500 employees in 10 cities.

Remember, according to LGPD, any data subject can knock on your door asking if you have any of their data, and you must respond promptly.

So, without the "treasure map," how will you know that name@personalemail.com subscribed to the Newsletter, made a purchase 3 months ago, and was your employee 5 years ago?

In the above example, you would have to report to that person that you have data such as:

- Name, Email, CPF, Phone, Address, Work Permit, Parentage (HR data), and sharing with Google and Facebook.

For the following reasons:
1- Hiring in the past, so labor legislation obliges you to keep this data in your accounting for X years. In other words, even if he requests deletion, you can deny it, due to another legislation.

2 - Purchase of products X, Y, Z 3 months ago.
This also generated registration in the newsletter (with the famous "I accept to receive promotions"). From the newsletter, you have him on the mailing list for new products and updates from your e-commerce, and all remarketing tools are connected, pursuing him daily across the internet, every time he visits to see your products.

Therefore, he can freely request the deletion of all his data for marketing purposes. This will lead to a series of actions. These include:

- Deleting the email and other data in the CRM and email delivery tool.
- Distributing the Opt-out request to any systems you are integrated with that use this data. (logistics and ERP systems, for example)
- Removing him from the Google and Facebook remarketing segment.
- Reporting in an official company document that the above steps were promptly completed.

(For AdOpt clients, when integrated with Tag Manager, the cookie part becomes much easier! Because when a visitor does not authorize some of them, AdOpt automatically blocks this firing!

Here's a tutorial for you!

Additionally, a visitor's request on the opt-out page sends an email to you immediately, with this request linking the requester's email to the Cookie ID generated in the Opt-In.

So, you can start this search with greater direction if the requester has given consent to any tools and when.

Do you understand now the importance of mapping your company's processes?

Only with all this in hand will you have peace of mind and, more importantly, ease of accessing all this data promptly. For some companies, around 48 to 72 hours (a reasonable response time...) is more than enough, for others, it's practically impossible.

Whether you or your hired DPO, we can't stop the company for every request from a visitor. With Data Mapping in hand, this search is much faster, targeted, and, I dare say, automated, if you use software just for that.

Here's a more detailed breakdown of each of the points in Data Mapping:

1. Motivation - Why do we need this data? If LGPD hasn't already prompted you and your company to reflect on the real need for personal data in your business, stop and do it as soon as possible.

   Yes! Often, especially in Marketing and Sales, there's a compulsion for qualification and identification information about prospects and leads for each stage of the funnel. It's great to pick up the phone and close the final details of a sale or surprise an undecided customer and convince them of the value of your business.

   But the point I emphasize is: Reconsider the real needs of accessing, processing, and storing this data. You don't necessarily need to have an Excel sheet with thousands of lines of your inactive customers from 5 years ago, hoping to rekindle this dead list one day. In light of LGPD, your risk has already been measured; is it worth it?

   In this article, I present 10 marketing processes that you should rethink in light of LGPD!

2. Collection.
   What are the ways in which each process collects/receives your data, along with your consent? Do all data enter the company through a single entry point, or more than one?

   List them all and review whether each entry point displays the necessary policy and process communications, and whether consents from each data subject are also collected alongside the data. Even if in an analog/offline manner, consent is essential.
   1 – Consent.
   Yes, consent is essential, but it's not the only instrument that allows you to access or process personal data.

   In this article, we list all the legal bases that support the use of personal data according to LGPD.

3. Processing / Treatment
   1 – Internal sharing among departments and systems.

   • Are third-party software used for data processing?

   • How do data flow between them?

   • Is the software aligned with your process and privacy policy?

   • If a data subject requests the deletion of their personal data from your company, how do you notify this external or internal supplier to process the deletion?

   • Is there any documentation or search tool to assist the DPO in case of scanning, making it easy to locate data of a data subject in the department?

   3.2 – Storage for internal use and consultation.

   • During the processes where data is stored?

   • For how long?

   • Files, physical hard drives, or in the cloud?

   • Is this cloud in the national or international territory?

   • Who will be responsible for deleting or querying the database in case of a request?

   • Is there any documentation or search tool to assist the DPO in case of scanning, making it easy to locate data of a data subject in the department?

   3.3 – Backup.

   • What is the frequency and rules for backup?

   • Files, physical hard drives, or in the cloud?

   • Is this cloud in the national or international territory?

   • Who will be responsible for deleting or querying the database in case of a request?

   • Is there any documentation or search tool to assist the DPO in case of scanning, making it easy to locate data of a data subject in the department?

4. Disposal
   Although greatly facilitated for digital files, this stage of the process is quite serious. Many files remain in the "trash" and are not properly deleted.
   For physical files, this problem is even greater when disposal is done poorly or neglected.
   Understand this process and, especially if there are third parties involved in the stage, include them in your monitoring of third parties potentially involved.

5. End of the process?
   Is the end of the process indeed the end of the data's journey in the company, or is it just the beginning of another?

Certainly, at first glance, all these questions and concerns may seem excessive. But believe me, these are just some of the questions you would/have to answer if you hire a consulting and compliance service.

Or, in a scenario not as informal as this text, a visit from the ANPD.

I hope I have helped you gain a better understanding of how these stages are essential in a DPO's routine.
With Data Mapping, we certainly have the foundation for creating a more robust privacy policy.

Did you miss any items or descriptions?
Send them our way; we are open to improvements, always! - You can send them to hey@goadopt.io

A recommended further reading to delve deeper into the subject is:

The differences between Data Controller and Data Processor.