Data Flow Mapping and Data Privacy Compliance


Regardless of industry, if a company has an online presence, it’ll likely have a substantial amount of personal data from customers.

Personal data is anything that can identify an individual user, for example, their name, address, phone number, date of birth, and payment details. It can also be information about their purchase history or browsing behavior.

Data can be collected with customers’ knowledge through newsletter sign-ups, online checkout, and service agreements. However, as technology becomes more sophisticated, companies are also using tracking cookies and biometrics to get insights about users. Whatever way an organization processes personal data, it has to ensure that the method complies with the laws of the country the person is in. 

Often, businesses have a lot more data than they realize, stored in different formats and maintained across different storage locations. This scatteredness makes it difficult to ensure that processes are compliant, which could land companies in hot water. As an example, in July of 2021, Amazon was ordered to pay $886.6 million for breaching data regulations.

So, how can companies avoid the financial and reputational cost of non-compliance? With data flow mapping.

What is Data Flow Mapping?

Data flow mapping is a visualization of a company’s stream of information and data. It’s a visual chart that shows, among other things, where data is stored inside an organization’s databases and which applications make use of it. When organizations have a full overview of their data like this, they can make informed decisions about their compliance efforts. Especially for companies that operate in a number of countries with different data laws, data flow mapping can help highlight where appropriate safeguards need to be applied.

Other aspects of data flow mapping take into consideration the devices and applications that are used to process personal data, as well as the people who are responsible for those functions. It equally looks at how data is transferred between functions within the organization.

Decision-makers and managers share data flow maps with software engineers, database administrators, testers, and other stakeholders to provide a comprehensive and transparent perspective of all data processes.

Data Compliance and Mapping

Data flow mapping ties into data privacy compliance because it shows where data is stored once it’s captured, how it is being used, and whether it is shared with third parties. If an organization holds data, or handles it, in a way that doesn’t comply with data privacy laws, it can then act accordingly. But businesses first have to know where the data lives in order to secure it and change the flow.

Automated mapping is much more efficient than manually combing through systems to understand where data lives inside the organization and which applications use it. Mapping can reveal red flags such as applications or parts of the system accessing data without teams realizing it, or internal structures that use personal identifiers (for example, a social security number) as a reference to a user. All in all, automated mapping keeps organizations in the know when it comes to their data.
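The two red flags described above can be checked mechanically. The sketch below is an added example, not CodeLogic's code: it loads a schema dump into an in-memory SQLite database, flags personal-data columns that serve as primary or foreign keys, and lists which applications query the affected tables. The column-name patterns, schema, and query log are constructed assumptions.

```python
import re
import sqlite3

# Column-name heuristics for personal data (assumed for this example, not exhaustive).
PII_PATTERNS = {
    "ssn": re.compile(r"(^|_)(ssn|social_security)"),
    "email": re.compile(r"e?mail"),
    "name": re.compile(r"^(full_|first_|last_)?name$"),
}

# Constructed sample schema and per-application query log.
SCHEMA = """
CREATE TABLE users (ssn TEXT PRIMARY KEY, full_name TEXT, email TEXT, plan TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY, user_ssn TEXT REFERENCES users(ssn));
CREATE TABLE products (id INTEGER PRIMARY KEY, title TEXT, price REAL);
"""
QUERY_LOG = [
    ("billing", "SELECT id FROM orders WHERE user_ssn = ?"),
    ("newsletter", "SELECT email FROM users WHERE plan = 'pro'"),
    ("catalog", "SELECT title FROM products"),
]

def classify(column):
    """Return the PII category a column name suggests, or None."""
    return next((k for k, p in PII_PATTERNS.items() if p.search(column.lower())), None)

def map_schema(schema_sql):
    """Load DDL in memory; return (table, column, category, used_as_key) rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(schema_sql)
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    for table in tables:
        # Field 3 of foreign_key_list is the referencing ("from") column.
        fk_cols = {r[3] for r in conn.execute(f'PRAGMA foreign_key_list("{table}")')}
        for _, col, _, _, _, pk in conn.execute(f'PRAGMA table_info("{table}")'):
            if (category := classify(col)):
                findings.append((table, col, category, bool(pk) or col in fk_cols))
    return findings

def apps_touching_pii(findings, query_log):
    """Map each application to the PII-bearing tables its queries mention."""
    usage = {}
    for app, sql in query_log:
        for table in {f[0] for f in findings}:
            if re.search(rf"\b{table}\b", sql, re.I):
                usage.setdefault(app, set()).add(table)
    return usage
```

Rows where `used_as_key` is true are the ones to prioritize: replacing an identifier such as `ssn` with a surrogate key removes it from every table that references the user.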

Data Privacy Compliance

The conversation around data privacy compliance has become particularly loud in recent years. As more data is produced (estimates say 2.5 quintillion bytes every day) and more companies adopt data-driven business models, new regulations have been created to ensure that people’s personal information is kept safe.

Organizations that do not comply with data guidelines and rules risk large fines, suspension from business activities, and mandatory team retraining. Not to mention, they could be deemed untrustworthy by the public and lose a substantial amount of users. Examples of data privacy compliance legislation include HIPAA, GDPR, PCI-DSS, CCPA, PIPEDA, POPI, and LGPD.

CCPA, CASL, and GDPR Impacts

Three of the best known—and perhaps most feared if you’re a large B2B or B2C tech company—data privacy compliance regulations are the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), and Canada’s Anti-Spam Law (CASL). The introduction of these regulations has forced businesses to be more attentive to their data protocols and take ownership of unfair or misleading data practices. 

The CCPA came into effect in 2018 and specifies the requirements to identify, manage, secure, track, produce, and remove consumer privacy information in the state of California. The act also states that people have a right to know what information is collected about them and whether that information is sold, and that they are entitled to opt out of the process. The price for non-compliance ranges from $2,500 to $7,500 per individual violation. Some might think that because this is not a country-wide regulation it is less impactful, but keep in mind that California is home to Silicon Valley, the headquarters of a huge number of tech companies.

Further north, Canada’s Anti-Spam Legislation (CASL) was introduced in three different stages between 2014 and 2017 and is a federal law that combats unwanted digital content and electronic threats. The law applies to emails, texts, and other electronic messages that are connected to “commercial activity” (i.e. businesses) and requires organizations to get consent from recipients before sending messages to the public. Organizations that don’t follow the rules set in CASL face penalties up to $10 million, as well as criminal charges. 

In the European Union, GDPR was enacted in 2018 and provides parameters for sensitive data such as biometrics, criminal history, and genetics, alongside more general personal data. The regulation says that all companies, no matter where they are based, must get consent to collect personal data and that they can only retrieve data that is clearly related to a business objective. Penalties for not complying with GDPR are high—up to €20 million ($23 million USD) or 4% of companies’ annual revenue. Amazon, H&M, and Marriott have all had to pay hefty GDPR fines since the regulation was enacted.


No business can underestimate the importance of data compliance in the digital world. Data compliance can’t be an afterthought; it has to be an integrated component of companies’ daily strategies. But checking compliance in complex applications, where personal data sometimes sits in hard-to-find database tables and columns, is challenging, which is why more organizations are getting support from tech experts that can shine a light on their data flows.

Are you ready to dive into your data? Want to know if it’s going somewhere it shouldn’t? Try CodeLogic now to see how we can help.
