Data Mapping may be your best business solution to knowing where your company collects, uses, stores, and deletes data. Data Use Agreements can be the best evidence of compliance with regulations when sharing data with other businesses. 

Businesses control a lot of data, such as Employee Data, Customer Data, and Student Data. The information falls into different categories, such as Demographic Data, Financial Data, Educational Records, Health Data,  Biometric Data, Law Enforcement Data, and Purchasing Histories. In the absence of a comprehensive federal data privacy and security law, the handling of each type of data is governed by different laws and enforced by separate regulatory authorities. 

The first common denominator to compliance with all of them is knowing what data the business has, also called its data inventory. You must know what it is, where it is, what you are doing with it, and who else is sharing the data. The second is a quality data use agreement that is not overly broad or inaccurate, but that will evidence compliant management of the data shared with other businesses. 

These two tools will let you know:  

Is any data being share with a third party who did not get permission to have it?

Are you providing data subjects timely service when they request it? 

Have any malicious actors accessed data in your control without your permission?

Is your company otherwise allowing itself or others to mishandle the personal information of others?

Data Mapping is a term that is used to describe the process of showing what data comes into your business, and in what categories it belongs. Each is governed separately in the U.S. and by the various states, as well as by overseas authorities when it is shared with offshore entities. Separating the types of data into their categories and levels of sensitivity will enable your business to know many things about the data. It shows who in your company has access to it, what they are doing with it, how it is being protected, how long you keep it, and who you share it with. When it is no longer active or necessary a data map shows when it can be moved to safer offline electronic or paper storage, eventually to be destroyed when it is legal to do so. 

Data Use Agreements are contracts companies enter into with each other to mutually agree upon how each party will use and share data that is necessary to conduct their business functions with each other. For example, a company with an online website that offers an employee portal, or allows a customers to make an online purchase, are sharing data with the website vendors that operate their website and process their payment functions. Since each business is responsible to know the data compliance level of all of its vendors, these agreements must be individually tailored and can serve many important functions. It is also crucial that a company not sign a data use agreement or other contract that is overly broad or copied from another company. The business must understand the obligations it is accepting. Regulators have been very harsh with companies that promised to take data precautions but failed to take them. 

Starting data compliance by creating data mapping and data use agreements will make the other steps to compliance far easier.