Background
Our Founder, Nathan Good, met a Director of Data Privacy from a large company at a conference eight years ago. After this person joined another company as Chief Privacy Officer, they reached out to Nathan for help in developing a scalable solution to their privacy problem. The company builds and manages multinational digital communications technology.

Motivation
The company regularly produced data privacy sheets, documents that describe the processing of personal data. However, the privacy team wanted the data privacy sheets to better communicate their data practices to a wider audience. The existing privacy data sheets were too dense, with too much information and limited the reach. They were used by auditors and compliance teams, so included a vast amount of details that were not as relevant for a wider audience. We worked with a small, internal team to create a completely new visual format to communicate the same key concepts but for a wider group of people, from potential customers to internal teams to privacy auditors. The goal was not to replace the existing privacy data sheets but to augment them. These “data maps” would be the first layer - easy to understand quickly - while the privacy data sheets would be sublayers containing all the fine-print details that interested stakeholders could read if they wanted to learn more. With the Data Map Project, the company wanted to establish themselves as a leader in data privacy while respecting users’ privacy concerns and complying with legal regulations.

Approach
We started by reviewing a substantial number of existing privacy data sheets for various products to tease out the critical elements that should be represented in the visual format. The sheets included types of personal data collected (e.g. email, uploaded files, network metadata), the purpose for its collection and use, any security measures taken to protect the data, a map with their data center locations, and deletion/retention rates. Much of this information was for compliance and auditing purposes, as well as to provide in-depth detail on what exactly the company collected and why. This process allowed us to look for patterns, common data types, and important processes that we could translate into a visual map. We distilled the elements from the sheets, which involved condensing, combining, and cleaning the terminology to be used in the visualization. After several iterations, we came up with a “data map” which takes the idea of a “subway map” as a metaphor for how data travels and is processed through a company’s data ecosystem. After the initial data map project, we wanted to automate and scale the process so we created the Data Map Tool. After testing the tool, we made additional improvements, as well conducted training workshops to teach other employees how to use the Data Map Tool and the entire data map creation process itself.

Outcomes
The project was a success, not only because the company created data maps for 20+ of their other products, but also because we were able to scale and automate the process by creating the Data Map Tool. Both the data map project and the subsequent Data Map Tool allowed the company’s internal teams to adhere and adapt to a more uniform, consistent format of creating privacy data sheets. Building the data maps also (inadvertently) spurred more internal conversations between teams on what data was actually being collected, and for what purpose, which led to more scrutiny on data collection overall.

Challenges
Distillation
To our knowledge, there hasn’t been a tool for visualizing the flow of personal information through an enterprise before, so we had to design everything from scratch. There were many iterations before we hit the right balance of the amount and categories of data we wanted to showcase without overwhelming the map. It took a lot of trial and error to refine the processes so we could boil down the key components without losing anything important or risking inaccuracy.

Automation
We also had to figure out an effective way to scale and automate the map creation, since the initial maps were done manually. This led to the eventual creation of the Data Map Tool, which was a tool we had to build from scratch and figure out along the way. In fact, there ended up being two versions of the Data Map Tool: an initial version that ingested the distilled data and produced a basic map and a second, improved version that produced a visual that required less clean-up in the final stage.

Conclusion

This case started with a chance encounter at a conference that led to a new collaboration. Although the project was a new idea and our teams had never worked together before, we were able to co-design and build a brand new thing from an idea. Not only were we able to prototype the idea, we were able to replicate it across products, and build a tool to do this at scale. We’ve since worked with the company to bring this tooling to other companies.

Thanks to Jared Maslin and Jessica Traynor.