Data Maps and Data Inventories: A Comparison of US Law, EU Law, and Soon-To-Be EU Law

In the United States, companies are not required to inventory the types of data that they maintain, or to map where that data flows into (and out of) their organization. That said, knowing the type of data that you collect, where it is being held, with whom it is being shared, and how it is being transferred is a central component of most mature data privacy and data security programs. For example, while the law does not require that companies inventory the data that they collect, federal and state law is being interpreted as requiring that companies use, at a minimum, reasonable and appropriate security to protect certain types of "sensitive" information such as Social Security Numbers. It is difficult for many companies to defend their security practices if they lack confidence as to whether they are collecting sensitive information and, if so, where it is being maintained. As a result, while conducting a data inventory is not a legal requirement, it is, for many, a de facto step toward complying with other legal requirements.