6 Steps to Mapping Your Data

Take inventory of all types of data you collect, such as:

• Combined Data: Personal, Transactional, Financial, Web session
• Transactional Data: Purchase record, Confirmation number, Invoice number, Shipping/Tracking number, etc.
• Customer data (non-sensitive): Email, Phone, Address, Loyalty info, etc.

Map your data from most sensitive to least. These decisions are often nuanced and will depend on your business and your users. Here are some examples that will guide you as you consider the data you collect and the risk to your users' privacy:

• Any data collected from or about children is highly sensitive
• Non-PII (personally identifiable information) behavioral analytics are typically considered less sensitive
• Location data can be sensitive and may even implicate a user's personal health

To identify risk, reduce possible notification fatigue, and optimize input flow by reducing friction, keep track of when and where you are communicating with your users. Specifically, note:

• Everywhere a notification is given
• Everywhere permission is requested

Don't assume a process is understood or apparent. To understand the process and the events you are building into your product, note:

• The details of the process
• If and how the data is transformed
• Where and how the data is stored

To determine if you are collecting too much data, identify:

• Any data inputs that might be redundant
• Any functions that can use less data

To determine if the data you collect is necessary, find the destinations of each process:

• If the process doesn't require the data, delete it

• If the process does require the data, secure it