Laying the Foundation: Data Mapping for a US-Based Non-Profit

A US-based non-profit promoting fair consumer treatment needed support in understanding and mapping its personal data processing activities.

Myna documented the processing activities, IT assets and third parties processing personal data, to provide a foundational understanding of the organization’s data processing activities. The client required its data inventories to be created manually and undertook this exercise as a regulatory check to ensure the organization was following the same fair consumer treatment it promotes.

The organization wanted to ensure it was both “talking the talk” and “walking the walk.”


Our Approach

Myna worked with the client to develop an approach that maximized efficiencies and provided a comprehensive mapping of all data processing activities for 15 departments.

  • Led 17 data gathering workshops with the key stakeholders and process owners in each department, both onsite at the client’s offices and virtually.
  • Completed and verified spreadsheet-based data inventories for each of the processing activities within each of the 15 departments. This resulted in a total mapping of 55 different processes.
  • Completed and verified spreadsheet-based data inventories covering 42 systems and 48 third parties used across the processing activities for each department.
  • Led weekly virtual support and guidance calls to assist the client in verifying and completing the data inventories.
  • Led a training call explaining the methodology behind the data mapping inventory and how to read, use, and update the sheet as the organization continues to mature its privacy practices.

Program Outcomes

All 15 organizational departments have completed data inventories, capturing the life-cycle of personal data for each process and identifying the associated IT assets and third-party processors.

Data inventories that support updating the client’s Privacy Notices and Data Subject Rights Process, and the continued maturing of the organization’s privacy program.

Executive presentation to senior stakeholders summarizing high-level observations and providing recommendations to mitigate the gaps and risks observed.