6 minutes reading

Information Governance | 6 Steps To Creating A Comprehensive Data Map For eDiscovery

Every day, the volume of electronically stored information (ESI) that organizations must manage grows more staggering. In May 2021, the World Economic Forum reported that each day on Earth, humans generate: 

  • 500 million tweets,
  • 294 billion emails,
  • 4 million gigabytes of Facebook data,
  • 65 billion WhatsApp messages, and
  • 720,000 hours of new videos on YouTube. 

The Forum also estimates that this already mind-blowing volume expands at an estimated compound growth rate of around 61 percent.

As in-house counsel, you’re not facing quite that scope of data, but you’re likely nonetheless dealing with an overwhelming amount—especially if your organization’s data hasn’t been managed properly. That’s why you need to create and maintain a comprehensive Information Governance data map for eDiscovery. 


What is a data map?
Why your company needs a thorough data map
How to create a data map for an efficient eDiscovery process
1. Include the right people on the team
2. Ask the right questions
3. Build a data inventory
4. Track all information governance policies and procedures
5. Structure your data map
6. Maintain your data map
Manage growing data volumes with an eDiscovery solution

report on ipro website-large


Download the report to learn why 85% of eDiscovery and corporate digital forensics professionals are using an AI solution to automate repetitive eDiscovery tasks.

What is a data map? 

A data map is a comprehensive inventory of a company’s data and IT systems. A data map should list all of your organization’s IT systems and sources of ESI, along with pertinent details about each source. Specifically, it should include: 

  • the types of data your organization generates, uses, and stores;
  • where your ESI is stored, whether in current or legacy systems;
  • your data custodians, including the systems they use; and
  • your records retention policies. 

Given the amorphous, vast, and ever-changing nature of data—and especially with our pivot to remote work during the pandemic—you want your data map to be an adaptable inventory of your IT network. To keep it current, you’ll also want to establish a schedule for regularly reviewing and updating your data map. 


What does your organization gain by creating this type of data map? Let’s turn to some of the advantages of comprehensive data mapping. 

Why your company needs a thorough data map 

A data map can give your organization significant tactical and strategic benefits in the event of litigation, regulatory proceedings, government investigations, and internal reviews and audits.

For example, an accurate data map can save you time and effort when you’re preparing to preserve and produce data for discovery. You can use your data map to identify where potentially discoverable data is held so that a subject-matter expert can focus on those data sources during a legal investigation or regulatory compliance request. A data map will prove invaluable when you need to issue a legal hold, because it can also help you pinpoint and preserve relevant data, thereby reducing the risk of spoliation. Further, it will offer support for your position in the event that certain ESI is not reasonably accessible.

Data mapping can also help you assess your organization’s privacy and security risk profile. With a comprehensive data map, you can determine whether your company has adequate security controls, thus preventing data loss and security breaches. You’ll also be able to quantify and manage risks to your data as well as inform compliance with data privacy laws like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Additionally, a data map can help ensure that you’ve met your ethical obligations. Federal Rule of Civil Procedure 26(a)(1)(A)(ii) requires parties to share “a description by category and location … of all documents [and] electronically stored information.” More generally, comment 8 to ABA Model Rule 1.1 requires lawyers to demonstrate technological competence. Creating and maintaining a data map shows that you’ve made a reasonable, good-faith effort to document your organization’s IT systems. 


How to create a data map for an efficient eDiscovery process

Creating a clear, comprehensive data map has proved to be an efficient, cost-effective, and integral investment for a company’s information governance and eDiscovery. By taking a proactive approach, you’ll know how your organization generates and stores electronic information, how long that data is retained, and how you can best search for and retrieve that data.

These six steps will help your organization build its own data map. 


1. Include the right people on the team 

Create a team that will facilitate the data-mapping process. Starting with the initial planning meetings, it is important to include team members from IT, legal, compliance, risk management, human resources, data privacy, information security, and each business unit so that your information governance protocols reflect the needs of all stakeholders within the organization.

This team must work collaboratively to break down any organizational silos so that your data map is as comprehensive as possible. This is critical to minimizing disruptions within business operations. 


2. Ask the right questions 

Corporate counsel must know how the company works so that all data sources are included in the data map. So, beginning with the business units, ask how employees create, use, and share data on a day-to-day basis.

In addition to traditional sources of information like computers and email accounts, consider other potential data sources in light of the practical ways that your company culture operates. Ask questions like these: 

  • What tools does your company use? For example, do employees use a project management and business communication platform like Asana or Slack to conduct business? Do they use messaging apps like WhatsApp, Facebook Messenger, or Signal? Do they use social media to communicate with customers? Do they hold meetings on Teams or Zoom?
  • Are the tools your company uses the same across all business units, or do different business units use different tools?
  • Does your company provide all of the technology that your employees use, or do employees also use their personal phones, computers, or other devices? 

3. Build a data inventory 

Using the insights gained by this questioning, the IT department should weigh in on its policies and procedures for processing, maintaining, archiving, and deleting data within your organization. Account for everything, including data archives, backup tapes, legacy software, and retired technologies.

Make sure you consider these common data types: 

  • documents and spreadsheets;
  • presentations, both internally and externally facing;
  • customer relationship management (CRM) database information;
  • conversations from project management and business communication systems;
  • emails, instant messages, and messages from various chat applications;
  • text messages;
  • voicemails, voice notes, and voice recordings;
  • hard-copy documents, including notes, correspondence, and manuals;
  • photos and videos; and
  • meeting and screenshare software. 

Check these common places where employees may store their data: 

  • company-owned computers;
  • cloud storage drives and file shares;
  • internal servers and networking drives;
  • vendor-provided storage;
  • local backup devices, including thumb drives, CDs, and hard drives;
  • mobile applications;
  • websites;
  • social media accounts;
  • legacy systems and devices; and
  • personal devices, such as cell phones, tablets, and computers. 

4. Track all information governance policies and procedures 

While you’re taking stock of your ESI, it’s a good practice to ensure that your organization is following its policies and procedures by deleting any data that is no longer needed. Defensible deletion is a prudent best practice for risk mitigation, ensuring that only necessary and relevant data is preserved.

You’ve probably (hopefully) already drafted and implemented an information governance policy that takes into account any federal, state, and local data retention requirements. Make sure you’ve included this detail in your data map. That way you can double-check that your organization is following its data retention schedules each time you update your data inventory. 


5. Structure your data map 

A spreadsheet is generally the most useful way to organize a data map. Be sure to use “plain English” to describe your IT systems, their purpose, and their role so that nontechnical and nonlegal readers can understand these technical terms and concepts.

Ensure that your data map answers questions about the IT systems, including: 

  • How old is each type of ESI?
  • Has there been any purging, deletion, or overwriting of the ESI? If so, by whom and under what authority and guidance?
  • Who is responsible for suspending purge, deletion, and overwriting activities in the event of a legal hold?
  • What is the native file format of each type of ESI?
  • Where do you store emails, documents, and each other type of ESI?
  • What are the backup policies for each of your IT systems?
  • Who are the proper custodians for each relevant IT system? 

6. Maintain your data map 

eDiscovery data maps are only valuable if they are up to date. Most companies regularly update and upgrade their IT systems, install new applications, and replace old hardware. That’s why it’s so important for a designated individual (likely a member of your legal team) to review your data map at designated intervals (monthly, quarterly, or annually). 


Manage growing data volumes with an eDiscovery solution

A comprehensive data map for eDiscovery offers a fantastic way for corporate counsel to save money, save time, gain faster insights, build institutional knowledge, and learn to predict—and head off—problems.

Data maps are powerful tools in your information governance and eDiscovery arsenal. They can: 

  • identify and explain IT systems in a straightforward, non-technical way;
  • enable effective legal holds;
  • reduce the chance of spoliation of evidence;
  • give you a sound strategic and tactical footing to protect against an opposing party that might seek to use eDiscovery as a weapon;
  • empower you to communicate effectively and knowledgeably about your company’s ESI; and
  • ensure you’ll be the best advocate for the company’s position in the event of litigation. 

Of course, none of this would be possible without modern eDiscovery tools that combine automation, artificial intelligence, cloud-based deployment, and intuitive user interfaces. These tools empower corporate legal departments to understand their data well before litigation strikes.