Source of this process: SAFETAG - "Data Assessment" ( https://safetag.org/guide/#section4.9 and the specific data mapping exercise at https://safetag.org/guide/#section4.9.9) in Full Guide (PDF linked from https://safetag.org/#audit); source at https://github.com/OpenInternet/SAFETAG/tree/master/en/methods/data_assessment (With a modified version of https://www.level-up.cc/leading-trainings/training-curriculum/activity/backup-matrix)..+)
This works especially well for organisations that are doing this for the first time and haven't had the time and space to think about information and how it flows across the information.
Step 1: Organise the group into their teams (i.e., HR / Admin, Communications Team, Project based teams).
Step 2: Then ask each team to think about the list the following:
The point here is to be as specific as possible.
Step 3: Each team looks at the information they produce and collect to list down:
To do this as specific as possible. Usually, do this for three examples of information / team. Step 4: Prepare a blank wall where each team can post the following:
Usually, informational paths and channels will emerge here as well as a list of the critical information that each team collects or produces
Step 5: On separate post-its ask the group to note how this information is shared across the organisation. The result of this exercise is to get the organisation to start thinking about the data that they produce and collect, and the life cycle of such information.
The process is to ask the group to put specific information types into three categories:
This mapping can also be used to figure out public, internal and confidential communication channels and security policies at a later stage.