Enterprise Data Mapping: A Foundational Requirement Under Updated CCPA Regulations
June 22, 2026
A host of new cybersecurity audit requirements are now in force under the California Consumer Privacy Act (“CCPA”), spanning 18 security and governance control domains. Among them is an obligation for covered organizations to maintain an “inventory and management of personal information and the business’s information system.”[1] In simplified terms, the CCPA now requires a data map of the personal information an organization stores, including documentation of where it is stored, how it flows across systems and how it is accessed.[2]
Updated CCPA regulations became effective on January 1, 2026, expanding the scope and operational expectations of California’s sweeping privacy framework.[3] New obligations for in-scope organizations include formal risk assessments, annual cybersecurity audits and enhanced consumer rights processes related to the use of automated decision-making technologies.
A previous FTI Consulting article addressed these regulatory changes at a high level. This article focuses on a core operational requirement that underpins compliance across multiple provisions: enterprise data mapping. In particular, it examines how the data mapping requirements embedded within the CCPA Article 9 cybersecurity audit framework require organizations to identify, document and map personal information throughout the data lifecycle.
Establishing and Scaling Enterprise Data Mapping Capabilities
FTI Consulting’s cybersecurity and data privacy experts work with clients across diverse regulatory, operational and technology environments and have demonstrated that a structured, four‑phase approach can effectively operationalize enterprise data mapping programs. The initial foundational phases focus on establishing scope, governance and data quality standards, while later operational phases emphasize executing data inventory activities at scale and producing actionable outputs.
Phase 1: Identify
The first phase establishes the data mapping scope and structure, bringing together legal, compliance, privacy, information technology, security and business stakeholders to align on objectives and applicable regulations. Teams should review existing documentation to understand the organization’s current state and leverage prior investments in information governance.
Key activities:
- Conduct stakeholder kickoff meetings
- Define applicable privacy and compliance requirements
- Identify high‑risk data use cases and processing activities
- Review existing policies, asset inventories, data classification standards and retention schedules
- Identify gaps in current documentation
- Develop a prioritized list of in‑scope assets and processing activities
- Identify subject matter experts responsible for assessments
The key output of this phase is a discovery matrix outlining the business processes and assets to be included in the data map, along with identifying their respective owners.
Phase 2: Pilot
The objective of this phase is to validate the data mapping approach before full-scale execution. A limited set of assets and processing activities is used to test the assessment questions, workflows and response quality.
Key activities:
- Configure the data inventory repository and assessment templates
- Establish respondent and approval workflows
- Define initial risk criteria
- Conduct facilitated pilot interviews or guided assessments
- Refine assessment questions, workflows and data standards based on pilot results
Phase 2 may include the configuration of privacy management technology and subsequent stakeholder testing. This ensures the questions, multi-select options and flow of the data mapping assessments are sufficiently streamlined to reflect the nomenclature and culture of the organization.
Phase 3: Interview
In Phase 3, the data mapping program is executed across the identified population of in‑scope assets and processing activities. Assets are grouped into prioritized batches to enable efficient rollout and completion.
Key activities:
- Confirm batching and prioritization strategies
- Distribute survey‑based assessments or conduct “white glove” interviews
- Collect detailed data attributes and document data flows
- Review responses for completeness and accuracy
- Conduct follow‑up interviews and validations as needed
- Compile a comprehensive enterprise data inventory
Phase 4: Report
In the final phase, organizations focus on analyzing data mapping results and establishing a sustainable operating model. Inventory outputs are evaluated against regulatory requirements and organizational risk criteria to identify gaps and remediation opportunities.
Key activities:
- Analyze inventory results against privacy and security requirements
- Identify risks, trends and control gaps
- Develop key metrics and executive‑level summaries
- Deliver a formal data inventory report with remediation recommendations
- Establish procedures for ongoing inventory maintenance
- Develop training materials and user guides
- Integrate data mapping into broader privacy and governance programs
Using both quantitative and qualitative methods in Phase 4 is critical to realizing the full value of data mapping. A well‑structured analysis allows organizations to move beyond documentation and translate inventory outputs into clear, risk‑based priorities and actionable remediation initiatives.
Using Data Mapping to Identify Gaps and Prioritize Remediation
Aggregated data mapping results can quantitatively highlight systemic gaps across the organization. For example, analysis may indicate that 60-70% of in‑scope systems have undefined or unknown retention periods. This type of insight provides a clear, defensible basis for prioritizing investment in a formal data retention and deletion program, particularly where regulatory requirements mandate data minimization and storage limitation.
From a qualitative perspective, data mapping can reveal control weaknesses tied to specific business processes or data flows that could potentially lead to compliance gaps. The data map may identify that the systems that serve as primary entry points for personal information lack associated privacy notices or pre‑collection disclosures, signaling the need to focus remediation efforts on implementing or enhancing pre‑collection notice mechanisms.
When analyzed holistically, data mapping outputs serve as a diagnostic tool that informs broader privacy, cybersecurity and information governance initiatives. By linking inventory findings to concrete operational decisions, organizations can effectively allocate resources, address regulatory risk and demonstrate a risk‑based approach to compliance.
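As an added illustration of the Phase 4 analysis described above (example code, not part of the original article), the Python below runs the quantitative retention check and the qualitative entry-point notice check over a small constructed inventory and ranks systems for remediation; the record fields, scoring weights and sample systems are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class InventoryRecord:
    """One system from a Phase 3 inventory (field set is an assumption)."""
    system: str
    owner: str
    collects_personal_info: bool     # in scope for the data map
    sensitive: bool                  # holds sensitive personal information
    entry_point: bool                # primary collection point from consumers
    retention_days: Optional[int]    # None = undefined / unknown retention
    privacy_notice: bool             # pre-collection notice in place

# Constructed sample inventory; not real systems.
SAMPLE_INVENTORY = [
    InventoryRecord("CRM", "Sales", True, False, True, None, True),
    InventoryRecord("WebForms", "Marketing", True, False, True, None, False),
    InventoryRecord("HRIS", "HR", True, True, True, 2555, False),
    InventoryRecord("DataWarehouse", "IT", True, True, False, None, True),
    InventoryRecord("BuildServer", "Eng", False, False, False, None, False),
]

def in_scope(records: List[InventoryRecord]) -> List[InventoryRecord]:
    return [r for r in records if r.collects_personal_info]

def retention_gap_rate(records: List[InventoryRecord]) -> float:
    """Quantitative view: percent of in-scope systems with undefined retention."""
    scoped = in_scope(records)
    undefined = [r for r in scoped if r.retention_days is None]
    return round(100.0 * len(undefined) / len(scoped), 1) if scoped else 0.0

def entry_points_without_notice(records: List[InventoryRecord]) -> List[str]:
    """Qualitative view: collection points lacking a pre-collection notice."""
    return [r.system for r in in_scope(records)
            if r.entry_point and not r.privacy_notice]

def prioritize(records: List[InventoryRecord]) -> List[Tuple[str, int, List[str]]]:
    """Rank systems by weighted findings; sensitive data doubles the score."""
    ranked = []
    for r in in_scope(records):
        findings, score = [], 0
        if r.retention_days is None:
            findings.append("undefined retention period"); score += 1
        if r.entry_point and not r.privacy_notice:
            findings.append("entry point without pre-collection notice"); score += 2
        if findings:
            ranked.append((r.system, score * (2 if r.sensitive else 1), findings))
    return sorted(ranked, key=lambda t: t[1], reverse=True)
```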
Article 9: Cybersecurity Audits
Data mapping is now solidified as a formal compliance obligation under CCPA Article 9 §7123(c)(4), which requires an organization to submit an annual cybersecurity audit attestation to the California Privacy Protection Agency if it meets any of the following criteria:
- Derives 50% or more of annual revenue from selling or sharing personal information
- Exceeds $25 million in annual revenue while processing personal information of 250,000 or more consumers
- Exceeds $25 million in annual revenue while processing sensitive personal information of 50,000 or more consumers[4]
Organizations with annual revenues exceeding $100 million must submit their initial certification by April 1, 2028, with smaller in‑scope organizations required to certify in 2029 or 2030, followed by annual submissions thereafter.
The Impact of Expert Guidance
FTI Consulting supports organizations at every stage of the data mapping lifecycle, from initial scoping and regulatory interpretation to full‑scale implementation and audit readiness. Multidisciplinary teams combine privacy, cybersecurity, information governance and technology expertise to help organizations design and operationalize defensible data mapping programs aligned to CCPA Article 9 requirements.
FTI Consulting aligns regulatory expectations with operational realities, transforming data mapping from a compliance exercise into a strategic program that strengthens privacy, cybersecurity and enterprise risk management.
Footnotes:
1: Cal. Code Regs. Tit. 11, §§ 7000 - 7306.
2: Id.
3: Id.
4: “California Consumer Privacy Act (“CCPA”),” State of California Department of Justice (March 13, 2024).