What Is a Data Map — and Why Does Your Business Need One?

This is the first part of a four-part series on how to build and maintain a data map. The series is designed to prepare business leaders and in-house counsel to work with their privacy attorney on their privacy policies and practices.
Privacy laws across the U.S. and abroad are asking more and more of businesses: disclose what you collect, honor deletion requests, demonstrate you have controls in place. Answering any of those demands starts with a deceptively simple question — do you actually know what personal data your business handles?
A data map is the tool designed to answer that question. Also called a data inventory, records of processing activities (ROPA), or data flow map, a data map is a structured record of the personal data your business collects, where it comes from, how long you keep it, where it is stored, and who you share it with. Think of it as an inventory — not just of the data itself, but of how it moves through your entire operation.
What a Completed Data Map Looks Like
In practice, a data map is typically a spreadsheet. Each row represents a category of personal data your business handles. Each column captures a relevant detail: the type of data, the people it belongs to, the reason you have it, who else receives it. One map covers one product or service. If your business has a website and a mobile app, each gets its own map — they may collect different data, involve different vendors, and trigger different obligations.
Rikka’s data map template is structured as a spreadsheet with the following fields — a format that maps directly onto the documentation requirements under most major privacy frameworks:
- The personal data collected (contact information, payment data, device identifiers, etc.)
- Whether any sensitive personal data is involved (health information, biometric data, government identifiers, etc.)
- The data subjects — customers, employees, website visitors, job applicants, vendors
- The source of the data and the reason it is collected
- How long the data is retained and where it is stored
- The processors and third parties the data is shared with
- Whether any cross-border transfers occur
When the Law Requires It
For many businesses, a data map is not optional. The General Data Protection Regulation (GDPR) requires most businesses that process personal data to maintain records of their processing activities. U.S. state privacy laws — including those in California, Colorado, and Virginia, among a growing number of others — have similar documentation requirements, particularly for businesses that handle sensitive data or engage in higher-risk activities like targeted advertising.
These laws apply based on how many consumers’ data you process or how much revenue you derive from selling data, not on where your company is headquartered. If you collect data from residents of a state with a privacy law, that law may apply to you.
Even where explicit documentation is not required, regulators and courts frequently look to a company’s data map as evidence that it takes its privacy obligations seriously.
A Living Document, Not a One-Time Project
A data map is only as useful as it is current. Most privacy frameworks that require data mapping also expect businesses to keep their records up to date. The first time you complete one will take the most effort. After that, maintaining it is largely a matter of updating entries when your data practices change — which brings us to the rest of this series.
What This Means Going Forward
Before you can write a compliant privacy policy, respond to a consumer rights request, or assess whether a new vendor creates compliance risk, you need to know what data your business actually has. A data map is where that process starts. The next part in this series covers the foundational terms — personal data, sensitive data, processors, and third parties — that you need to understand before you can fill one out accurately.
Rikka works with businesses at every stage of the data mapping process, from the initial build to ongoing maintenance. Contact us to talk through what your business needs.
This content is for informational purposes only and does not constitute legal advice.