What you need to know about data flow mapping under the GDPR

With the new EU General Data Protection Regulation (GDPR) coming into effect in less than six months, it is vital that all organisations make sure they have accurate data flow maps. As part of a GDPR compliance project, organisations will have to map their data and information flows, which will allow them to assess their privacy risks. This is also the first step for completing a data protection impact assessment (DPIA), which helps organisations to identify, assess and reduce privacy risks.

If your business is not in the EU, you will still have to comply with the Regulation if you want to process EU residents’ data. It is therefore vital that an organisation keeps track of where the data is coming from and going to, as non-compliance with the GDPR can result in hefty fines.

Key elements

To effectively map your data, you will need to understand the information flow, describe it and identify its key elements.

  1. Understand the information flow
    An information flow is a transfer of information from one location to another. For example, from suppliers and sub-suppliers through to customers or inside and outside the EU.
  2. Describe the information flow
    This consists of walking through the information lifecycle to identify unforeseen uses of data, which can help to minimise the data collected. It is important to make sure that the people who will be using the information are consulted on the practical implications and consider the potential future uses of the information.
  3. Identify its key elements
    An organisation will need to look at the type of data collected, the format in which it is stored and the method by which the data was collected. The location of the data, and who has access to it and who is accountable for it will also need to be examined.


One of the challenges of data mapping can be deciding what information needs to be recorded and in what format. Personal data can be stored in a number of locations in various formats, such as paper, electronic and audio.

Another challenge is identifying appropriate technology to protect the information and who will have access. Policies and procedures also need to be put in place to make sure the technology is used correctly and appropriately.

A big challenge is determining your organisation’s legal and regulatory obligations. As well as the GDPR there are compliance standards such as the Payment Card Industry Data Security Standard (PCI DSS) and ISO 27001 that an organisation may need to abide by, not to mention local laws and regulations.

How to simplify data flow mapping

The process of data flow mapping can seem difficult and complex, but it can be made easy with the right tools. Our Data Flow Mapping Tool simplifies the process of creating data flow maps, which can be reviewed, revised and updated when needed.

Meet the terms of the GDPR and understand the flow of data through your organisation >>