GDPR Data Mapping: What is it and how to comply 

Data mapping under the EU GDPR

To comply with the EU GDPR (General Data Protection Regulation), organisations need to map their data flows to assess privacy risks.

Organisations must identify what personal data they process, where it comes from, where it goes, and what systems and processes are used to store, transfer or process the data.

This data mapping process will help organisations:

  • Understand what personal data they hold and why;
  • Identify and assess any risks to individuals’ privacy;
  • Put in place measures to mitigate those risks; and
  • Comply with their obligations under the GDPR.

Data mapping is also a useful tool for DPIAs (data protection impact assessments).

For comprehensive guidance and practical advice on complying with the GDPR, read our bestselling book EU General Data Protection Regulation (GDPR) – An implementation and compliance guide, fourth edition.

UK data protection law is currently being revised. We are following the progress of the Data Protection and Digital Information (No.2) Bill through parliament and will keep you updated on how it might affect your data processing obligations.

Creating data flow maps

To effectively map your data, you need to understand the flow of data, describe it and identify its key elements.

1. Understand the information flow

Information flow is the transfer of information from one location to another, for example:

  • From inside to outside the European Union; or
  • From suppliers and sub-suppliers through to customers.

2. Describe the information flow

  • Walk through the information life cycle to identify unforeseen or unintended uses of data. This also helps to minimise what data is collected.
  • Make sure the people using the information are consulted on the practical implications.
  • Consider the potential future uses of the information collected, even if it is not immediately necessary.

3. Identify its key elements

  • Data items

    What kind of data is being processed, and what category does it fall into?
  • Formats

    In what format do you store data (hard copy, digital, database, bring your own device, mobile phones, etc.)?
  • Transfer method

    How do you collect data and how do you share it internally and externally?
  • Location

    What locations are involved within the data flow (offices, the Cloud, third parties, etc.)?
  • Accountability

    Who is accountable for the personal data? Often this changes as the data moves throughout the organisation.
  • Access

    Who has access to the data in question?
  • Lawful basis

    Identify the lawful basis used for processing personal data.

The key challenges of data mapping


Identifying personal data

Personal data can reside in multiple locations and be stored in many formats, such as paper, electronic and audio. Your first challenge is deciding what information you need to record and in what format.

Identifying appropriate technical and organisational safeguards

You need to protect information and determine who controls access to it. To do this, you will need to identify the appropriate technology and the policy and procedures for its use.

Understanding legal and regulatory obligations

Your legal and regularity obligations may extend beyond the GDPR. This can include other compliance standards, such as the PCI DSS (Payment Card Industry Data Security Standard) and ISO 27001.

For further information on data flow mapping under the GDPR, download our free green paper

Map your data and become GDPR compliant with IT Governance

We have a selection of tools and GDPR data mapping software that can support your organisation’s GDPR compliance, whatever stage you are at in your project.

To gain complete visibility over the flow of personal data through your organisation and meet the requirement to maintain a record of processing activities under Article 30 of the GDPR, we recommend the Data Flow Mapping Tool.

This tool simplifies the data flow mapping exercise, giving you a thorough understanding of what personal data your organisation processes and why, where it is held and how it is transferred.

The Data Flow Mapping Tool is a Cloud-based application, licensed for up to 15 users. It can be accessed via any compatible browser.

This website uses cookies. View our cookie policy
SAVE 25% ON
FOUNDATION TRAINING