Data Mapping

Data mapping and inventory are critical components of any privacy program. Understanding how data is flowing through the organization is a pre-requisite to being able to secure the data and analyze the data for risks.

Overview | Data Mapping

For privacy law compliance, it’s vital to have a clear view of the personal data under your control. This involves understanding what data you hold, what it’s for, where it’s located, where it goes, how long you keep it for and what you do with it once you no longer need it. Done in the right way, data mapping gives you precisely the information you need to create such an understanding.

Data mapping has always been good practice for data compliance. However, as we’ll see, the arrival of The General Data Protection Regulation (GDPR) makes it even more of a priority to take data mapping seriously.

For a start, the new law requires that you identify those areas where “the rights and freedoms of data subjects” could be at risk – and to take appropriate measures to manage those risks. Likewise, to reduce the likelihood of a breach, GDPR carries a range of data governance obligations; especially on impact assessments and record keeping. Once your data estate is thoroughly and accurately mapped, it becomes so much easier to stay on top of these obligations.

Here, we’ll outline the essential elements of data mapping, how it fits in with the GDPR – and how to get it right.

What is data mapping?
Data mapping tracks the flow of data to, through and from your organisation. More specifically, a data map (also known as a data flow) should give you the following information regarding the personal data under your control:

  • Where it comes from (e.g. customers, staff and third parties)
  • It’s purpose (e.g. order fulfilment or payroll)
  • The entry point; i.e. how it enters your company (e.g. a telephone call, email or online form)
  • Its format, such as Excel spreadsheet, simple Word doc or CRM customer account page
  • Where it’s stored; such as a filing cabinet, in-house server or Cloud database
  • The country it’s stored in
  • Where it’s accessible from and who has access to it

From sales calls through to order dispatch and beyond, data tends to shift format, location and viewability. This type of data flow is all part and parcel of doing business. To be fit for purpose, your data map should be able to describe your organisation’s “data story” accurately. It may also be that you data map is actually a number of data maps, or data flows.

Essential elements of a data map…

The data map for a multinational consultancy will obviously look different to that of a small online retailer. But while there’s no universal blueprint, all good data maps tend to share the following characteristics.

It covers all data processing activities A map is only truly reliable if it covers your entire “data world”. This involves looking at all areas of the business, identifying each and every instance where data is being processed, the purposes of processing and the individual activities that are involved in that processing.

It’s highly visual If it’s only your IT manager who can make sense of it all, the data map isn’t doing its job properly. Everyone, from the tech-sceptic CEO through to on-the-ground account managers, should be able to refer to that map and see what happens with the personal data your company controls and handles. Diagrams, charts and infographics are all useful visual tools.

How a data map fits in with compliance

Here are some of the key ways in which data mapping helps you get GDPR compliance right.

Your record of processing activities Under GDPR, apart from a limited exception for small and medium sized organisations, businesses are under a duty to keep an up-to-date record of all data processing activities. Data mapping enables you to cover this in a thorough, systematic way. It means that you can identify and visualise the complete flow of data through your business – so it’s much less likely that any processing activities are overlooked.

Protecting data subjects’ rights and transparency The GDPR introduces new rights for individuals and enhances existing rights (all of which you can read about here). Allied to this is the principle of transparency – the duty on businesses to be upfront and explain in the clearest possible way to individuals what is happening with their personal information. Having an accurate and clear map at your fingertips can make it easier to convey the required information to data subjects in the most appropriate way.

New data processing activities and privacy impact assessments (PIAs) A PIA is a process of identifying, assessing and reducing privacy risks. Once the GDPR is in force, you’ll need to carry out a PIA for all new processing activities where there’s a high risk to the rights and freedoms of individuals affected. This could include the introduction of new products, or changes to your data management systems.

As part of your PIA, and using your existing data map, you can track how the proposed new activity alters the flow of data in, out and through your organisation, identifying any data protection issues along the way.

Next steps to take

Here are some tips to help you get started with data mapping. Look for compliance-focused mapping tools The principle of accountability is one of the cornerstones of the GDPR. As well as being compliant, firms need to have the processes in place to actually show the regulator that they are getting things right.

That’s why, when it comes to tools to help you with data mapping, it’s worth honing in on those that are built specifically with GDPR compliance in mind. In other words, look for ones which not only help you map your estate, but also refer directly to your specific GDPR obligations and reporting requirements. The Privacy Compliance Hub for example has a clear templates for data mapping, record keeping and privacy impact assessments that leave nothing out and ensure that everyone in an organisation understands their responsibilities effectively.

Make it collaborative As we’ve seen, data mapping demands examining each area of your business under the spotlight. For this, it’s likely that department managers will need to get heads together with your compliance project manager. Tools that promote easy collaboration during the process of ‘map building’ should be especially useful. Bringing it all together with The Privacy Compliance Hub…

Designed with the GDPR in mind, The Privacy Compliance Hub can help your organisation get all aspects of this new data law right – and includes data mapping capabilities. To discover more, check out our demo.


Data mapping and inventory are critical components of any privacy program. Understanding how data is flowing through the organization is a pre-requisite to being able to secure the data and analyze the data for risks. Maintaining an inventory also helps organizations more efficiently respond to data subject rights request to delete, correct, access, or port their data.

In the EU’s new General Data Protection Regulation (GDPR), organizations are expected to maintain extensive and up-to-date internal records of their data processing activities. According to Article 30 of the GDPR, organizations will be held accountable for compliance with record keeping requirements, with equal responsibility given to both data controllers and data processors.

OneTrust provides a simple and automated solution for data mapping, designed to address compliance with GDPR Article 30 record keeping requirements and self-certification with Privacy Shield for data transfers. OneTrust Data Mapping enables organizations to visualize the entire data lifecycle, maintain an evergreen data inventory (data processing register), identify gaps and track recommendations, evidence and approvals for remediating risk.

Contact us now