GDPR data mapping

Gartner predicts that by 2023, 65% of the world's population will be covered by a modern privacy law.

It started with the passing of GDPR in 2016, followed by CCPA in California and LGPD in Brazil, while China and India have published draft privacy bills.

Privacy laws across the world put obligations on how businesses use or handle data and impose penalties when an individual's privacy or security is breached. A starting point for compliance is to know what data you are processing. Data mapping is the process of finding the answers to these questions:

  1. Why do I process data?
  2. What data do I process?
  3. Where do I process data?

With the answers to these questions, you know your company's real risk exposure under these laws, you know which systems and applications store data, including sensitive data, and you can link each processing activity to a legal basis in the privacy laws.

Although most businesses first did data mapping to comply with GDPR, it is the starting point for compliance with any privacy law and the foundation of your privacy program. Data mapping is also a major control in frameworks like the NIST Privacy Framework and ISO 27701 and can help you obtain those certifications.

Table of Contents

  1. What is data mapping?
  2. Benefits of data mapping
  3. Precursor to a successful data mapping
  4. Best practices for data mapping
  5. Creating GDPR Article 30 Reports
  6. Tools for GDPR Data Mapping
  7. Steps to ensure data maps are updated

What is Data Mapping?

Data Mapping is the process of finding out how your organization uses data. It starts by answering these questions:

  • Why do I process data, or Processing Activity: A processing activity is a business process in which data is used to achieve a business outcome or goal. Each processing activity belongs to a business function and has an owner on the team who defines what happens in it and what its outcomes are. Common examples include:
    • Responding to and resolving customer support requests
    • Web tracking
    • Account management for your product or service, such as login and registration
    • Recruitment
    • Processing employee payroll
  • What data do I process, or Personal Data Mapping: The next step is to associate personal data with each processing activity. Asking "whose data are we processing here?" and "what data do we process?" will guide this step.
  • Where do I process data, or Mapping Data Flows: Once you have defined your processing activities, the next step is to map the flow of data across systems, applications and third parties such as vendors. You should ask the following questions:
    • Where does the data come from? Which system or application is used to collect the data from individuals?
    • Where does the data go from the collection point for storage or processing? Usually this is a database, a storage system, or software and SaaS applications.
    • Where is the data accessed or used? This would be your dashboards, software or applications, and even team members creating reports in Excel.
    • Where does the data go for archival or destruction?
    • The location of every system or vendor listed here should be recorded; it can then be used to identify cross-border transfers.

The answers to these questions should give you a complete picture of how data flows across your organization. You should be able to create a data flow mapping diagram like the following:

[Figure: GDPR data flow mapping diagram]

Benefits of data mapping

  1. Bird's eye view of data processing: You can't protect what you don't know about. By doing data mapping you get a clear picture of your company's use of data and its privacy risks, plus a list of the processes, systems and third parties where you can prioritize security safeguards.
  2. Identify privacy risks: At the end of the data mapping exercise, you should be able to search for any processing activity where a special category of data is used, or where the legal basis is legitimate interest and you have not done a legitimate interest analysis. These privacy risks and gaps can then be addressed.
  3. Identify cross-border transfers: Using the locations of the systems and vendors linked to your processing activities, you can easily identify cross-border transfers and mitigate them by applying appropriate safeguards such as standard contractual clauses.
  4. Prioritize security safeguards: Once you finish data mapping, you will realize you have a lot of systems and vendors involved in data processing. Protecting all of them to the same level is time consuming and costly; by using the categories of data or type of individual you can easily prioritize security safeguards for these systems and vendors. For example, a vendor that processes payroll information needs more protection and a more thorough risk assessment than one that only holds email addresses.
  5. Manage DSARs and individual rights: Another benefit of data mapping is that you get a list of assets and vendors, with their owners, where the data of a specific individual is stored. For example, if you get a deletion request from a customer, you can filter for the assets and vendors that hold that customer's data and ask their owners to delete it.
  6. Comply with the data processing principles of GDPR: When you have a list of processing activities, you can easily audit them against the GDPR principles of lawfulness, fairness and transparency.
  7. Generate Article 30 reports: A key outcome of data mapping is a Record of Processing Activities, or GDPR Article 30 report. This can be maintained and shared with the regulatory authorities on request. We have covered the requirements of the Article 30 report in the section on it below.

Precursor to a successful data mapping

Data mapping done right has a lot of benefits, but it is important to realize that it is an exercise that requires resources from multiple people across an organization. We have detailed some key steps to make your data mapping exercise successful:

  • Management Buy-In: Since data mapping requires involvement from multiple teams, it is important to first get buy-in from management on why resources are being spent on this project. If the different teams see that the project is backed by management, it will be easier for you to get their time and their answers to your questions. Your buy-in presentation should cover:
    • What is GDPR?
    • Cost of non-compliance: Highlight that fines can be up to 10 million euros; showing the trend of fines over the years is a plus and can really drive alignment. Enforcement Tracker has some great graphics that you can use.
    • Give an example of a recent fine and how data mapping could have prevented it
    • Benefits: Refer to the benefits section to create a compelling slide
    • Resource Planning and Timelines: It is important to highlight whether you will need project managers to help you, and what help you need from the other team members who will be answering your questions. Finally, touch on how long the project will run.
    • Budget for privacy consultants (if applicable)
  • Kick-Off Meetings: Congratulations on getting management buy-in; you still need to ensure that the respondents in the different business functions understand the scope of the project. Kick-off meetings can be used to explain the role of each business function, answer their doubts and reinforce why this project is important to the organization.
  • Workshop: A great way to end these kick-off meetings is with a workshop. The idea is to simulate the questions and walk through them with two or three members so that everyone knows what answers are expected and can raise their doubts. We have observed that a lot of people ask questions in these workshops, and it leads to a successful data mapping exercise.
  • Leverage your existing knowledge: Your IT or security team might already have done some of the work, and you might have one or more of the following:
    • List of digital and physical assets
    • Any asset scanning or data loss prevention tools that can help tag systems
    • List of processes that you might have gotten from business impact assessments as a part of business continuity

Best Practices for Data Mapping

  • Define Processing Activity: The biggest challenge in collecting information for data mapping is the blank slate: with nothing to start from, people put off giving answers. This is why we recommend splitting the questions into two phases. The first step is to define the key business processes:
    • Processing activity: What do you do daily, weekly, monthly? What are your KPIs? These questions will give you a list of processing activities.
    • Data Processing Information: Whose data is this? What data do we use in this process? What is the country of this individual?
  • Getting more information: Once you have the basic information, you can send a detailed assessment for each of these processes asking about purpose, legal basis, consent and rights, amongst others.
  • Data Flow Mapping: The final step is to map your internal assets, vendors and third parties to each process. IT and engineering teams have this information; leverage the asset register that IT might already have and start from there. Ensure that a location and technical and organizational measures are associated with each asset to finish the data map.
  • Finding Gaps: After the initial information collection, you will be sitting on a heap of data. It is important to find the gaps that currently exist. Some common ones are:
    • Transfers: Do we have appropriate mechanism for cross-border transfers?
    • Consent: Is our consent as per GDPR standard?
    • Privacy Notice: Have we included all purposes and legal basis of processing in our privacy notice?
    • Employee notice: Are we giving privacy notices to employees? This is generally overlooked and can be a major area of non-compliance
    • Technical and Organizational Measures: You should prioritize security budget towards high risk processes where sensitive data is being used or processing itself has risks.
    • DPIAs: Identify processes where a DPIA is needed
  • Creating Reports:
    • ROPA or Article 30 report
    • Asset Maps: Visualize how your assets are placed globally
    • Cross-Border Transfers: Visualize data transfers between geographies
    • Data Flow Diagram

[Figure: Cross-border data transfer map]

Creating a Record of Processing Activities (ROPA) or GDPR Article 30 report

If you are an organization based in the EU and you complied with the 1995 directive, you should already be familiar with data mapping. The 1995 directive required registering processing activities with the local DPAs. Under GDPR, an organization does not need to report its processing activities to the DPA. Instead, it must maintain an internal record and keep it available for review by a supervisory authority. This internal record is termed the "record of processing activities" or Article 30 report. There are different requirements for data controllers and data processors, given in Article 30(1) and 30(2) respectively.

[Figure: Sample GDPR Article 30 report from the Privado data mapping tool]

For controllers, Article 30(1) states that they should maintain at least the following records:

  1. Controller's name and contact details, along with joint controller if applicable
  2. Purpose(s) of processing
  3. Description of categories of data subjects and categories of personal data
  4. Categories of third parties to whom data has been or will be disclosed, including recipients in third countries or international organizations
  5. If a controller is transferring personal data to a third country or an international organization, such country/organizations should be identified, and safeguards should be documented.
  6. Expected time limits for erasure of the different categories of data
  7. Description of technical and organizational security measures (Article 32(1))

The requirements for processors, given in Article 30(2), cover the processor's information and the categories of processing carried out for each controller, along with items 5 and 7 from the list above. These records can be maintained in electronic form, and the controller's or processor's representative shall make them available to a supervisory authority on request.
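As an added example (not code from the original post or from the Privado tool), the following Python sketches a minimal data map with the links described in this post and the checks the benefits section lists: cross-border transfers derived from asset locations, privacy gaps (legitimate interest without an LIA, special category data without a DPIA) and an Article 30(1) controller record built from the fields above. The partial EEA list, the sample payroll activity and the rule "outside the EEA with no safeguard" are constructed assumptions for the example.

```python
from dataclasses import dataclass

# Constructed sample data map, not from the original post. The EEA set is partial and
# "outside the EEA with no safeguard" ignores adequacy decisions: both are assumptions.
EEA = {"DE", "FR", "IE", "NL"}
SPECIAL_CATEGORIES = {"health", "biometric", "trade union membership"}

@dataclass
class Asset:                 # a system, application or vendor linked to a process
    name: str
    owner: str               # who to ask, e.g. to act on a deletion request
    country: str             # location, used to spot cross-border transfers
    safeguard: str = ""      # e.g. "SCC" for standard contractual clauses

@dataclass
class ProcessingActivity:
    name: str
    purpose: str
    legal_basis: str
    data_subjects: list
    data_categories: list
    assets: list
    retention: str
    assessments_done: frozenset = frozenset()   # subset of {"LIA", "DPIA"}

def cross_border_transfers(activity):
    """Assets outside the EEA with no documented transfer safeguard."""
    return [a.name for a in activity.assets if a.country not in EEA and not a.safeguard]

def privacy_gaps(activity):
    """The two gaps the benefits section says a data map should let you search for."""
    gaps = []
    if activity.legal_basis == "legitimate interest" and "LIA" not in activity.assessments_done:
        gaps.append("legitimate interest without LIA")
    if SPECIAL_CATEGORIES & set(activity.data_categories) and "DPIA" not in activity.assessments_done:
        gaps.append("special category data without DPIA")
    return gaps

def article30_record(controller, activity):
    """Controller record with the Article 30(1) minimum fields listed above."""
    transfers = [(a.name, a.country, a.safeguard) for a in activity.assets if a.country not in EEA]
    return {"controller": controller, "purpose": activity.purpose,
            "data_subjects": activity.data_subjects, "data_categories": activity.data_categories,
            "recipients": [a.name for a in activity.assets], "third_country_transfers": transfers,
            "retention": activity.retention}

# Constructed example: payroll run on a US HR vendor with no SCC in place yet.
PAYROLL = ProcessingActivity("Payroll", "Paying employees", "contract", ["employees"],
                             ["bank details", "health"], [Asset("HR SaaS", "hr-ops", "US")],
                             "7 years after employment ends")
```

Once a safeguard is documented on the asset and a DPIA is recorded on the activity, both checks return empty lists, which is how the map shows a gap has been closed.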

Tools for GDPR Data Mapping

You are most likely to start data mapping with tools and templates such as a GDPR data mapping template in a spreadsheet and Microsoft Visio, using them to maintain data records and visualize data flows. Without a doubt they are great tools in their own right, but you will soon run into challenges managing the data, such as:

  • Lack of compatibility between Excel and Visio: If you update your processing activities, you will also need to update your data flow mapping diagram(s).
  • Lack of automation: Generating reports and finding gaps will take a lot of time
  • Management Dashboard: Presenting the benefits of data mapping to management will require you to create a lot of visual reports manually
  • Searching, sorting and filtering: To prioritize the assets, processes or vendors where risks exist, you will need to search or sort by data category, individual type or legal basis. Doing this in Excel takes a lot of time and manual effort.

We built Privado's data mapping solution after struggling with spreadsheets and Visio for data mapping; it automates all your manual tasks and generates reports in one click. You can choose any of the assessments from our library of over 100 privacy and security questionnaires and assign it to any of your team members. Once you get the responses, we automatically draw data flow diagrams, find compliance gaps and risks for you, and make it easy to prioritize by letting you search, sort and filter.

Steps to ensure data maps are updated

Companies are dynamic: each month your team will want to do more, adding features to the product, extending the scope of a vendor you chose or changing the data collection of an existing process. It is important to have a process that keeps your data maps updated rather than a point-in-time snapshot. We recommend the following two things:

  1. Assessments for new changes: We recommend doing a Privacy Threshold Assessment and, based on the responses and certain triggers, either a PIA or a DPIA. The responses to these assessments should update your data maps by creating a new process or updating an existing one.
  2. Reviews of existing processes: You should also send bi-annual or annual review assessments to the owners of processes and capture any changes in your data maps.

You can use Privado’s data mapping tool for automating these assessment workflows and ensure your data maps are always updated. You can also schedule a call with an expert to discuss your data mapping strategy.