Data mapping: Where to start for GDPR compliance

A fundamental part of your EU General Data Protection Regulation (GDPR) compliance project is understanding what personal information you are collecting and processing.

A lack of understanding will make it difficult to ensure that your organisation’s data processing activities comply with the new obligations set out in the GDPR.

Why should you use data mapping in your GDPR project?

Article 30 of the GDPR (Records of processing activities) states that organisations must:

maintain a record of processing activities under [their] responsibility. That record shall contain all of the following information:

a) the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;

b) the purposes of the processing;

c) a description of the categories of data subjects and of the categories of personal data;

d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;

e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation;

f) where possible, the envisaged time limits for erasure of the different categories of data;

g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).


The controller or the processor […] shall make the record available to the supervisory authority on request.

Although Article 30 doesn’t state how to meet its requirements, data mapping can be a useful method.

Key elements of a data map

Data mapping allows you to identify the information that your organisation keeps and how it moves from one location to another, such as from suppliers and sub-suppliers through to customers.

By mapping the flow of data, you’ll be able to review the most effective way of processing data and identify any unforeseen or unintended uses.

A data map should identify the following key elements:

  • Data items (e.g. names, email addresses, records)
  • Formats (e.g. hard copy forms, online data entry, database)
  • Transfer methods (e.g. post, telephone, internal/external)
  • Locations (e.g. offices, Cloud, third parties)

A data map should also help you see who has access to the data at any given time and who is accountable for it.

Getting started with data mapping

If you are unsure where to start with your data mapping exercise, please watch our recent webinar: Conducting a data flow mapping exercise under the GDPR.

IT Governance offers a number of products and services to help you get started with data mapping:

Vigilant Software’s new Data Flow Mapping Tool simplifies the data mapping process and makes it easy for you to create data flow maps that can be reviewed, revised and updated when needed.

The tool also helps you identify the personal data your organisation processes, why it is processed, where it is held and how it is transferred.

IT Governance also offers a GDPR data flow audit. With this service you will get a thorough audit of the personal data in your organisation and a data flow map that will help you to identify where your data resides. This will enable you to implement measures to reduce your risk of an information security breach.