GDPR Data Mapping The Definitive Guide

Benefits of data mapping

Creating ROPA or GDPR Article 30 report:

  1. Controller’s name and contact details, along with joint controller if applicable
  2. Purpose(s) of processing
  3. Description of categories of data subjects and categories of personal data
  4. Categories of third parties with whom data has been or will be disclosed, including recipients in third countries or international organizations
  5. If a controller is transferring personal data to a third country or an international organization, such country/organizations should be identified, and safeguards should be documented.
  6. Expected time limits for erasure of the different categories of data
  7. Description of technical and organizational security measures (Article 32(1))
  1. Understand how the data is flowing from one place to another;
  2. Describe the data flow and consider practical implications and future usage; and
  3. Identify the key elements such as data items, formats, location, access, ownership, purpose, and accountability.

Identifying vendors affected by Schrems II Judgement

  1. Identify the types of personal data that is being transferred to
  2. Identify the types of persona data that is being accessed from
  3. List down the countries and the extent of data transfer
  4. Find out the export mechanism being relied on previously (Privacy Shield, SCCs, or binding corporate rules)
  5. For each type of personal data, note its quantity and sensitivity

Managing DSAR and other individual rights;

How to do data mapping?

  • What is GDPR?
  • Cost of non-compliance: Highlight that it can be up to 10 Million Euros, showing a trend of fines over the years is a plus and can really drive alignment. Enforcement Tracker has some great graphics that you can use.
  • Give an example of a recent fine and how data mapping could have prevented it.
  • Benefits: Refer to the benefits section to create a compelling slide
  • Resource Planning & Timelines: It’s important to highlight if you will need project managers to help you, also highlight what help you need from other team members who will be responding to your questions. Finally, touch on how long the project will run.
  • Budget for privacy consultants
  1. Kick-Off Meetings: Congratulations on getting the management buy-in, we still need to ensure our respondents who are indifferent business functions understand the scope of the project. Kick-off meetings can be used to explain the role of each business function, answer their doubts, reinforce why this project is important to the organization.
  2. Workshop: A great way to end these kick-off meetings are workshops. Here the idea is for you to simulate the questions and walkthrough with two-three members so that everyone gets expected answers, ask doubts. We have observed a lot of people who ask questions in these workshops, and it leads to a successful data mapping exercise.
  3. Define Processing Activity: The biggest challenge in getting information for data mapping is an empty state, that leads to inertia for people to give answers. This is why we recommend breaking the questions in two phases, the first step should be to define key business processes:
  4. Getting more information: Once you have basic information, you can send a detailed assessment for each of these processes where you can ask questions around Purpose, Legal Basis, Consent, Rights, amongst others.
  5. Data Flow Mapping: The final step to complete is to map your internal assets, vendors, third parties to each process. IT, Engineering teams have this information, leverage the asset register that IT might already have and start from there. Ensure location, Technical & Organizational measures are associated with finishing the data map.
  6. Finding Gaps: After the initial information collection, you will sit on a heap of data. It’s important to find the gaps that exist currently. Some of the common ones are:
  • Lack of compatibility between Excel and Visio: If you update your processing activities, you will also need to update your data flow diagram(s).
  • Lack of automation: Generating reports, finding gaps will take a lot of time
  • Management Dashboard: Presenting the benefits of data mapping to the management will require you to create a lot of visual reports manually
  • Purpose: They are general purpose applications, while is specifically built to partner with your organization in achieving hassle-free GDPR compliance.
  • Transfers: Do we have an appropriate mechanism for cross-border transfers?
  • Consent: Is our consent as per GDPR standard?
  • Privacy Notice: Have we included all purposes and legal basis of processing in our privacy notice?
  • Employee notice: Are we giving privacy notices to employees. This is generally overlooked and can be a major area of non-compliance
  • Technical & Organizational Measures: You should prioritize security budget towards high-risk processes where sensitive data is being used, or processing itself has risks.
  • DPIAs: Identify processes where a DPIA is needed
  • ROPA or Article 30 report
  • Asset Maps: Visualize how your assets are placed globally
  • Cross-Border Transfers: Visualize data transfers between geographies
  • Data Flow Diagram



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Jasdeep Cheema

Jasdeep Cheema

Entrepreneur and Data privacy Evangelist.