Complete GDPR Data Mapping Guide

With the introduction of the General Data Protection Regulation (GDPR) and its compliance requirements for businesses, you’ve probably heard the words “data mapping” brought up.

But what exactly is data mapping? Why is it so critically linked to the GDPR?

In this guide, we’ll walk you through the data mapping definition, its purpose and benefits, and why it matters for GDPR compliance. We’ll also explore the data mapping process step-by-step, as well as some helpful examples and resources so that you can create a data map for your business.

This is a lengthy data mapping guide, so feel free to use the table of contents below to jump around as needed.

What Is Data Mapping?

Data mapping is a system of cataloging what data you collect, how it’s used, where it’s stored, and how it travels throughout your organization and beyond. There are various ways to achieve this goal — whether through a simple spreadsheet or a dedicated data mapping program — and the extent or limit of your data mapping will depend on your business.

However, most data maps should include the following information:

• What data you collect
• Whether that data is sensitive or personal
• The legal basis for processing that data — this should reference the six legal bases established by the GDPR, which we will explain below
• Why data is being collected
• Where data is stored
• For how long data is stored
• Under what conditions data is stored — you should answer the question: What protective measures are in place within your organization?
• Where data is transferred
• Where third-party recipients are located — making specific note of international data transfers
• What protocols are in place to protect data during transfers

Data mapping is a combination of your data inventory and your data flow

A data map often comes in two parts — a spreadsheet detailing the data you collect and a flow chart depicting the movement of that data through internal systems and external transfers.

Effective data maps require the input of nearly every department

You especially want input from IT, legal, marketing, and HR. Furthermore, documenting every bit of data should be closely supervised by either your data protection officer (DPO) or a senior member of your privacy team.

Data mapping is not a one-time activity

While it should be carried out as soon as possible — especially if you’re subject to comply with the GDPR, data mapping is an ongoing activity that you should implement into your regular business practices.

What Is the Purpose of Data Mapping?

The purpose of data mapping is to collect all of the information about how your company uses data and present it in a single location.

Data maps provide an easy-to-read structure that displays where your data comes from, who uses it, how it’s stored, and where it gets sent. By generating a data map, you ensure that you have all the information you need to comply with international data privacy laws.

Another purpose of a data map is to find ways to streamline your data processes. With a data map, you can spot redundancies and instances of non-compliance. As a result, you can fix those issues before they become significant legal problems.

Benefits of Data Mapping for Privacy

Data mapping isn’t just a helpful visualization tool. It also offers numerous benefits that can help you provide better privacy for your customers and improve your compliance with the GDPR.

Some of the most valuable benefits of data mapping include:

What Are Some Data Mapping Challenges?

While data mapping has many benefits, including GDPR compliance, it’s not without its challenges. For example, when you first start mapping data processes, you will likely run into problems such as the following:

Determining Whether Data Is Personal

The GDPR applies to information that can be connected to an identified or identifiable natural person, including information such as:

• Names
• Identification numbers
• Online identifies
• Phone numbers
• Addresses
• Credit card numbers
• Appearance
• Location data
• Ethnic, religious, genetic, physiological, social, or commercial identifiers

Essentially, any information that could begin to identify someone is covered by the GDPR. Therefore, to properly perform data mapping, you need to determine whether the data is considered personal or not and indicate that in the map itself.

Identifying All Data Processing Activities

Once you’ve determined whether data is personal, you need to go through your organization’s activities and identify every way you use that information.

Data processing as defined by the EU is the:

“collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.”

Examples include:

• Storing MAC and IP addresses
• Emailing customers about promotions
• Storing customer data for future contact
• Posting photos of a person
• Recording security footage
• Managing payroll

You need to name all of these activities in your data map, which can be a significant effort for large organizations.

Tracking Your Legal and Regulatory Obligations

The GDPR is a relatively new regulation, so precedent and enforcement surrounding the bill are subject to change. As these changes are made, you are responsible for monitoring your current obligations regarding consumer privacy. In addition, when changes occur, you’ll need to account for them in your data mapping process by clarifying how your company is living up to the new requirements.

Data mapping is invaluable for modern organizations. Not only does it help you understand how you use and collect information, but it also helps you remain in compliance with the GDPR. While data mapping has its challenges, it’s worthwhile for its direct utility as well as its ability to focus your attention on privacy risks and security flaws.

Data Mapping Best Practices

While managing the mapping process, it can be easy to lose track of the bigger picture. Following some data mapping best practices will help you stay on top of the process and minimize the number of revisions you need to perform.

Choose Your Tools

Before you begin collecting any information, you should decide how you’re going to map the data. Setting up your tools and resources in advance makes it easier to efficiently map out your data processes.

The solution you choose will vary depending on the amount of data your organization processes and what kind of data you collect.

You can start by using a simple spreadsheet, however, if you’re mapping a large organization or know you collect a wide variety of data. In that case, it might be better to work with a dedicated data mapping tool from the beginning such as DPOrganizer:

Clearly Identify Your Data Sources and Types

The purpose of data mapping is to identify every aspect of your data processes precisely. That means being clear about where your data comes from and what kind of information it is.

Your data map should answer questions such as:

• Did you collect the information directly from the customer or a third party?
• Is the customer aware that you have collected their data?
• What kind of data have you collected? For example, is it a name, IP address, email address, phone number, physical location, or another identifying piece of information?

The more specific you can be, the more accurate your overall data map will be.

Keep the Mapping Process Secure

When you’re performing data mapping, you’ll often interact directly with the private data you’re working to protect. Therefore, you need to keep the mapping process just as secure as any other data processing activity.

After all, your data map explains exactly how you protect consumer data, which potentially gives malicious agents the information they need to subvert your security measures.

Your data mapping tools should be as heavily protected as the most secure information you store. For example, only authorized individuals should be able to access or update the map in any way — this keeps the map safe from prying eyes.

Perform Periodic Updates

Your business changes and the data it gathers will change, too. Therefore, it’s considered best practice to update your data map at least quarterly, if not monthly or even weekly. The more often you perform updates, the less likely it is that privacy flaws or non-compliant activities slip through the cracks and cause legal problems.

Retain Records

Your map isn’t enough on its own to provide proof of how you manage customer data. In addition to your map, you should also retain records according to Article 30(1) and Article 30(2) of the GDPR explaining how you transfer data within your company and to external vendors.

These records should include:

• The specific controller responsible for the transfer, along with their contact details
• Who the data was transferred to
• Why and how it was transferred
• How to get in contact with that party
• Security measures covering the transfer
• A description of the transmitted data
• When the data is expected to be erased

By keeping these records, you can demonstrate that your maps are accurate and provide additional resources if you’re subject to a GDPR audit.

Data Mapping Examples

There is no one-size-fits-all format or process for data mapping. Instead, they can come in all different forms, through various means of execution, and in a wide range of sizes and depths.

What your data map looks like will depend mainly on your data processing activities and your budget.

If your business collects, processes, or shares a lot of data, you may want to invest in a software program dedicated to data mapping. Through data mapping software, you’ll likely be working with a dashboard, through which you can navigate to your data inventory, flow chart, location details, and analytics.

Some programs are more technically advanced and should be overseen by the appropriate personnel. Take, for instance, the following examples:

Altova MapForce

Liquid Technologies

Some CRM solutions boast data mapping functionality, so you may be able to knock out two birds with one stone by choosing the right CRM for your business.

If you’d prefer to create your data map outside of a dedicated software service, you’ll most likely end up with a doc, spreadsheet, or map (or all three) detailing your data handling.

Below is an example of a data mapping chart in its simplest form:

by Anthony Budd

The above map style can be accomplished as either a document or a spreadsheet and is ideal for companies that don’t collect, process, or transfer large amounts of data. This solution requires all manual input and is not highly detailed.

For more involved data activities, creating an interactive Excel map is a good option. This is a scalable solution that still requires manual input but allows you more avenues for tracking and visualizing data processes.

Below is an example of what an interactive Excel data map might look like:

Try this step-by-step guide to making interactive Excel maps like the one above.

These are just a few of the many examples of what a data map can look like. Yours may be any one of these — or any combination of these.

The critical part of data mapping is that the result contains all the necessary information about your data processing activities.

Why Data Mapping Matters for GDPR Compliance

The GDPR is all about updating existing systems and implementing new ones to ensure the safekeeping and fair treatment of the user data you handle. But to properly assess data security, you must first be able to track a piece of data from the point of collection to its eventual deletion.

Without a bird’s eye view of the entire lifecycle of your data, any security measures you implement will be piecemeal at best.

Not only is data mapping an essential foundation for carrying out the overall aims of the GDPR, but it’s also directly mandated by multiple articles of the regulation. That means you’re legally required to perform data mapping regularly to remain in compliance with the law.

The following are reasons why data mapping will help your business comply with the GDPR.

Reason #1: Keep Records of Processing Activities (Article 30)

The most important article regarding GDPR data mapping requirements is GDPR Article 30, titled “Records of processing activities.” This article is most directly responsible for mandating data mapping by organizations.

The regulation states that:

• Each controller and, where applicable, the controller’s representative shall maintain a record of processing activities under its responsibility.
• Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller.
• The records…shall be in writing, including in electronic form.
• The controller or the processor…shall make the record available to the supervisory authority on request.

The above obligations shall not apply to an enterprise or an organization employing fewer than 250 persons unless:

• The processing it carries out is likely to result in a risk to the rights and freedoms of data subjects
• The processing is not occasional
• The processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offenses referred to in Article 10

Essentially, this article of the regulation is mandating that businesses map their data and make those records available to supervisory bodies upon request.

Reason #2: Perform DPIAs (Article 35)

Under Article 35 of the GDPR, if you process data using new technologies or in a way that potentially puts consumer rights and data at risk, you’re required to perform a data protection impact assessment (DPIA).

A DPIA, as defined by the U.K.’s Information Commissioner’s Office (ICO), is:

“…a process designed to help you systematically analyse, identify and minimise the data protection risks of a project or plan.”

According to IT Governance, carrying out a DPIA requires the following six steps:

1. Identify the need for the DPIA
2. Describe the information flow
3. Identify privacy and related risks
4. Identify and evaluate privacy solutions
5. Sign off and record the DPIA outcomes
6. Integrate the DPIA outcomes into the project plan

Steps 2 and 3 of this DPIA plan are directly related to data mapping. Step 2 is data mapping itself, while Step 3 is an essential component of creating a helpful data map.

If you need to carry out a DPIA, having these critical steps already accomplished from your data mapping efforts will simplify and hasten the process for you or your DPO.

Reason #3: Demonstrate Privacy by Design (Article 5)

The fundamental goal of the GDPR is to protect user data by establishing stricter guidelines for the collection and handling of personal information. In Article 5 of the GDPR, the regulation specifies the key principles of data processing, which businesses should follow to meet this end goal.

Among these principles is the idea of Privacy by Design (PbD) — the concept that you should build data protection and privacy measures into every element of your business as an essential building block rather than an afterthought.

According to the text of the GDPR itself, you need to ensure that personal data is:

“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

Accounting for your data, and scouring your processes for weak points through data mapping, are key steps to implementing PbD and ensuring the safekeeping of user data.

Reason #4: Establish Lawful Basis of Processing (Article 6)

Under Article 6 of the GDPR, for the processing of data to be done lawfully, it must be performed on one or more of the following six bases:

1. With GDPR consent of the data subject
2. For GDPR legitimate interests
3. For the performance of a contract
4. To comply with a legal obligation
5. To protect the vital interests of the data subject
6. For the public interest

When constructing your data map, you should note the purposes for which you collect or process data, along with the legal justification for those activities.

For example, if you collect email addresses from users who sign up to receive newsletters, you can log that category of data along with the note that it’s done based on user consent.

Sifting through your data and determining which basis applies to each of your processing activities will ensure that you aren’t inadvertently collecting or handling data unlawfully. This process can protect you in the event of a privacy inquest and help you achieve the next GDPR compliance task on our list.

Reason #5: Detail Data Practices (Article 12)

Article 12 of the GDPR establishes the requirement that businesses present their users with clear and comprehensive privacy policies, also referred to as privacy notices. These policies should thoroughly detail your interactions with user data, including what you collect, why you collect it, how it’s stored, where it may be transferred, and other details concerning the collection and movement of users’ personal information.

To assemble this document — and make it GDPR compliant — you need to have a firm grasp of what data passes through your business. With a complete data map, it becomes much easier for you to transcribe that information into a user-friendly privacy policy.

If you’re not sure how to make your privacy notice compliant, use our GDPR-ready privacy policy generator. If you’d prefer to create your own, you can start with a privacy policy template to ensure you aren’t overlooking any necessary sections.

Reason #6: Manage Data Subject Access Requests (Articles 15-18, 20-21)

The GDPR makes a point to grant internet users new rights over their data. Some of the major new rights come from Articles 15–18 and 20–21 of the GDPR, which establish:

These are all components of the GDPR’s mission to grant users more control over their data. For businesses to comply with this section of the regulation, they must allow users a way to exercise these rights.

The most common means of doing so is by offering users a Data Subject Access Request (DSAR) form — a popup or page that allows users to request to access, edit, transfer, or delete their personal data.

Offering users a DSAR form where they can exercise their user rights is one thing — but your job isn’t done until the requests have been addressed. Moreover, data organization is made all the more essential in the event of DSAR submissions as the GDPR stipulates a one-month time limit in which businesses must respond to these requests.

Without an easily accessible, well-organized record of the data collected and processed for each user, along with the reasoning behind each processing activity, responding to each DSAR can be time-consuming and costly. This is where a data map can help alleviate the burden of having to hunt for all the data collected from a user.

Taking the appropriate action if a DSAR comes your way will be made quick and easy if you’ve already mapped your data and can easily access the required information and accompanying details.

Now that you’ve learned why data mapping is important and the benefits it offers your organization, it’s time to explore how to create a data map.

While every organization’s map will look different, the fundamental process remains the same. Below, you’ll learn how to perform data mapping, some data mapping best practices and examples, and choose the tools to simplify the process.

How To: Data Mapping Tutorial for GDPR

Data mapping in accordance with the GDPR is an involved process. However, doing it right the first time can help you save significant time and effort in the long run. Below, you’ll discover the step-by-step process of generating a data map and what you should include.

GDPR Data Mapping Process Step-by-Step

The actual process of data mapping can be confusing. Dividing it into individual steps can help you understand what you need to do. The basic data mapping process can be broken down into six stages, each of which allows you to make your maps more accurate.

1. Collect Data Processing Locations

You need to learn where you’re working with data to create the basic map. To do this, ask everyone in your organization to explain the data processing they perform.

If your staff doesn’t understand what to provide, you can break this down into two questions:

• What are your daily, monthly, and yearly tasks?
• What metrics and KPIs do you track or interact with?

The first time you perform data mapping, you’ll likely need to spend some time sifting through these answers to find the ones that relate to data.

However, in combination, these questions will give you a complete overview of all the information your staff interacts with in any way.

2. Gather Specific Details

Once you’ve identified data processing activities, you can collect further information about each of them. This step is the time to learn about things regulated by the GDPR, such as:

• Data collection: This includes the purpose, source, legal basis, location, and consent for the collected data.
• Data use: Why and how the information is being used.
• Data storage: The security measures, conditions, format, and length of time the data is kept.
• Data transfer: The locations and parties to which data is transferred, the purpose for the transfer, and the security measures around the transfer.

If you’re gathering this information manually, the best way to organize it is with some kind of spreadsheet. That will help you keep track of each piece of data and make it easier to cross-reference details later.

For example, the following spreadsheet demonstrates how you might organize a simple data map using the UK’s ICO accountability tracker.

3. Connect Data Processes and Responsible Parties

Once you’ve gathered all of this information, you can build your map.

The simplest method is to upload the data you’ve collected to a data map creator by way of a spreadsheet. However, there are data map tools that can accept various inputs and organize them for you.

You’ll learn more about choosing the right data mapping tools later in this guide.

If you’re developing a graphical map, you can structure each responsible party as a hub, with data transfers connecting them. The data usage and storage processes can be grouped under each hub. The result should be a clear and easily read visual representation of how your organization uses information.

4. Look for Gaps

Once everything is laid out in front of you in an easy-to-read format, you can start looking for gaps, such as:

• Places where you don’t have all the information you need to determine if you’re in compliance
• Data processes that are not compliant
• Missing transfers
• Missing responsible parties
• Vague, inaccurate, or conflicting processes

These gaps are the places you need to address to make your map accurate and your privacy practices compliant with the GDPR. Then, when you spot them, you can do more in-depth investigations to understand what you’re missing and make any improvements necessary.

5. Generate Reports

Your data map is essential for generating legal reports. Specifically, you’ll need the complete data map to create your Article 30 ROPA report. You can also use the map to create asset visualizations, data flow diagrams, and cross-border data transfer maps.

6. Repeat and Maintain

After completing the process, it’s time to return to the beginning. It’s a good idea to update your data maps at least once a quarter to keep them from getting too out of date.

Regularly remapping your data allows you to build off of generally accurate maps and make minor updates instead of having to start from scratch every time. This maintenance ensures that you always have a reasonable understanding of your data processes if you need to produce documentation about them.

What Is Contained in a Data Map?

While every data map will be different, you should still include basic details about the information you’re collecting. These details include:

Following a data mapping diagram like this one on Github can help you make sure you’ve included all of the appropriate details. In addition, it offers a simple data mapping tutorial that will help you walk through the process.

Data Mapping Techniques

There are two main kinds of data mapping techniques: manual and automated data mapping. These techniques are suited to different use cases.

Choosing the right one will help you get the most accurate data map possible without overextending your budget or wasting your time.

Manual Data Mapping

If you’ve never generated a data map before, manual data mapping might be the right solution. When you perform manual data mapping, you collect all the information about your data processed by hand and enter them one at a time into a spreadsheet.

Once you’ve gathered all the relevant details, you can then use this spreadsheet to create a visual representation of all responsible parties, data transfers, and processing activities involved in your organization.

Manual data mapping can quickly become time-consuming as the amount of data your company processes grows. However, if you only manage a small amount of data and you don’t work with many outside vendors, it’s also a less resource-intensive technique. All you need is a spreadsheet program and a basic graphic designer program, such as Microsoft Excel and the flowcharts offered in Microsoft Word.

Automated Data Mapping

The alternative is to use a dedicated data mapping tool that automates the process. Most data mapping programs will scan your company’s systems to look for all sources of data, stored information, and details about that information. They then compile that information into an automatically-generated map that covers all the fine details about how you’re processing data.

All you need to do is look over the program’s results and fine-tune things like the names given to responsible parties and data processes.

Automated data mapping is more resource-intensive but also faster and more accurate for most larger organizations.

You’ll need to make sure the tool is secure, and you’ll likely need to pay to use it. But, in return, you’ll minimize the time you have to spend writing surveys, collating responses, and manually inputting data, leading to a map with less human error.

Using a Data Mapping Tool

The tools you use to perform data mapping will affect every part of the process. While you can do data mapping by hand, it’s not practical for most larger organizations.

The solution is to use a data mapping tool to handle the fine details for you.

With data mapping software, the responsibility for connecting the dots falls to the computer. You just need to secure the program, give it appropriate permissions to scan your systems, and then choose how you want your map to be formatted.

How the Right Data Mapping Tool Can Help

Choosing the right data mapping tool can make all the difference in how quickly and accurately you can produce your data maps. When you’re working with the right tool, you can expect benefits such as:

• Streamlined data analysis: You need to track data from dozens or even hundreds of different sources in your data map. This data will appear in many different formats that need to be reconciled into a single map. A good data mapping tool will handle the transformation of that data and streamline the analysis process by ensuring everything is accurately compiled into a single source.
• Better transparency: The purpose of a data map is to clarify how you’re collecting, using, storing, and sending information. An excellent data mapping tool will help make every step of that process more transparent. Your analysts should be able to use the tool to check every step of the process and confirm details of what the overall data map is reporting. That transparency can help you spot errors, glitches, and potential risks where a more opaque tool can’t.
• Ease of updates: Data mapping needs to be performed regularly. A good tool will make it easy to perform regular updates to your maps and track the changes made across every update to learn how your organization is improving. They should also help you prevent data loss by saving old maps and allowing you to revert to previous versions in case of file corruption or errors.

What To Look for in a Good Data Mapping Tool

Since data mapping must be done regularly, choosing a good tool will save you significant time and effort. But, of course, not every data mapping tool is equally valuable.

You need to choose high-quality data mapping software, or you could wind up wasting more resources than you save.

But what does a good data mapping GDPR tool look like? When you’re making your choice, you should consider elements like:

• Ease of use: Any tool you need to use regularly should be intuitive and easy to use. The best data mapping tools make it easy to input data, read the result, and customize your experience. That allows you to handle the regular demands of data mapping in less time, every time.
• Flexibility: Great tools should also be flexible. You’ll likely need the program to work with a wide range of file formats when you’re uploading information. The right data mapping program for you should be flexible enough to handle the formats you use most often, whether those are XML, JSON, Excel, SQL, SAP, SAS, or Microsoft CRM files.
• Automation: The best data mapping tools help you avoid wasting time entirely. These programs offer automation capabilities to run new data map reports for you. You can find programs that will automatically run new reports on certain days or after specific events. These programs make data mapping almost entirely hands-off, streamlining the process from days or weeks to mere hours.

Data Mapping Resources

When it comes to data mapping, there are both free and paid resources available online.

If you’re undertaking your business’s data map in-house without a dedicated software package, here are some sources where you can find free docs and data mapping in Excel sheets to kick off your efforts:

• Isle of Man Information Commissioner: Here, you’ll find some helpful guides on data mapping, along with printable data mapping document template sheets that you can fill in with your business’s corresponding information.
• U.K. Information Commissioner’s Office (ICO): The ICO offers a detailed guide, including checklists and downloadable documentation templates for both data processors and data controllers.
• IAPP Data Mapping Tool: While this resource is technically free, you need to be an IAPP member to access it. You can access a free demo of the tool to see whether IAPP membership is worth the use of the tool.
• IT Governance Data Mapping Green Paper: Here, you can find a free green paper about data mapping or access one of their paid data mapping tools.
• Astera Data Mapping eBook: In exchange for your contact details, you can download a free ebook about the ins and outs of data mapping from Astera.
• Pinterest: It may not be the first place you think to look, but Pinterest hosts a variety of free data flow templates, checklists, spreadsheets, and infographics.

If you’re willing to shell out some funds for your organization’s GDPR compliance, here are some paid tools for data mapping that can help:

• IT Governance Data Flow Audit
• Vigilant Software’s Data Flow Mapping Tool
• Astera Data Mapping

Perform Better Data Mapping

In the past few years, the world has been feeling the effects of the GDPR and the changing privacy standards that have followed. Complying with the massive regulation may seem like an unachievable goal, but addressing the GDPR piece-by-piece will help your business adjust to developing privacy standards and customer demands.

One of the most significant steps you can take to accomplish this is to map your data. Not only is it a critical step toward GDPR compliance, but it’s also a good business practice. Understanding the intersection of data mapping and GDPR compliance and taking advantage of the tools and resources above will ultimately help protect your users’ data — and your business.

More about the author

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author