Complete GDPR Data Mapping Guide

With the introduction of the General Data Protection Regulation (GDPR) and its compliance requirements for businesses, you’ve probably heard the words “data mapping” brought up.

But what exactly is data mapping? Why is it so critically linked to the GDPR?

In this guide, we’ll walk you through the data mapping definition, its purpose and benefits, and why it matters for GDPR compliance. We’ll also explore the data mapping process step-by-step, as well as some helpful examples and resources so that you can create a data map for your business.

This is a lengthy data mapping guide, so feel free to use the table of contents below to jump around as needed.

Table of Contents

  1. What Is Data Mapping?
  2. What Is the Purpose of Data Mapping?
  3. Benefits of Data Mapping for Privacy
  4. What Are Some Data Mapping Challenges?
  5. Data Mapping Best Practices
  6. Data Mapping Examples
  7. Why Data Mapping Matters for GDPR Compliance
  8. How To: Data Mapping Tutorial for GDPR
  9. Data Mapping Techniques
  10. Using a Data Mapping Tool
  11. Data Mapping Resources
  12. Perform Better Data Mapping

What Is Data Mapping?

Data mapping is a system of cataloging what data you collect, how it’s used, where it’s stored, and how it travels throughout your organization and beyond. There are various ways to achieve this goal — whether through a simple spreadsheet or a dedicated data mapping program — and the extent or limit of your data mapping will depend on your business.

However, most data maps should include the following information:

Data mapping is a combination of your data inventory and your data flow

A data map often comes in two parts — a spreadsheet detailing the data you collect and a flow chart depicting the movement of that data through internal systems and external transfers.

Effective data maps require the input of nearly every department

You especially want input from IT, legal, marketing, and HR. Furthermore, documenting every bit of data should be closely supervised by either your data protection officer (DPO) or a senior member of your privacy team.

[Image: data mapping request form example]

Data mapping is not a one-time activity

While it should be carried out as soon as possible, especially if you’re subject to the GDPR, data mapping is an ongoing activity that you should build into your regular business practices.

To get a better grasp of the need for data mapping, read up on the differences between data privacy vs. data security vs. data protection.

What Is the Purpose of Data Mapping?

The purpose of data mapping is to collect all of the information about how your company uses data and present it in a single location.

Data maps provide an easy-to-read structure that displays where your data comes from, who uses it, how it’s stored, and where it gets sent. By generating a data map, you ensure that you have all the information you need to comply with international data privacy laws.

Another purpose of a data map is to find ways to streamline your data processes. With a data map, you can spot redundancies and instances of non-compliance. As a result, you can fix those issues before they become significant legal problems.

Benefits of Data Mapping for Privacy

Data mapping isn’t just a helpful visualization tool. It also offers numerous benefits that can help you provide better privacy for your customers and improve your compliance with the GDPR.

Some of the most valuable benefits of data mapping include:

What Are Some Data Mapping Challenges?

While data mapping has many benefits, including GDPR compliance, it’s not without its challenges. For example, when you first start mapping data processes, you will likely run into problems such as the following:

Determining Whether Data Is Personal

The GDPR applies to information that can be connected to an identified or identifiable natural person, including information such as:

Essentially, any information that could begin to identify someone is covered by the GDPR. Therefore, to properly perform data mapping, you need to determine whether the data is considered personal or not and indicate that in the map itself.

Identifying All Data Processing Activities

Once you’ve determined whether data is personal, you need to go through your organization’s activities and identify every way you use that information.

Data processing as defined by the EU is the:

“collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.”

You need to name all of these activities in your data map, which can be a significant effort for large organizations.

Tracking Your Legal and Regulatory Obligations

The GDPR is a relatively new regulation, so precedent and enforcement surrounding it are subject to change. As these changes are made, you are responsible for monitoring your current obligations regarding consumer privacy. In addition, when changes occur, you’ll need to account for them in your data mapping process by clarifying how your company is living up to the new requirements.

Data mapping is invaluable for modern organizations. Not only does it help you understand how you use and collect information, but it also helps you remain in compliance with the GDPR. While data mapping has its challenges, it’s worthwhile for its direct utility as well as its ability to focus your attention on privacy risks and security flaws.

Data Mapping Best Practices

While managing the mapping process, it can be easy to lose track of the bigger picture. Following some data mapping best practices will help you stay on top of the process and minimize the number of revisions you need to perform.

Choose Your Tools

Before you begin collecting any information, you should decide how you’re going to map the data. Setting up your tools and resources in advance makes it easier to efficiently map out your data processes.

The solution you choose will vary depending on the amount of data your organization processes and what kind of data you collect.

You can start with a simple spreadsheet. However, if you’re mapping a large organization or know you collect a wide variety of data, it might be better to work with a dedicated data mapping tool from the beginning, such as DPOrganizer:

[Image: DPOrganizer example]

Clearly Identify Your Data Sources and Types

The purpose of data mapping is to identify every aspect of your data processes precisely. That means being clear about where your data comes from and what kind of information it is.

Your data map should answer questions such as:

The more specific you can be, the more accurate your overall data map will be.

Keep the Mapping Process Secure

When you’re performing data mapping, you’ll often interact directly with the private data you’re working to protect. Therefore, you need to keep the mapping process just as secure as any other data processing activity.

After all, your data map explains exactly how you protect consumer data, which potentially gives malicious agents the information they need to subvert your security measures.

Your data mapping tools should be as heavily protected as the most secure information you store. For example, only authorized individuals should be able to access or update the map in any way — this keeps the map safe from prying eyes.

Perform Periodic Updates

Your business changes and the data it gathers will change, too. Therefore, it’s considered best practice to update your data map at least quarterly, if not monthly or even weekly. The more often you perform updates, the less likely it is that privacy flaws or non-compliant activities slip through the cracks and cause legal problems.

Retain Records

Your map isn’t enough on its own to provide proof of how you manage customer data. In addition to your map, you should also retain records according to Article 30(1) and Article 30(2) of the GDPR explaining how you transfer data within your company and to external vendors.

These records should include:

By keeping these records, you can demonstrate that your maps are accurate and provide additional resources if you’re subject to a GDPR audit.

Data Mapping Examples

There is no one-size-fits-all format or process for data mapping. Instead, they can come in all different forms, through various means of execution, and in a wide range of sizes and depths.

What your data map looks like will depend mainly on your data processing activities and your budget.

If your business collects, processes, or shares a lot of data, you may want to invest in a software program dedicated to data mapping. Through data mapping software, you’ll likely be working with a dashboard, through which you can navigate to your data inventory, flow chart, location details, and analytics.

Some programs are more technically advanced and should be overseen by the appropriate personnel. Take, for instance, the following examples:

[Image: Altova MapForce example]

[Image: Liquid Technologies data mapper example]

Some CRM solutions boast data mapping functionality, so you may be able to kill two birds with one stone by choosing the right CRM for your business.

If you’d prefer to create your data map outside of a dedicated software service, you’ll most likely end up with a doc, spreadsheet, or map (or all three) detailing your data handling.

Below is an example of a data mapping chart in its simplest form:

[Image: simple data map example]

The above map style can be accomplished as either a document or a spreadsheet and is ideal for companies that don’t collect, process, or transfer large amounts of data. This solution requires entirely manual input and is not highly detailed.

For more involved data activities, creating an interactive Excel map is a good option. This is a scalable solution that still requires manual input but allows you more avenues for tracking and visualizing data processes.

Below is an example of what an interactive Excel data map might look like:

[Image: interactive Excel data map example]

Try this step-by-step guide to making interactive Excel maps like the one above.

These are just a few of the many examples of what a data map can look like. Yours may be any one of these — or any combination of these.

The critical part of data mapping is that the result contains all the necessary information about your data processing activities.

Why Data Mapping Matters for GDPR Compliance

The GDPR is all about updating existing systems and implementing new ones to ensure the safekeeping and fair treatment of the user data you handle. But to properly assess data security, you must first be able to track a piece of data from the point of collection to its eventual deletion.

Without a bird’s eye view of the entire lifecycle of your data, any security measures you implement will be piecemeal at best.

Not only is data mapping an essential foundation for carrying out the overall aims of the GDPR, but it’s also directly mandated by multiple articles of the regulation. That means you’re legally required to perform data mapping regularly to remain in compliance with the law.

The following are reasons why data mapping will help your business comply with the GDPR.

Reason #1: Keep Records of Processing Activities (Article 30)

The most important article regarding GDPR data mapping requirements is GDPR Article 30, titled “Records of processing activities.” This article is most directly responsible for mandating data mapping by organizations.

The regulation states that:

The above obligations shall not apply to an enterprise or an organization employing fewer than 250 persons unless:

Essentially, this article of the regulation is mandating that businesses map their data and make those records available to supervisory bodies upon request.

Reason #2: Perform DPIAs (Article 35)

Under Article 35 of the GDPR, if you process data using new technologies or in a way that potentially puts consumer rights and data at risk, you’re required to perform a data protection impact assessment (DPIA).

“…a process designed to help you systematically analyse, identify and minimise the data protection risks of a project or plan.”

According to IT Governance, carrying out a DPIA requires the following six steps:

  1. Identify the need for the DPIA
  2. Describe the information flow
  3. Identify privacy and related risks
  4. Identify and evaluate privacy solutions
  5. Sign off and record the DPIA outcomes
  6. Integrate the DPIA outcomes into the project plan

Steps 2 and 3 of this DPIA plan are directly related to data mapping. Step 2 is data mapping itself, while Step 3 is an essential component of creating a helpful data map.

If you need to carry out a DPIA, having these critical steps already accomplished from your data mapping efforts will simplify and hasten the process for you or your DPO.

When performing your DPIA, don’t forget to consult your data protection officer (DPO).

Reason #3: Demonstrate Privacy by Design (Article 5)

The fundamental goal of the GDPR is to protect user data by establishing stricter guidelines for the collection and handling of personal information. In Article 5 of the GDPR, the regulation specifies the key principles of data processing, which businesses should follow to meet this end goal.

Among these principles is the idea of Privacy by Design (PbD) — the concept that you should build data protection and privacy measures into every element of your business as an essential building block rather than an afterthought.

According to the text of the GDPR itself, you need to ensure that personal data is:

“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

Accounting for your data, and scouring your processes for weak points through data mapping, are key steps to implementing PbD and ensuring the safekeeping of user data.

Read our comprehensive guide to Privacy by Design to learn more about PbD and how to execute it best.

Reason #4: Establish Lawful Basis of Processing (Article 6)

Under Article 6 of the GDPR, for the processing of data to be done lawfully, it must be performed on one or more of the following six bases:

  1. With the consent of the data subject
  2. For legitimate interests
  3. For the performance of a contract
  4. To comply with a legal obligation
  5. To protect the vital interests of the data subject
  6. For the public interest

When constructing your data map, you should note the purposes for which you collect or process data, along with the legal justification for those activities.

For example, if you collect email addresses from users who sign up to receive newsletters, you can log that category of data along with the note that it’s done based on user consent.

Sifting through your data and determining which basis applies to each of your processing activities will ensure that you aren’t inadvertently collecting or handling data unlawfully. This process can protect you in the event of a privacy inquiry and help you achieve the next GDPR compliance task on our list.

Reason #5: Detail Data Practices (Article 12)

Article 12 of the GDPR establishes the requirement that businesses present their users with clear and comprehensive privacy policies, also referred to as privacy notices. These policies should thoroughly detail your interactions with user data, including what you collect, why you collect it, how it’s stored, where it may be transferred, and other details concerning the collection and movement of users’ personal information.

To assemble this document — and make it GDPR compliant — you need to have a firm grasp of what data passes through your business. With a complete data map, it becomes much easier for you to transcribe that information into a user-friendly privacy policy.

If you’re not sure how to make your privacy notice compliant, use our GDPR-ready privacy policy generator. If you’d prefer to create your own, you can start with a privacy policy template to ensure you aren’t overlooking any necessary sections.

Reason #6: Manage Data Subject Access Requests (Articles 15-18, 20-21)

The GDPR makes a point to grant internet users new rights over their data. Some of the major new rights come from Articles 15–18 and 20–21 of the GDPR, which establish:

These are all components of the GDPR’s mission to grant users more control over their data. For businesses to comply with this section of the regulation, they must allow users a way to exercise these rights.

The most common means of doing so is by offering users a Data Subject Access Request (DSAR) form — a popup or page that allows users to request to access, edit, transfer, or delete their personal data.

[Image: Termly DSAR form example]

Offering users a DSAR form where they can exercise their user rights is one thing — but your job isn’t done until the requests have been addressed. Moreover, data organization is made all the more essential in the event of DSAR submissions as the GDPR stipulates a one-month time limit in which businesses must respond to these requests.

Without an easily accessible, well-organized record of the data collected and processed for each user, along with the reasoning behind each processing activity, responding to each DSAR can be time-consuming and costly. This is where a data map can help alleviate the burden of having to hunt for all the data collected from a user.

Taking the appropriate action if a DSAR comes your way will be made quick and easy if you’ve already mapped your data and can easily access the required information and accompanying details.

Our all-in-one compliance solution offers you a free DSAR form for your website.

Now that you’ve learned why data mapping is important and the benefits it offers your organization, it’s time to explore how to create a data map.

While every organization’s map will look different, the fundamental process remains the same. Below, you’ll learn how to perform data mapping, some data mapping best practices and examples, and choose the tools to simplify the process.

How To: Data Mapping Tutorial for GDPR

Data mapping in accordance with the GDPR is an involved process. However, doing it right the first time can help you save significant time and effort in the long run. Below, you’ll discover the step-by-step process of generating a data map and what you should include.

GDPR Data Mapping Process Step-by-Step

The actual process of data mapping can be confusing. Dividing it into individual steps can help you understand what you need to do. The basic data mapping process can be broken down into six stages, each of which allows you to make your maps more accurate.

1. Collect Data Processing Locations

You need to learn where you’re working with data to create the basic map. To do this, ask everyone in your organization to explain the data processing they perform.

If your staff doesn’t understand what to provide, you can break this down into two questions:

The first time you perform data mapping, you’ll likely need to spend some time sifting through these answers to find the ones that relate to data.

However, in combination, these questions will give you a complete overview of all the information your staff interacts with in any way.

2. Gather Specific Details

Once you’ve identified data processing activities, you can collect further information about each of them. This step is the time to learn about things regulated by the GDPR, such as:

Having a solid understanding of database querying can be particularly beneficial during this stage. Learning basic SQL skills can significantly enhance your ability to efficiently query and analyze data points, ultimately streamlining the data mapping process for GDPR compliance.

If you’re gathering this information manually, the best way to organize it is with some kind of spreadsheet. That will help you keep track of each piece of data and make it easier to cross-reference details later.

For example, the following spreadsheet demonstrates how you might organize a simple data map using the UK’s ICO accountability tracker.

[Image: how to organize a simple data map]

3. Connect Data Processes and Responsible Parties

Once you’ve gathered all of this information, you can build your map.

The simplest method is to upload the data you’ve collected to a data map creator by way of a spreadsheet. However, there are data map tools that can accept various inputs and organize them for you.

You’ll learn more about choosing the right data mapping tools later in this guide.

If you’re developing a graphical map, you can structure each responsible party as a hub, with data transfers connecting them. The data usage and storage processes can be grouped under each hub. The result should be a clear and easily read visual representation of how your organization uses information.

[Image: responsible party GDPR data mapping example]

4. Look for Gaps

Once everything is laid out in front of you in an easy-to-read format, you can start looking for gaps, such as:

These gaps are the places you need to address to make your map accurate and your privacy practices compliant with the GDPR. Then, when you spot them, you can do more in-depth investigations to understand what you’re missing and make any improvements necessary.

5. Generate Reports

Your data map is essential for generating legal reports. Specifically, you’ll need the complete data map to create your Article 30 records of processing activities (ROPA) report. You can also use the map to create asset visualizations, data flow diagrams, and cross-border data transfer maps.

6. Repeat and Maintain

After completing the process, it’s time to return to the beginning. It’s a good idea to update your data maps at least once a quarter to keep them from getting too out of date.

Regularly remapping your data allows you to build off of generally accurate maps and make minor updates instead of having to start from scratch every time. This maintenance ensures that you always have a reasonable understanding of your data processes if you need to produce documentation about them.
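The six stages above, worked through in code as an added example that is not part of the original guide: a small inventory model for stages 2 and 3, a gap check for stage 4, and a flattening into Article 30(1)-style record rows for stage 5. The field names, the partial EEA country list and the sample activities are constructed for illustration and are not taken from any real tool or organization.

```python
# Added example (not from the original guide): an inventory model for stages 2 to 5
# of the data mapping process. Field names, country list and samples are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The six lawful bases of Article 6 as listed in the guide.
LAWFUL_BASES = {
    "consent", "legitimate interests", "contract",
    "legal obligation", "vital interests", "public interest",
}

# Constructed, partial EEA list used only by the transfer check (assumption, not authoritative).
EEA_COUNTRIES = {"DE", "FR", "IE", "NL", "SE", "ES", "IT", "NO", "IS", "LI"}


@dataclass
class Activity:
    """One row of the data inventory (stage 2: gather specific details)."""
    name: str
    responsible_party: str        # hub in the graphical map (stage 3)
    data_categories: List[str]
    personal: bool                # result of the 'is it personal?' decision
    purpose: str
    lawful_basis: str             # one of LAWFUL_BASES, or "" if unknown
    storage_location: str
    retention: str                # e.g. "24 months"; "" if undocumented
    recipients: List[Tuple[str, str]] = field(default_factory=list)  # (name, ISO country)
    transfer_safeguard: str = ""  # e.g. "SCCs"; "" if none documented


def find_gaps(activities: List[Activity]) -> List[str]:
    """Stage 4: flag gaps that make the map inaccurate or a process non-compliant."""
    gaps = []
    for a in activities:
        if not a.responsible_party:
            gaps.append(f"{a.name}: no responsible party recorded")
        if not a.personal:
            continue  # the remaining checks only apply to personal data
        if a.lawful_basis not in LAWFUL_BASES:
            gaps.append(f"{a.name}: no valid Article 6 lawful basis ({a.lawful_basis!r})")
        if not a.retention:
            gaps.append(f"{a.name}: retention period undocumented")
        if not a.storage_location:
            gaps.append(f"{a.name}: storage location undocumented")
        outside = [r for r, cc in a.recipients if cc not in EEA_COUNTRIES]
        if outside and not a.transfer_safeguard:
            gaps.append(f"{a.name}: transfer to {', '.join(outside)} without a documented safeguard")
    return gaps


def ropa_rows(activities: List[Activity]) -> List[Dict[str, str]]:
    """Stage 5: flatten personal-data activities into Article 30(1)-style record rows."""
    rows = []
    for a in sorted(activities, key=lambda x: x.name):
        if not a.personal:
            continue
        rows.append({
            "activity": a.name,
            "responsible_party": a.responsible_party,
            "purpose": a.purpose,
            "lawful_basis": a.lawful_basis,
            "data_categories": "; ".join(a.data_categories),
            "recipients": "; ".join(f"{r} ({cc})" for r, cc in a.recipients) or "none",
            "third_country_safeguard": a.transfer_safeguard or "none",
            "retention": a.retention or "UNDOCUMENTED",
            "storage": a.storage_location,
        })
    return rows


# Constructed sample inventory, as a small company might gather it in stages 1 and 2.
SAMPLE_INVENTORY = [
    Activity("Newsletter signup", "Marketing", ["email address"], True,
             "send product newsletter", "consent", "ESP tenant (IE)", "until unsubscribe",
             recipients=[("EmailVendor", "IE")]),
    Activity("Payroll", "HR", ["name", "bank account", "salary"], True,
             "pay employees", "legal obligation", "HR system (DE)", "10 years"),
    Activity("Web analytics", "Marketing", ["IP address", "device ID"], True,
             "measure site usage", "", "vendor cloud (US)", "",
             recipients=[("AnalyticsCo", "US")]),
    Activity("Office inventory", "Facilities", ["asset tag", "purchase date"], False,
             "track equipment", "", "asset sheet", ""),
]
```

Running `find_gaps(SAMPLE_INVENTORY)` flags only the analytics activity (no lawful basis, no retention period, and a US transfer with no documented safeguard), while `ropa_rows` leaves the non-personal asset sheet out of the record and marks the missing retention period so it is not silently reported as complete.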

What Is Contained in a Data Map?

While every data map will be different, you should still include basic details about the information you’re collecting. These details include:

Following a data mapping diagram like this one on GitHub can help you make sure you’ve included all of the appropriate details. In addition, it offers a simple data mapping tutorial that will help you walk through the process.

Data Mapping Techniques

There are two main kinds of data mapping techniques: manual and automated data mapping. These techniques are suited to different use cases.

Choosing the right one will help you get the most accurate data map possible without overextending your budget or wasting your time.

Manual Data Mapping

If you’ve never generated a data map before, manual data mapping might be the right solution. When you perform manual data mapping, you collect all the information about your data processing by hand and enter it one item at a time into a spreadsheet.

Once you’ve gathered all the relevant details, you can then use this spreadsheet to create a visual representation of all responsible parties, data transfers, and processing activities involved in your organization.

Manual data mapping can quickly become time-consuming as the amount of data your company processes grows. However, if you only manage a small amount of data and you don’t work with many outside vendors, it’s also a less resource-intensive technique. All you need is a spreadsheet program and a basic diagramming tool, such as Microsoft Excel and the flowcharts offered in Microsoft Word.

Automated Data Mapping

The alternative is to use a dedicated data mapping tool that automates the process. Most data mapping programs will scan your company’s systems to look for all sources of data, stored information, and details about that information. They then compile that information into an automatically-generated map that covers all the fine details about how you’re processing data.

All you need to do is look over the program’s results and fine-tune things like the names given to responsible parties and data processes.

Automated data mapping is more resource-intensive but also faster and more accurate for most larger organizations.

You’ll need to make sure the tool is secure, and you’ll likely need to pay to use it. But, in return, you’ll minimize the time you have to spend writing surveys, collating responses, and manually inputting data, leading to a map with less human error.

Using a Data Mapping Tool

The tools you use to perform data mapping will affect every part of the process. While you can do data mapping by hand, it’s not practical for most larger organizations.

The solution is to use a data mapping tool to handle the fine details for you.

With data mapping software, the responsibility for connecting the dots falls to the computer. You just need to secure the program, give it appropriate permissions to scan your systems, and then choose how you want your map to be formatted.

How the Right Data Mapping Tool Can Help

Choosing the right data mapping tool can make all the difference in how quickly and accurately you can produce your data maps. When you’re working with the right tool, you can expect benefits such as:

What To Look for in a Good Data Mapping Tool

Since data mapping must be done regularly, choosing a good tool will save you significant time and effort. But, of course, not every data mapping tool is equally valuable.

You need to choose high-quality data mapping software, or you could wind up wasting more resources than you save.

But what does a good data mapping GDPR tool look like? When you’re making your choice, you should consider elements like:

Data Mapping Resources

When it comes to data mapping, there are both free and paid resources available online.

If you’re undertaking your business’s data map in-house without a dedicated software package, here are some sources where you can find free docs and data mapping in Excel sheets to kick off your efforts:

If you’re willing to shell out some funds for your organization’s GDPR compliance, here are some paid tools for data mapping that can help:

Perform Better Data Mapping

In the past few years, the world has been feeling the effects of the GDPR and the changing privacy standards that have followed. Complying with the massive regulation may seem like an unachievable goal, but addressing the GDPR piece-by-piece will help your business adjust to developing privacy standards and customer demands.

One of the most significant steps you can take to accomplish this is to map your data. Not only is it a critical step toward GDPR compliance, but it’s also a good business practice. Understanding the intersection of data mapping and GDPR compliance and taking advantage of the tools and resources above will ultimately help protect your users’ data — and your business.

Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016.