GDPR Data Mapping Essentials: Guide Your Privacy Compliance Journey

• Data mapping is not a GDPR requirement. However, many GDPR compliance tasks—creating records of processing activity (ROPA), identifying risky data processing, and fulfilling privacy requests—depend on or are supported by having a complete data map.

• When creating a data map for GDPR compliance, you’ll want to identify and document the 5Ws plus 1H: who, what, where, why, when, and how.

• Manual GDPR data mapping is possible, but can be extremely time consuming and generally isn’t recommended. Automated data mapping tools provide better data visibility with the added benefit of automatic updates and reduced compliance risk.

• Data mapping for GDPR

  • Article 30: Records of processing activities

  • Article 35: Data protection impact assessments

  • Article 33: Breach management

  • Fulfilling data subject access requests

• What to include in your GDPR data map

• How to manually create a data map for GDPR compliance

• Benefits of automated GDPR data mapping

When considering a company’s privacy program, the relationship between data mapping and the EU’s General Data Protection Regulation (GDPR) can be confusing. Common questions we hear include:

• What is data mapping for the GDPR?

• Is this something we need to be doing?

• Where do we start?

The truth is that data mapping is not required by the GDPR—but that doesn’t mean you’re off the hook.

In 2020, mid-size companies were using an average of 288 different software-as-a-service (SaaS) apps, according to a 2020 SaaS Trends report.

Between 2016 and 2021, the amount of data organizations manage grew from 1.45 petabytes to 14.6 petabytes—a 10x increase.

The sheer quantity of data combined with velocity at which businesses implement new systems is simply staggering. And, ultimately, complying with many GDPR requirements means having a level of knowledge and organization that’s simply not possible without a unified data inventory.

The GDPR may not require companies to complete a full data mapping document, but it does require:

• Records of processing activities (ROPA)

• Data subject request fulfillment

• Identification and analysis of risky data processing activities

• Agentive data breach management, and

• Respectful user consent management

Data mapping supports and/or enables all of the items on this list. The next section takes a deeper dive on the specific GDPR articles that require or are supported by some level of data mapping.

Learn more about the basics of data mapping here.

GDPR Article 30 requires that companies create and maintain records of processing activities (ROPA). ROPA must document:

• Data and data categories being processed

• Categories of data subjects i.e. people whose data is being processed

• Purposes of processing (why the data is being processed)

• Name and contact details for the data controller

• Categories of data recipients

• Personal data transfers to third countries or international entities

• Envisaged timeframe for data erasure

• Data security measures

The final ROPA must be made available digitally and in writing, in a format that’s easy to read and transmit.

Check out our full guide to GDPR Article 30 requirements.

Article 35 requires that any “high risk” data processing undergo a complete data protection impact assessment (DPIA), stating:

“Where a type of processing […] is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”

DPIAs help ensure a consumer’s data is safe throughout processing and shows privacy regulators that your company is taking the necessary steps.

Balancing risks and benefits is a key part of completing a DPIA. They are not meant to completely eliminate processing risk, but rather should act as a decision-making framework for how and why your company processes data.

So how is data mapping related to the GDPR DPIA requirement? Completing a DPIA means an organization must be able to understand:

• What data and data types they’re collecting

• How and when it’s being used

• Where it’s stored, and

• How it flows through different systems

Remember, DPIAs are meant for high-risk data processing activities and without a clear view of your data, it’s essentially impossible to identify risky processes.

Additional resources

• What is a DPIA?

• When do we need to do a DPIA?

Data mapping is also foundational to Article 33 compliance, which requires that companies notify authorities and consumers, within 72 hours, about personal data breaches that may threaten a consumer’s rights and freedoms.

The 72 hour timeline is what should stand out here. Though data mapping is not explicitly required by this article, it’s crucial for:

• Understanding what data and which data subjects were impacted

• Whether the breach could impact a consumer’s rights or freedoms

• Gathering the necessary information within the reporting deadline

As we’ve mentioned throughout, data mapping helps companies understand, analyze, and organize an immense data trove that can span hundreds of systems. Attempting to re-create this level of understanding under a 72 hour deadline, while also addressing the vulnerability itself, is not an ideal scenario.

Under the GDPR (and most modern privacy laws), consumers have the right to request access to their data. This means, after receiving a request, a company must identify and collate all personal data they hold on that individual and then send them their data in a format that’s easy to read and understand.

Like many of the compliance activities discussed here, data mapping isn’t specifically required under the GDPR right to access. However, it can support the process.

If your company has no idea when it collects personal data and where that data is being stored, collating and packaging that data becomes a herculean task. The GDPR gives organizations 30 days to fulfill a DSAR, so having a process in place that supports DSAR fulfillment is key to remaining compliant.

Creating a data map for GDPR compliance can be a complex process, especially if you’re not using an automated data mapping tool. However, there are a few key questions that can guide your efforts.

Identifying where you collect data/understanding your data sources builds the foundation for the rest of your data map. Remember the stat about an average of 288 SaaS tools? Many of those likely represent sources of personal data that should be included in your data map.

Outside of that, you should also look at how your company uses cookies, pixels, or other tracking technology—these tools collect troves of data about what a person does while they browse the internet.

Once you understand where personal data is coming from, you need to know what exactly you’re collecting.

When talking about GDPR data collection, you may have seen the acronym PII, which stands for personally identifiable information. This is actually an older, narrower term that’s not as relevant to modern privacy laws.

The GDPR focuses on “personal data,” which includes PII but extends to a wider array of data elements. The GDPR defines personal data as:

“…any information relating to an identified or identifiable natural person…”

An identifiable natural person is someone who can be identified, directly or indirectly, by their:

• Name

• ID number

• Location data

• A screen name, handle, or other online identifier

• Facts related to the “physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

So though many people look to create a comprehensive list of PII data when building their data map, they should be working to identify the broader pool of all personal data.

Understanding where your data goes has two end-goals—creating a map of data flow and identifying whether your data is being transferred out of the EU.

Creating a data flow map is the next logical step after identifying the ‘where’ and ‘what’ of your company’s data collection processes. A data flow map acts as a visual representation of the entire data ecosystem, providing clarity on:

• How the systems work together

• The role of any data processing partners, and

• Potential risks or vulnerabilities

Data flow mapping can be used across a wide variety of scenarios, but in the context of the GDPR it can be particularly useful for identifying cross-border data transfers.

The GDPR does not have specific data location requirements. It does however regulate data transfer between the EU and other countries (Article 44)—essentially requiring that data transferred out of the EU receive the same protections it had while still in the EU.

Between 2020-2022, issues around trans-Atlantic data transfer made frequent appearances in the news. Multiple companies were penalized for using Google Analytics on the grounds that it represented an unprotected trans-Atlantic data transfer.

Privacy Shield, the original agreement meant to regulate trans-Atlantic data transfers was also struck down, on the grounds that it did not properly protect data after it left the EU. Critics claimed the agreement left the door open for law enforcement agencies in the US and elsewhere to obtain the data using national security as the justification.

Determining how your company uses personal data is critical to GDPR data mapping, as it informs next steps after the map is complete. For example, if you’re using data for “high risk” activities or systematic profiling, you’ll need to complete a DPIA.

More broadly, this exercise will help your company comply with purpose limitation—one of the GDPR’s core principles.

Personal data shall be […] collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

In practice, this means:

• You must be clear about why you’re processing data before beginning

• Purpose of processing must be documented and included in a publicly available privacy policy

• To change the purpose of processing, you must have legal justification or consent and your new purpose can’t conflict with the original

For reference, GDPR Article 6 outlines six foundations of lawful processing, which include consent, contract fulfillment, protecting vital interests, and more.

Defining company-wide data retention policies (how long you keep data before deleting it) is crucial for complying with several GDPR requirements including creating records of processing activities (ROPA), storage limitation, and data minimization.

If you can’t yet define a specific data retention timeline, you should at least define criteria that will help you determine that period as the need arises.

GDPR data mapping is a complex process, one you’re unlikely to complete working alone. Do your research and then create a brief to socialize throughout the organization. This document should outline what data mapping entails and why it’s important for GDPR compliance.

Remember, it’s necessary for complying with Article 30 and plays an important role in identifying what activities require a DPIA (Article 35), effective breach management (Article 33), and DSAR fulfillment.

Schedule a meeting with key leaders and managers to set expectations, outline the process, and preemptively field any questions or concerns. This will not only help ensure buy-in, but will get crucial gears turning before the next step.

After the initial meetings, send out assessments for each team to fill-out. These assessments should solicit specific details on each data system and relevant processing activities, including lawful basis, purpose, need for consent, timelines for data retention, and more.

Once you’ve received all completed assessments, combine your findings in a document that is available digitally and in writing.

GDPR data mapping is not a one and done activity. To be compliant, your company’s data map must be current—including all relevant tools, databases, and systems—so it’s very important that you implement a process that ensures continual updates.

For many companies, this process is simply repeating steps three and four on a regularly scheduled basis: sending quarterly surveys or assessments and then manually integrating updates into the existing data map. Due to the complexity and time required, automated data mapping is often a better choice.

Beyond a certain data quantity, manual data mapping is extremely time consuming and can be prone to error.

Automating some or all of your GDPR data mapping process is recommended in most cases. It will improve your company’s overall GDPR compliance stance and allow your team to focus on their core responsibilities.

For the majority of companies, creating a complete data map can take over a year. This means that, by the time you’ve completed your initial map, the systems you added and updated at the beginning of the year are likely already out of date.

The right automated data mapping tool will scan your website and various data systems to identify sources of data processing, organize everything into a live map, and then run continual automatic updates.

Not only does this remove the burden from an individual or team, but it ensures greater accuracy in a much shorter timeframe.

Automated data mapping creates a central hub that tracks:

• New systems, including the data and data categories they contain

• Complete status and data owners for every record

• Revisions in data flow stemming from database changes

Automating these tasks saves hours, if not hundreds of hours, that your team can use on other compliance activities.

Risk comes in many forms, especially for larger companies with more data complexity.

Each person involved in a data mapping task represents a vulnerability. At its core, the GDPR deals in the protection of sensitive and personal data—so opening all your company’s data to an increasingly large group of people isn’t ideal.

Not only do automated data mapping platforms limit the number of individuals involved in your data mapping process, but they provide better security overall: secure gateways (that eliminate the need for API key access), end-to-end encryption, and granular access configurations.

Automated data processing platforms can be configured to flag sensitive data—making it easier to identify and address risky or illegal data processing activities.

Sometimes non-compliant processing simply stems from lack of oversight, but that won’t stop regulators from applying a hefty fine. Automation helps ensure that all your processing activities follow the necessary guidelines.

In a similar vein, but with a wider view, automated data mapping provides broad support for your privacy compliance program.

Advantageously positioned with a full view of your company’s data, automated tools can help support efficient DSAR fulfillment (with minimal manual intervention), as well as provide critical information about the scope and effects of any potential data breach.

Transcend can help your organization automate data mapping for privacy law compliance. Use Transcend Data Mapping to discover your company’s data silos, classify personal data, and auto-generate reports – all in an easy-to-use, collaborative platform.

Power your company’s regulatory compliance with actionable data governance suggestions based on your real-time data map. Transcend is the first and only data mapping tool that ensures the systems discovered in your data map are seamlessly included in user deletion, access or modification privacy request workflows.