GDPR Data Mapping Essentials: Guide Your Privacy Compliance Journey
At a glance
Data mapping is not a GDPR requirement. However, many GDPR compliance tasks depend on or are supported by having a complete data map: creating records of processing activities (ROPA), identifying risky data processing, and fulfilling privacy requests.
When creating a data map for GDPR compliance, you’ll want to identify and document the 5Ws plus 1H: who, what, where, why, when, and how.
Manual GDPR data mapping is possible, but it can be extremely time-consuming and generally isn’t recommended. Automated data mapping tools provide better data visibility with the added benefit of automatic updates and reduced compliance risk.
Data mapping for GDPR
When considering a company’s privacy program, the relationship between data mapping and the EU’s General Data Protection Regulation (GDPR) can be confusing. Common questions we hear include:
What is data mapping for the GDPR?
Is this something we need to be doing?
Where do we start?
The truth is that data mapping is not required by the GDPR, but that doesn’t mean you’re off the hook.
According to a 2020 SaaS Trends report, mid-size companies were using an average of 288 different software-as-a-service (SaaS) apps in 2020.
Between 2016 and 2021, the amount of data organizations manage grew from 1.45 petabytes to 14.6 petabytes, a 10x increase.
The sheer quantity of data, combined with the velocity at which businesses implement new systems, is simply staggering. And, ultimately, complying with many GDPR requirements means having a level of knowledge and organization that’s simply not possible without a unified data inventory.
The GDPR may not require companies to complete a full data mapping document, but it does require:
Data subject request fulfillment
Identification and analysis of risky data processing activities
Agentive data breach management, and
Respectful user consent management
Data mapping supports and/or enables all of the items on this list. The next section takes a deeper dive on the specific GDPR articles that require or are supported by some level of data mapping.
GDPR Article 30: Records of processing activities
GDPR Article 30 requires that companies create and maintain records of processing activities (ROPA). ROPA must document:
Data and data categories being processed
Categories of data subjects, i.e. the people whose data is being processed
Purposes of processing (why the data is being processed)
Name and contact details for the data controller
Categories of data recipients
Personal data transfers to third countries or international entities
Envisaged timeframe for data erasure
Data security measures
The final ROPA must be made available digitally and in writing, in a format that’s easy to read and transmit.
GDPR Article 35: Data protection impact assessments
Article 35 requires that any “high risk” data processing undergo a complete data protection impact assessment (DPIA), stating:
“Where a type of processing […] is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
DPIAs help ensure a consumer’s data is safe throughout processing and show privacy regulators that your company is taking the necessary steps.
Balancing risks and benefits is a key part of completing a DPIA. They are not meant to completely eliminate processing risk, but rather should act as a decision-making framework for how and why your company processes data.
So how is data mapping related to the GDPR DPIA requirement? Completing a DPIA means an organization must be able to understand:
What data and data types they’re collecting
How and when it’s being used
Where it’s stored, and
How it flows through different systems
Remember, DPIAs are meant for high-risk data processing activities, and without a clear view of your data, it’s essentially impossible to identify risky processes.
GDPR Article 33: Breach management
Data mapping is also foundational to Article 33 compliance, which requires that companies notify authorities and consumers, within 72 hours, about personal data breaches that may threaten a consumer’s rights and freedoms.
The 72-hour timeline is what should stand out here. Though data mapping is not explicitly required by this article, it’s crucial for:
Understanding what data and which data subjects were impacted
Determining whether the breach could impact a consumer’s rights or freedoms
Gathering the necessary information within the reporting deadline
As we’ve mentioned throughout, data mapping helps companies understand, analyze, and organize an immense data trove that can span hundreds of systems. Attempting to re-create this level of understanding under a 72-hour deadline, while also addressing the vulnerability itself, is not an ideal scenario.
Fulfilling data subject access requests
Under the GDPR (and most modern privacy laws), consumers have the right to request access to their data. This means that, after receiving a request, a company must identify and collate all personal data it holds on that individual and then send them their data in a format that’s easy to read and understand.
Like many of the compliance activities discussed here, data mapping isn’t specifically required under the GDPR right to access. However, it can support the process.
If your company has no idea when it collects personal data and where that data is being stored, collating and packaging that data becomes a Herculean task. The GDPR gives organizations 30 days to fulfill a DSAR, so having a process in place that supports DSAR fulfillment is key to remaining compliant.
What to include in your GDPR data map
Creating a data map for GDPR compliance can be a complex process, especially if you’re not using an automated data mapping tool. However, there are a few key questions that can guide your efforts.
1) Where is data collected?
Identifying where you collect data/understanding your data sources builds the foundation for the rest of your data map. Remember the stat about an average of 288 SaaS tools? Many of those likely represent sources of personal data that should be included in your data map.
Outside of that, you should also look at how your company uses cookies, pixels, or other tracking technology: these tools collect troves of data about what a person does while they browse the internet.
2) What data is collected?
Once you understand where personal data is coming from, you need to know what exactly you’re collecting.
When talking about GDPR data collection, you may have seen the acronym PII, which stands for personally identifiable information. This is actually an older, narrower term that’s not as relevant to modern privacy laws.
The GDPR focuses on “personal data,” which includes PII but extends to a wider array of data elements. The GDPR defines personal data as:
“…any information relating to an identified or identifiable natural person…”
An identifiable natural person is someone who can be identified, directly or indirectly, by their:
Name
ID number
Location data
A screen name, handle, or other online identifier
Facts related to the “physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
So though many people look to create a comprehensive list of PII data when building their data map, they should be working to identify the broader pool of all personal data.
3) Where does the data go?
Understanding where your data goes has two end-goals: creating a map of data flow and identifying whether your data is being transferred out of the EU.
Creating a data flow map is the next logical step after identifying the “where” and “what” of your company’s data collection processes. A data flow map acts as a visual representation of the entire data ecosystem, providing clarity on:
How the systems work together
The role of any data processing partners, and
Potential risks or vulnerabilities
Data flow mapping can be used across a wide variety of scenarios, but in the context of the GDPR it can be particularly useful for identifying cross-border data transfers.
The GDPR does not have specific data location requirements. It does, however, regulate data transfer between the EU and other countries (Article 44), essentially requiring that data transferred out of the EU receive the same protections it had while still in the EU.
In the news
Between 2020-2022, issues around trans-Atlantic data transfer made frequent appearances in the news. Multiple companies were penalized for using Google Analytics on the grounds that it represented an unprotected trans-Atlantic data transfer.
Privacy Shield, the original agreement meant to regulate trans-Atlantic data transfers, was also struck down, on the grounds that it did not properly protect data after it left the EU. Critics claimed the agreement left the door open for law enforcement agencies in the US and elsewhere to obtain the data using national security as the justification.
5) What is the data used for?
Determining how your company uses personal data is critical to GDPR data mapping, as it informs next steps after the map is complete. For example, if you’re using data for “high risk” activities or systematic profiling, you’ll need to complete a DPIA.
More broadly, this exercise will help your company comply with purpose limitation, one of the GDPR’s core principles:
“Personal data shall be […] collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;”
In practice, this means:
You must be clear about why you’re processing data before beginning
Purpose of processing must be documented and included in a publicly available privacy policy
To change the purpose of processing, you must have legal justification or consent, and your new purpose can’t conflict with the original
For reference, GDPR Article 6 outlines six foundations of lawful processing, which include consent, contract fulfillment, protecting vital interests, and more.
6) How long is the data retained?
Defining company-wide data retention policies (how long you keep data before deleting it) is crucial for complying with several GDPR requirements including creating records of processing activities (ROPA), storage limitation, and data minimization.
If you can’t yet define a specific data retention timeline, you should at least define criteria that will help you determine that period as the need arises.
How to manually create a data map for GDPR compliance
Educate your organization
GDPR data mapping is a complex process, one you’re unlikely to complete working alone. Do your research and then create a brief to socialize throughout the organization. This document should outline what data mapping entails and why it’s important for GDPR compliance.
Remember, it’s necessary for complying with Article 30 and plays an important role in identifying what activities require a DPIA (Article 35), effective breach management (Article 33), and DSAR fulfillment.
Meet with key stakeholders
Schedule a meeting with key leaders and managers to set expectations, outline the process, and preemptively field any questions or concerns. This will not only help ensure buy-in, but will get crucial gears turning before the next step.
Send out assessments
After the initial meetings, send out assessments for each team to fill out. These assessments should solicit specific details on each data system and relevant processing activities, including lawful basis, purpose, need for consent, timelines for data retention, and more.
Create your data mapping document
Once you’ve received all completed assessments, combine your findings in a document that is available digitally and in writing.
Ensure consistent updates
GDPR data mapping is not a one-and-done activity. To be compliant, your company’s data map must be current, including all relevant tools, databases, and systems, so it’s very important that you implement a process that ensures continual updates.
For many companies, this process is simply repeating steps three and four on a regularly scheduled basis: sending quarterly surveys or assessments and then manually integrating updates into the existing data map. Due to the complexity and time required, automated data mapping is often a better choice.
Benefits of automated GDPR data mapping
Beyond a certain data quantity, manual data mapping is extremely time consuming and can be prone to error.
Automating some or all of your GDPR data mapping process is recommended in most cases. It will improve your company’s overall GDPR compliance stance and allow your team to focus on their core responsibilities.
Know your data in real-time
For the majority of companies, creating a complete data map can take over a year. This means that, by the time you’ve completed your initial map, the systems you added and updated at the beginning of the year are likely already out of date.
The right automated data mapping tool will scan your website and various data systems to identify sources of data processing, organize everything into a live map, and then run continual automatic updates.
Not only does this remove the burden from an individual or team, but it ensures greater accuracy in a much shorter timeframe.
Save time and resources
Automated data mapping creates a central hub that tracks:
New systems, including the data and data categories they contain
Complete status and data owners for every record
Revisions in data flow stemming from database changes
Automating these tasks saves hours, if not hundreds of hours, that your team can use on other compliance activities.
Reduce risk
Risk comes in many forms, especially for larger companies with more data complexity.
Security risk
Each person involved in a data mapping task represents a vulnerability. At its core, the GDPR deals in the protection of sensitive and personal data, so opening all your company’s data to an increasingly large group of people isn’t ideal.
Not only do automated data mapping platforms limit the number of individuals involved in your data mapping process, but they provide better security overall: secure gateways (that eliminate the need for API key access), end-to-end encryption, and granular access configurations.
Illegal processing
Automated data processing platforms can be configured to flag sensitive data, making it easier to identify and address risky or illegal data processing activities.
Sometimes non-compliant processing simply stems from lack of oversight, but that won’t stop regulators from applying a hefty fine. Automation helps ensure that all your processing activities follow the necessary guidelines.
Complete compliance
In a similar vein, but with a wider view, automated data mapping provides broad support for your privacy compliance program.
Advantageously positioned with a full view of your company’s data, automated tools can help support efficient DSAR fulfillment (with minimal manual intervention), as well as provide critical information about the scope and effects of any potential data breach.
About Transcend
Transcend can help your organization automate data mapping for privacy law compliance. Use Transcend Data Mapping to discover your company’s data silos, classify personal data, and auto-generate reports, all in an easy-to-use, collaborative platform.
Power your company’s regulatory compliance with actionable data governance suggestions based on your real-time data map. Transcend is the first and only data mapping tool that ensures the systems discovered in your data map are seamlessly included in user deletion, access or modification privacy request workflows.