What is Data Mapping?

To manage the personal data in your organisation, first you need to know what you have, where it is, how it’s used and who it’s shared with.

The process of recording all the details is called data mapping.

Data mapping is an essential part of recording and maintaining data compliance across your business.

In order to meet GDPR compliance and ICO expectations, you need to be able to demonstrate: 

  • Your organisation carries out data mapping exercises (also known as information audits) to find out what personal data is held and to understand how the information flows through your organisation.
  • You keep the data map up to date and you clearly assign the responsibilities for maintaining and amending it.
  • You consult your staff to make sure that there is an accurate picture of processing activities. For example, by using questionnaires and staff surveys.

It sounds like a tiresome task, right? And truth be told, it can be, especially when using the traditional methods of spreadsheets, templates and forms. 

Alternatively, there are now smart new and affordable data mapping tools available that help you automatically map, record, and update your data mapping.

These new tools make the whole process a lot more efficient and save a heap of time. 

Example of a Data Map:

It’s up to you how you go about data mapping so long as you are thorough.

Data mapping tools like Privacy Centre can help guide you through this process and provide a more organised and practical approach than traditional spreadsheets.

Privacy center data map

Spreadsheet data map

What Must be Recorded in Your Data Map?

Your data map must record all the data processing that goes on as a result of your business.

This applies to all individuals be they suppliers, customers, members, donors, contractors etc. Everyone.

The data map must include:

  • Type of data collected
  • Lawful basis 
  • Purpose of data collection
  • Retention period of data
  • Place of storage
  • Conditions of data storage
  • Data transfer destinations
  • Sources of the data
  • Nature of personal data (personal, sensitive etc.)
  • Relationship with the individual ( Controller, Processor, Join Controller)

This information you map must be regularly reviewed against your processes. It’s a good idea to do this with the relevant responsible individuals across your organisation.

Where changes to processing occur that might create new risks to the data of individuals, then you should carry out a Data Protection Impact Assessment (DPIA).

A DPIA will allow you to assess and record any new risks and plan how to mitigate them.

The DPIA process is, for the most part, a formality, but one you are expected to carry out diligently and record regularly. 

Privacy Centre’s data mapping tools make the DPIA process easier by automating monotonous tasks whilst guiding you through a regular review process that is recorded and maintained over time. 

How Often Should Your Data Map be Updated?

Ideally, you should review your data map regularly and record that you have reviewed it.

Depending on your business the frequency of these reviews may vary, but conducting a data mapping exercise at least every quarter is a good starting point.

We recommend making an individual in your organisation responsible for carrying out these regular reviews throughout the year. 

Using the Privacy Centre data mapping tool can make this process easy to document correctly and on time without the need for an expert.

Which of Your Team Members Need to be Involved?

The Data mapping exercise is there to capture a holistic view of data processes in your organisation.

The best practice is to involve key decision-makers across all areas of your business operations so as to comprehensively capture a picture of all your data processing

Collaborative data mapping tools can alleviate a lot of the stress in coordinating cross-department collaboration and provide a clear path to follow.