What is GDPR Data Flow Mapping?

Published on : 02 Feb 2021

GDPR data flow mapping

Data Privacy laws around the world have levied stringent obligations on the way businesses are required to handle sensitive data. Non-compliance to these obligations will have severe consequences and penalties, especially in case of a security breach. Organizations looking to achieve GDPR compliance need to map their data flow to assess privacy risks. GDPR Data Mapping is the process of determining the type of data processed and the way they are processed.  This helps determine the risk exposure of your company and systems or applications that are highly exposed to threats.

Conducting a data flow map is an essential part of your Article 30 documentation and the first step into the journey of achieving compliance. They also form a critical part of the Data Protection Impact Assessment. Data mapping is a starting point for compliance with any privacy law and forms a foundation for your privacy program. Today, the article covers details on the process of the GDPR Data Mapping process and important considerations in the process.  Read through the article for a better understanding of what is Data Mapping and set a foundation for your compliance program.

What is Data Mapping?

Data mapping is a fundamental and initial process of Compliance that ensure organizations understand how the data is collected, processed, and flows through the organization. This process is essential for it helps enhance data privacy protections, disclosures, and regulatory compliance. It is an important early step in the journey compliance and audit process.

GDPR Data mapping is an essential requirement of GDPR compliance under Articles 30 and 36 that requires documentation of data processing and requirement of Data Protection Impact Assessments before processing certain critical data.

How is GDPR Data Mapping done? 

Organizations may conduct the Data Mapping process in two ways which include Manual Data Mapping and/or Automated Data Mapping. So, the manual data mapping process involves conducting a manual information search through questionnaires and informational interviews. This way the data is gathered via in-person or paper surveys before being collected and analyzed any further.

On the other hand, the automated data mapping is conducted using advanced technology tools to gather the necessary information to determine the flow of data through the organization. This way the data is gathered via scanners that detect data collection and its flow around the electronic systems throughout the organization.

Most organizations use a combination of automated and manual GDPR Data Mapping. If done correctly, both the processes will achieve the same output. However, there are different benefits and drawbacks to either of the two processes. So, most likely there is a possibility that the result from two independent efforts may be differentBoth the data mapping process helps an organization improve its understanding of personal data through data flow mapping and its level of risk exposure.

Key elements to be determined in GDPR Data Mapping

A comprehensive data mapping process determines the flow of all the data entering and exiting the systems of the organization and around the organization. While conducting GDPR Data Mapping here are certain key elements to be determined for effectively mapping your data.

What type of Data is collected?

Organizations need to get a complete grasp of all the types of personal data that they possess of individuals. This could be anything from customer’s data to website visitor’s data, to their employee data. GDPR considers personal data as any information identified or relatable to identifying a person. This would include name, identification number, location data, online identifier, or one or more physical, physiological, genetic, mental, economic, cultural, or social identity factors specific to a person as under Article 4.

How and where is Data Collected?

Organizations need to identify how and from where personal data is collected or coming into their organization. This is could either come directly from the consumers through an online form or other external resources. Businesses need to understand the type of information they are getting and most importantly the source of the data. This will help them get better clarity on their obligations concerning data collection as under GDPR Regulation.

Where is the data stored and the format in which the data is stored?

For a better understanding of the industry’s best data privacy practices organizations need to know where that data is stored and in what format they are stored. While most organizations store data electronically, there is still a handful who continue to have paper records filed and stored in a physical format. For those stored electronically need to be further investigated as to whether they are stored in the cloud, local servers, local computers, hard drives, or equipment of third-party vendors. This is essential for it helps in implementing necessary security measures around it.

Where does the data flow?

GDPR Data Mapping is an essential process for it important to determine the flow of data within the organization and outside the organization to third-party vendors. It is also important to determine whether the data is crossing international borders when it is being received or transferred by the organization for processing.  This because there are specific implications of personal data being transferred across the boundaries of the European Union to other countries. So, identifying the flow of data is essential.

What is the purpose of collecting or processing the data?

Organizations need to be able to justify reasons for processing the personal data and further provide accurate disclosures to consumers and fulfill Article 30 documentation requirements. Organizations are also required to demonstrate privacy by design and data minimization. For this GDPR Data mapping can help organizations gather such information.

How long is the data retained?

Data retention is another important aspect of privacy by design and data minimization. Although most data flow mapping is focused on collection and sharing, it is equally important to determine the retention period and when the data is deleted by the organization. Information like this surely helps in achieving GDPR Compliance.


For gaining complete visibility over the flow of Personal Data through your organization and to meet the requirement to maintain a record of processing activities as under Article 30 of GDPR, conducting GDPR Data Flow Mapping is essential.

The process helps the organization thoroughly understand the type of personal data processed in the organization and why, where, and how they are stored or transferred throughout the organization. At VISTA InfoSec our experts adopt a structured approach to help you achieve compliance and assist your team with the required support for documenting the existing data flows & processing.

VISTA InfoSec is an international cybersecurity consulting firm serving organizations across the globe for various industry compliance and regulation. Organizations looking for expert advice and assistance in GDPR Data Flow Mapping, you can count on us to make the process much simpler for you. You can schedule a call with our experts to discuss your data mapping strategy here.

Narendra Sahoo
Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.