Data flow mapping under the EU GDPR

As part of a GDPR (General Data Protection Regulation) compliance project, organisations will need to map their data and information flows in order to assess their privacy risks. This is also an essential first step for completing a DPIA (data protection impact assessment), which is mandatory for certain types of processing.

The key elements of data mapping

To effectively map your data, you need to understand the information flow, describe it and identify its key elements.

Understand the information flow

An information flow is a transfer of information from one location to another, for example:

  • From inside to outside the European Economic Area; or
  • From suppliers and sub-suppliers to customers.


Describe the information flow

  • Walk through the information lifecycle to identify unforeseen or unintended uses of data. This also helps to minimise the data that is collected.
  • Identify the lawful basis and purpose for collecting data.
  • Make sure the people who will be using the information are consulted on the practical implications.
  • Consider the potential future uses of the information collected, even if it is not immediately necessary.

Identify its key elements

  • Data items
    What kind of data is being processed (name, email, address, etc.) and what category does it fall into (health data, criminal records, location data, etc.)?
  • Formats
    In what format do you store data (hardcopy, digital, database, bring your own device, mobile phones, etc.)?
  • Transfer method
    How do you collect data (post, telephone, social media) and how do you share it internally (within your organisation) and externally (with third parties)?
  • Location
    What locations are involved within the data flow (offices, the Cloud, third parties, etc.)?
  • Accountability
    Who is accountable for the personal data? Often this changes as the data moves throughout the organisation.
  • Access
    Who has access to the data in question?

Want to know more about data flow mapping under the GDPR?

Data flow mapping is a key step to complete once an organisation has carried out its overall gap analysis. Download this informative guide to Conducting a Data Flow Mapping Exercise under the GDPR to discover why data flow mapping is so important.

Download now

The key challenges of data mapping

Identifying personal data

Personal data can reside in a number of locations and be stored in a variety of formats, such as paper, electronic and audio. Your first challenge is deciding what information you need to record and in what format. Completing a data map will aid in identifying duplicated information.

Putting in place “appropriate technical and organisational measures”

The second challenge is likely to be identifying and implementing appropriate measures – covering technology, policies and procedures, and staff training – to protect information while also determining who controls access to it.

Identifying the purpose and legal basis of the processing

Your final challenge is determining your legal basis and purpose for each processing activity. Both can change as your processing activity changes and you need to ensure you take into account legal and contractual obligations in addition to the GDPR, for example, the PCI DSS (Payment Card Industry Data Security Standard) and ISO 27001 (the information security standard).

Once you’ve completed these three challenges, you’ll be in a position to move forward, gaining the trust and confidence of your customers and other key stakeholders.

Webinar | Conducting a data flow mapping exercise under the GDPR

Watch our webinar below to find out more about conducting a data flow mapping under the GDPR.

To help organisations understand what a data flow mapping exercise involves, this webinar will discuss: 

  • The GDPR remedies, liabilities and penalties; 
  • Data flows and identifying the key elements; 
  • The benefits of conducting a data mapping exercise; 
  • The challenges of data mapping; and 
  • Techniques and best practices for data flow mapping.

Read more about what the Data Flow Mapping Tool has to offer.


How IT Governance can help you

We have a selection of tools and software that can support your organisation’s GDPR compliance, no matter how far along your project is.

To gain full visibility over the flow of personal data through your organisation and meet the requirement to maintain a record of processing activities under Article 30 of the EU GDPR (General Data Protection Regulation), we recommend the Data Flow Mapping Tool.

Speak to an expert

Please contact our team for advice and guidance on our products and services.

This website uses cookies. View our cookie policy