Data mapping

The following Risk & Compliance guidance note provides comprehensive and up-to-date legal information covering:

  • Data mapping
  • Legal requirement under the GDPR
  • Where to start
  • Mapping your data

Brexit: As of exit day (31 January 2020), the UK is no longer an EU Member State, but it has entered an implementation period during which it continues to be treated by the EU as a Member State for many purposes. The UK must continue to adhere to its obligations under EU law, including in relation to data protection, and the ICO has confirmed the GDPR will continue to apply during the implementation period. For more information, see: Practice Note: Brexit—implications for data protection.

This Practice Note provides practical guidance on how to undertake data mapping. It is based on an article by Nicola Fulford of Hogan Lovells and Krysia Oastler of Kemp Little, first published in the Privacy and Data Protection Journal in September 2016.

Data mapping (finding out what personal data your organisation processes) is often cited as one of the first tasks to tackle in a data protection compliance plan.

Data controllers are required to have a written record of data processing activities—such records must be made available to the supervisory authority on request. See Precedent: Data processing register—GDPR compliant. According to ICO Guidance: How do we document our processing activities?:

‘A good way to start is by doing an information audit or data-mapping exercise to clarify what personal data your organisation holds and where. It is important that people across