Data mapping

The following Risk & Compliance guidance note provides comprehensive and up-to-date legal information covering:

  • Data mapping
  • Legal requirement under the GDPR
  • Where to start
  • Mapping your data

This Practice Note provides practical guidance on how to undertake data mapping. It is based on an article by Nicola Fulford of Hogan Lovells and Krysia Oastler of Kemp Little, first published in the Privacy and Data Protection Journal in September 2016.

Data mapping (finding out what personal data your organisation processes) is often cited as one of the first tasks to tackle in a data protection compliance plan.

Data controllers are required to have a written record of data processing activities—such records must be made available to the supervisory authority on request. See Precedent: Data processing register—GDPR compliant. According to ICO Guidance: How do we document our processing activities?:

‘A good way to start is by doing an information audit or data-mapping exercise to clarify what personal data your organisation holds and where. It is important that people across your organisation are engaged in the process; this can help ensure nothing is missed when mapping the data your organisation processes. It is equally important to obtain senior management buy-in so that your documentation exercise is supported and well resourced.’

Data mapping can seem like an overwhelming task, particularly for large global/multi-national businesses. This Practice Note provides practical guidance on how to undertake data mapping, including:

  1. the legal requirements under the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679

  2. some areas to consider when