How to undertake data mapping

This Practice Note provides practical guidance on how to undertake data mapping. It is based on an article by Nicola Fulford of Hogan Lovells and Krysia Oastler of Kemp Little, first published in the Privacy and Data Protection Journal.

Data mapping (finding out what personal data your organisation processes) is often cited as one of the first tasks to tackle in a data protection compliance plan.

Data controllers are required to have a written record of data processing activities—such records must be made available to the supervisory authority on request. See Precedent: Data processing register. According to ICO Guidance: How do we document our processing activities?:

‘A good way to start is by doing an information audit or data-mapping exercise to clarify what personal data your organisation holds and where. It is important that people across your organisation are engaged in the process; this can help ensure nothing is missed when mapping the data your organisation processes. It is equally important to obtain senior management buy-in so that your documentation exercise is supported and well resourced.’

Data mapping can seem like an overwhelming task, particularly for large global/multi-national businesses. This Practice Note provides practical guidance on how to undertake data mapping, including:

  1. the legal requirements under the UK General Data Protection Regulation, Regulation (EU) 2016/679 (UK GDPR)

  2. some areas to consider when planning