Why you need to be mapping your data (and how to get started)

What is Data Flow Mapping?

Data flow mapping is an important tool within your business to help you better visualise what data you hold, the formats you hold it in, and how it moves through your business and others. It is a form of ‘business process map’ for personal information.

It ultimately allows you to successfully understand the data you are responsible for, how to securely protect that data, and adhere to your obligations under the GDPR.

What do I need to know before I start?

Before starting to map your data, you should ensure you have completed a Data Protection Impact Assessment. This is essential in understanding the risks associated with the data you hold, and the subjects you hold it on. It also helps your business ascertain the measures required to keep the data you are collecting and processing safe and secure.

When do I need to map my data?

Both data mapping and your data protection impact assessment should be completed before you collect or process any data. It helps you to see it, and that makes it easier to get it right.

How do I map my data?

  1. Identify any point at which you collect data within your business. Consider internal sources, such as your website (contact us form), telephone calls etc. Also consider external sources like social media and cloud-based software. You may even buy data.
  2. For each of these unique sources of collection, you will then need to identify what type of data is being collected, and the lawful basis for the collection. N.B. It is worth highlighting at this point any sensitive personal data, as this will require additional security measures to be put in place to protect that data.
  3. Also note in which format the data is being collected. (hard copy, digital, database, bring your own device, mobile phones, etc.).
  4. Next consider who has access to this data, and who is responsible for the data.
  5. Finally, think about how the data moves through your business? Is it shared internally or externally? Note the locations with which the data is shared and stored, and when you need to destroy it.

The final step - protecting your data

To conclude the mapping process, consider the appropriate security measures required to protect the data in question.

As mentioned, sensitive personal data (now called Special Category Data) requires stricter security measures in place. This is why your Data Protection Impact Assessment is so important, as it helps you understand the risks in the security of the data you hold being compromised, and the damage this could do. This will in turn allow you to better understand your responsibilities in relation to that data, and practices necessary to protect it.

Special Category Data is:

  • physical and mental health data
  • racial or ethnic origin data
  • sexual orientation data
  • religious or other philosophical beliefs
  • political memberships
  • trade union memberships
  • genetic or biometric data
  • criminal data.

Consider processing operations

Are there times during your business operations where you perhaps process data without collecting it yourself? Maybe it is shared within your company group?

These operations also need to be mapped, so that you can identify the types and formats of data processed and how they move through your business.

New data collection and processing operations

You will should establish a new data flow map each time a new data journey is identified or undertaken. Make sure you fully understand;

  • the types of data
  • the formats in which it is collected
  • the people with access to the data
  • who is responsible for that data
  • how it moves through your business and is shared outside of it

How can I make mapping easier?

You may find it easier to start with a single data flow for each data entry point, and then combine these later. The important thing is that all entry, collection, share points of data within your organisation are identified. There are many ways you can map data, and it depends on personal preference how you might complete the data flow mapping within your business.

Why is mapping important?

Although data flow mapping can seem like a long and tedious process, it will help immeasurably in understanding what data you collect, how it is transported through your business, and also what safeguards are required to legally protect that data.

In short, it will help your business to become GDPR compliant.


There are resources available including data mapping examples within the Data Guardsman software. Just click the link below to find out more.

By Telephone

Leave a comment

Please note, comments must be approved before they are published