How to Conduct a GDPR Data Mapping Exercise
Step-by-step guide to performing a comprehensive GDPR data mapping exercise for your organization.
Why Data Mapping Is the Foundation of GDPR Compliance
Data mapping is the process of identifying, cataloging, and documenting every piece of personal data your organization collects, stores, processes, and shares. Under GDPR Article 30, organizations must maintain records of processing activities (ROPA), and a thorough data mapping exercise is the practical way to build and maintain those records.
Without a clear picture of where personal data lives, how it flows, and who has access to it, compliance with virtually every other GDPR obligation becomes guesswork. Data mapping transforms that guesswork into structured, auditable knowledge.
Step 1: Define the Scope of Your Data Mapping Exercise
Before you begin, establish clear boundaries for the exercise.
Questions to Answer Up Front
- Which business units, departments, or subsidiaries are in scope?
- Are you mapping only EU resident data, or all personal data globally?
- Will you include data held by third-party processors?
- What is the timeline for completion?
For most organizations, a phased approach works best. Start with the departments that handle the highest volume of personal data -- typically HR, marketing, sales, and customer support.
Step 2: Identify All Data Sources
Create an inventory of every system, application, and repository that stores or processes personal data.
Common Data Sources
| Category | Examples |
|---|---|
| CRM Systems | Salesforce, HubSpot, Dynamics 365 |
| HR Platforms | Workday, BambooHR, SAP SuccessFactors |
| Marketing Tools | Mailchimp, Marketo, Google Analytics |
| Cloud Storage | AWS S3, Google Drive, SharePoint |
| Databases | PostgreSQL, MySQL, MongoDB |
| SaaS Applications | Slack, Zoom, project management tools |
| Physical Records | Filing cabinets, paper forms |
Do not overlook shadow IT. Survey employees to discover tools and services adopted outside of official IT procurement channels.
Step 3: Catalog the Personal Data Elements
For each data source identified, document the specific categories of personal data stored.
Data Categories to Track
- Identifiers: Names, email addresses, phone numbers, employee IDs
- Financial data: Bank account details, payment card numbers, salary information
- Location data: IP addresses, GPS coordinates, shipping addresses
- Sensitive data: Health records, biometric data, racial or ethnic origin, political opinions
- Behavioral data: Website activity, purchase history, app usage logs
- Technical data: Device identifiers, cookies, browser fingerprints
For each data element, record whether it qualifies as special category data under GDPR Article 9, since such data requires additional safeguards.
Step 4: Map Data Flows
Data rarely stays in one place. Trace the journey of personal data from collection to deletion.
Key Flow Points to Document
- Collection: How and where is the data originally gathered? (web forms, phone calls, third-party sources)
- Storage: Where does it reside? (on-premises servers, cloud regions, employee devices)
- Processing: What operations are performed on it? (analytics, profiling, automated decision-making)
- Sharing: Who receives the data? (internal teams, processors, partners, regulators)
- Transfer: Does data cross borders? (EU to US, EU to Asia, intra-EU transfers)
- Deletion: When and how is data removed?
Create visual diagrams showing these flows. Even simple flowcharts provide enormous value when explaining data practices to regulators or auditors.
Step 5: Document the Legal Basis for Each Processing Activity
GDPR requires a valid legal basis for every processing activity. For each data flow you have mapped, record which of the six legal bases applies.
The Six Legal Bases Under GDPR
- Consent
- Contractual necessity
- Legal obligation
- Vital interests
- Public interest
- Legitimate interests
Where legitimate interests is the basis, document the balancing test you performed. Where consent is relied upon, record how consent is obtained, stored, and withdrawn.
Step 6: Assess Data Retention Periods
For every data category and processing purpose, define how long the data is kept and the justification for that period.
Retention Considerations
- What is the minimum retention period required by law or contract?
- Is the data still necessary for the purpose for which it was collected?
- Are there industry-specific regulations mandating longer retention?
- What is the process for deletion or anonymization once the retention period expires?
Document these in a formal data retention schedule that maps directly to your data inventory.
Step 7: Identify Risks and Gaps
With your data map complete, review it for compliance gaps.
Common Issues Discovered During Data Mapping
- Data stored in regions without adequate GDPR protections
- No documented legal basis for certain processing activities
- Retention periods that exceed what is necessary
- Third-party processors without signed Data Processing Agreements
- Sensitive data stored without appropriate technical safeguards
- Lack of access controls on systems containing personal data
Prioritize these gaps by risk severity and create a remediation plan with clear ownership and deadlines.
Step 8: Build Your Records of Processing Activities
Use the information gathered to compile your ROPA as required by Article 30. Each entry should include:
- Name and contact details of the controller (and DPO, if applicable)
- Purposes of processing
- Categories of data subjects and personal data
- Categories of recipients
- International transfers and safeguards used
- Retention periods
- Description of technical and organizational security measures
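The gap review in Step 7 and the ROPA fields in Step 8 can be driven from the same inventory record. The following is an added example, not part of the original guide: the field names, the adequacy list and the sample newsletter activity (including the vendor name) are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Constructed for this example: regions treated as needing no transfer safeguard.
ADEQUATE_REGIONS = {"EU", "EEA", "UK", "CH"}
# The six legal bases listed in Step 5.
LEGAL_BASES = {"consent", "contract", "legal obligation", "vital interests",
               "public interest", "legitimate interests"}

@dataclass
class Activity:
    purpose: str
    subjects: List[str]
    data_categories: List[str]
    special_category: bool              # Article 9 data, per Step 3
    legal_basis: Optional[str]
    retention_days: int
    justified_days: int                 # longest period the Step 6 schedule supports
    storage_region: str
    transfer_safeguard: Optional[str]   # e.g. "SCCs"; None if undocumented
    processors: List[Tuple[str, bool]]  # (vendor, DPA signed?)
    safeguards: List[str]               # technical measures actually in place

def find_gaps(act: Activity) -> List[str]:
    """Flag the Step 7 issues present on one mapped processing activity."""
    gaps = []
    if act.storage_region not in ADEQUATE_REGIONS and not act.transfer_safeguard:
        gaps.append("stored outside an adequate region with no transfer safeguard")
    if act.legal_basis not in LEGAL_BASES:
        gaps.append("no documented legal basis")
    if act.retention_days > act.justified_days:
        gaps.append("retention period exceeds what is justified")
    gaps += [f"processor {v} without signed DPA" for v, ok in act.processors if not ok]
    if act.special_category and "encryption at rest" not in act.safeguards:
        gaps.append("special category data without technical safeguards")
    if "access controls" not in act.safeguards:
        gaps.append("no access controls on system")
    return gaps

def ropa_entry(act: Activity, controller: str) -> dict:
    """Build the Article 30 record fields listed in Step 8 from one activity."""
    transfer = None if act.storage_region in ADEQUATE_REGIONS else {
        "region": act.storage_region, "safeguard": act.transfer_safeguard}
    return {"controller": controller, "purpose": act.purpose, "data_subjects": act.subjects,
            "data_categories": act.data_categories,
            "recipients": [v for v, _ in act.processors], "transfer": transfer,
            "retention_days": act.retention_days, "security_measures": act.safeguards}

# Constructed sample: a newsletter list held with a US email vendor (hypothetical name).
NEWSLETTER = Activity("marketing emails", ["subscribers"], ["email address", "click logs"],
                      False, "consent", 1095, 730, "US", None, [("MailVendorCo", False)],
                      ["encryption at rest", "access controls"])
```

Running `find_gaps` over every inventory row gives the prioritised remediation list from Step 7, while `ropa_entry` emits the matching Article 30 record so the two never drift apart.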
Step 9: Establish an Ongoing Maintenance Process
Data mapping is not a one-time project. Your data landscape changes every time a new system is deployed, a vendor is onboarded, or a business process is modified.
Keeping Your Data Map Current
- Assign data mapping ownership to a specific role or team
- Integrate data mapping reviews into change management processes
- Schedule quarterly or semi-annual reviews of the full data inventory
- Use automated data discovery tools to supplement manual efforts
- Train staff to report new data processing activities
Tools and Templates for Data Mapping
You do not need expensive software to start. Many organizations begin with spreadsheets before graduating to dedicated tools.
Options by Maturity Level
| Maturity Level | Approach |
|---|---|
| Basic | Spreadsheets with standardized templates |
| Intermediate | Purpose-built GRC platforms |
| Advanced | Automated data discovery and classification tools |
The key is consistency in format and thoroughness in coverage, regardless of the tool used.
How GlobalDataShield Supports Your Data Mapping Efforts
Organizations using GlobalDataShield benefit from built-in data residency controls that simplify one of the most complex aspects of data mapping -- tracking where data physically resides. When your hosting infrastructure enforces geographic boundaries by design, your data flow documentation becomes significantly easier to maintain.
Whether you are conducting your first data mapping exercise or refining an existing program, pairing strong governance processes with infrastructure that enforces residency requirements by default is the most reliable path to sustained GDPR compliance.