GDPR data mapping: How to tackle complex processes

As part of your EU General Data Protection Regulation (GDPR) compliance project, your organisation will need to understand what personal data it processes. You will likely choose data mapping as a way to meet these requirements.

Key elements of data mapping

A data flow map of a process should chart the entire journey of personal data as it is processed for the purposes specified. If the same data is processed for an additional set of purposes, this constitutes a different process and should be charted in a separate map.

An effective data mapping process will establish:

  • The data items obtained (name, email, address, etc.);
  • The format of the data (hard copy, digital copy, etc.);
  • Transfer methods (internally or externally, post, telephone, etc.); and
  • Where the data is stored (offices, the Cloud, third party, etc.).

Tackling complex processes when data mapping

One of the main challenges in the data mapping process is identifying personal data and how it is stored. Personal data includes name, email address and location.

For each process in your organisation, you can obtain numerous data items, which can be stored in many formats, for example paper or digital.

Complex processes can be even more difficult to deal with

It is important to ensure you get the scope of the process right. The scope should be dictated by the purpose of processing, which in turn is closely tied to the lawful basis of processing the data.

Most processes can be broken down into several smaller processes to make them more manageable.

For example:

  • The sales process for most car dealers involves recording a potential customer’s contact details. The purpose for doing this may be to follow up after an initial interaction. The lawful basis is likely to be one of consent or pursuing legitimate interests.
  • However, most car dealers also offer test drives as part of their sales process. In order to let a customer take a test drive, the dealership needs to take a copy of their driving licence. The purpose for doing this may be managing risk, complying with the law and/or complying with the demands of an insurer. In this case, the lawful basis may well be compliance with a legal obligation or contractual necessity.

In this example, you have two separate processes that are often treated as one, but are much easier to manage when you split them.

Tools to help simplify the data mapping process

Vigilant Software’s Data Flow Mapping Tool simplifies the data mapping process, making your maps easy to review, revise and update as your organisation evolves.

Example of data mapping in preparation for the GDPR using the Data Flow Mapping Tool

The new and improved tool has been geared for repeatability and now allows users to create copies of entire processes and their corresponding maps, along with the ability to label the input points on data and add data subjects to maps to provide an overview of where data is passed on or returned to data subjects.

To see how the Data Flow Mapping Tool can help your organisation meet the GDPR’s requirements, book a live demonstration with one of our dedicated support executives >>



  1. Paul Dewhurst 16th February 2018
    • Chloe Biscoe 16th February 2018
      • Paul 26th February 2018
  2. Wim 6th March 2018
    • Chloe Biscoe 6th March 2018
  3. Wim 7th March 2018
  4. Paul 12th March 2018

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.