Mapping Your Data for Privacy Compliance

Mapping Your Data for Privacy Compliance

Andrew Abwoga
06 October 2020

Data mapping is a system of cataloging what data you collect, how it’s used, where it is stored, and how it travels throughout your organization. Privacy regulations such as GDPR, CCPA and others specify data mapping as a requirement. That makes data mapping a critical exercise in being able to stay compliant with privacy regulations. This blog will highlight tips on how to do a data mapping exercise.

What is a Data Map?

What is a Data Map?
Downloadable data mapping template by Anthony Budd

A data map should typically include the information below:

  • What data is collected
  • Whether the data is Personal Identifiable Information (PII)
  • What is the legal basis for processing that data
  • Why the data is being collected
  • How long will the data be stored
  • Under what conditions is the data stored? Are there any protections around it
  • Where data is transferred
  • Where are third-party recipients located
  • What protections are in place when the data is being transferred

Having this information will help to: 

  1. Keep records of processing activities - Both CCPA, GDPR and other regulations mandate that businesses map their data and make the records available to supervisory authorities upon request.
  2. Perform data protection impact assessments (DPIAs) - if you process data using new technologies, or in a way that potentially puts consumer rights and data at risk, you may be required to perform a data protection impact assessment.
  3. Demonstrate Privacy By Design (PbD) - This is the concept that data protection and privacy measures should be built into every element of your business – as an essential building block, rather than an afterthought.
  4. Establish a lawful basis for processing data - When constructing your data map, you should note the purposes for which you collect or process data, along with the legal justification for those activities.
  5. Detail Data Practices - Users should be furnished with privacy policies and the policies should thoroughly detail your interactions with user data, including what to collect, why it’s collected, how it is stored, where it may be transferred e.t.c.
  6. Manage Data Subject Access Requests - Users must have a means of exercising their privacy rights. The most common means of doing so is by offering users a Data Subject Access Request (DSAR) form.

Phases of Data Mapping

A data mapping exercise entails four key tasks:

  1. Identifying and understanding the data types your hold within your organization 
    1. Identify your data subjects: employees, customers 
    2. Identify your data subject’s properties such as name, address, gender, etc.
    3. What format is it in? Is it in forms, letters, spreadsheets, backups, database records, etc.
    4. What is it used for, how is it processed and who is the owner?
  2. Classifying your data
    1. Rate the data based on its sensitivity
  3. Discovering your data
    1. Where is the data stored or transmitted and to whom? Is it hosted in the cloud? How is data backed up and where is it stored?

There are many kinds of tools, both free and commercial, that can be used to conduct this exercise. You can also make use of a simple spreadsheet. Most importantly, you have to make sense of how the output of your data mapping exercise will demonstrate privacy compliance.


Data mapping is a critical skill to have when you decide to take on privacy compliance. Also, a key thing to consider when you make choices about your backup tools or other data storage locations is how well the storage/backup technology is going to help you achieve privacy compliance, essentially Privacy By Design (PbD). For instance in Backup Ninja, privacy is a core component of the system’s functionality, not an add-on. PbD is effectively embedded into the information architecture from the outset, so a business should not be required to take any sort of action to protect their privacy.