Breach, Governance, Risk and Compliance

Data Mapping: A Key Challenge in Achieving GDPR Compliance

GDPR compliance projects around the world are dependent on knowing what personal information data organizations are collecting or processing.

This is a difficult challenge, as evidenced by recent ISACA research that shows data discovery and mapping is the top challenge/concern respondents have in preparing for GDPR compliance. With due diligence, though, this challenge can be overcome.

The first step is to map or collect all the personal data of the company. What does this mean?

Article 30 of the GDPR (records of processing activities) states that organisations must maintain a record of processing activities under responsibility. That record shall contain all of the following information:

  1. the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
  2. the purposes of the processing;
  3. a description of the categories of data subjects and of the categories of personal data;
  4. the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
  5. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation;
  6. where possible, the envisaged time limits for erasure of the different categories of data;
  7. where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

The most important information: these registers should be able to be presented at the request of the authority. This article does not speak about data mapping explicitly, but if we have this in place, it can be very useful later on.

A data mapping is a special type of data dictionary that shows how data from one information system maps to data from another information system. We can retrieve data mapping manually, through questionnaires and interviews. However, with the 25 May GDPR compliance deadline fast-approaching, there is not enough time for manual mapping. There are, however, some alternatives.

For instance, applications are available that identify personal data stored in databases. This is fully automated, as the engine locates and tags which system or database contains personal data. This enables scanning through thousands of database tables and identifying GDPR-relevant data automatically.

Additionally, software exists that handles all GDPR-related information and registry in one centralized application. This application has several functions, including the data map and records of processing activities.

A key component of any GDPR filing system is an up-to-date data map. Companies can rely on software programs for data maps that show the personal data stored by the company specifying the storage system, the ID and the purpose of storing them. Software can also keep records of processing activities. A well-structured filing system identifies which data of which systems are involved in profiling, or disclosed to a third-party country or organization, and even specifies the duration of data retention.

The GDPR deadline placed added emphasis on the importance of data mapping. By taking an organized, strategic approach and automating where they can, organizations can meet this important challenge.


Laszlo Dellei is an ISACA GDPR Working Group member. Read more ISACA blogs here.

You can skip this ad in 5 seconds