Why Data Flow Mapping Matters
Data flow mapping — also called data mapping or data inventory — is the process of documenting how personal data moves through your organization. It answers fundamental questions: what data do you collect, where does it come from, what do you do with it, where does it go, and how long do you keep it?
Under GDPR Article 30, organizations processing personal data must maintain a Record of Processing Activities (RoPA). This record must document the purposes of processing, categories of data subjects and personal data, recipients, international transfers, retention periods, and a description of technical and organizational security measures. Data flow mapping is the practical exercise that produces this information.
Beyond GDPR compliance, data flow mapping provides real operational value. You cannot protect what you do not know you have. Many organizations discover during mapping that they process far more personal data than they realized, store it in more places than expected, and share it with more third parties than documented. This visibility is the foundation of effective data protection.
How to Map Your Data Flows
Step 1: Identify Data Sources
Start by listing every point where personal data enters your organization. Common sources include website forms, email, customer portals, mobile apps, third-party data providers, social media, physical documents, employee onboarding, and partner integrations. Interview department heads and process owners to ensure completeness.
Step 2: Document Processing Activities
For each data source, document what happens to the data. Processing under GDPR includes any operation performed on personal data — collection, recording, storage, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction. Map the systems and applications involved in each step.
Step 3: Track Data Destinations
Where does the data end up? This includes internal databases, cloud storage, analytics platforms, CRM systems, email marketing tools, and any third parties the data is shared with. Pay special attention to data that leaves the EU, as international transfers require specific safeguards under GDPR Chapter V.
Step 4: Assign Legal Bases
Every processing activity must have a valid legal basis under GDPR Article 6. The six legal bases are: consent, contractual necessity, legal obligation, vital interests, public interest, and legitimate interest. Assign the correct basis to each data flow and document your reasoning.
Step 5: Define Retention Periods
GDPR's data minimization principle (Article 5(1)(e)) requires that personal data is kept only for as long as necessary for the purposes for which it was collected. Define and document retention periods for each data flow based on legal requirements, contractual obligations, and legitimate business needs.
Step 6: Assess Risk
Our tool automatically assesses each data flow's risk level based on data sensitivity, cross-border transfers, transfer safeguards, legal basis clarity, and whether a DPIA has been conducted. High-risk flows — particularly those involving sensitive data, children's data, or transfers without adequate safeguards — require immediate attention.
When Is a DPIA Required?
GDPR Article 35 requires a Data Protection Impact Assessment (DPIA) when processing is likely to result in a high risk to individuals' rights and freedoms. This includes systematic and extensive evaluation of individuals (profiling), large-scale processing of special categories of data, and systematic monitoring of publicly accessible areas.
Data flow mapping helps you identify which processing activities trigger a DPIA requirement. If your mapping reveals flows involving sensitive data categories, large volumes of personal data, cross-border transfers, or automated decision-making, flag these for DPIA assessment.
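As an added example (not ClevSec's tool code), the screening described in Step 6 and in the DPIA section above can be modelled as a small record per mapped flow plus two checks: a risk level derived from the listed factors, and a DPIA flag from the listed triggers. The point weights, thresholds and category lists are assumptions; the page does not publish the tool's own.

```python
from dataclasses import dataclass

# Constructed lists: GDPR Art. 9/10 special categories and the six Art. 6 bases.
SPECIAL_CATEGORIES = {"health", "biometric", "genetic", "political opinions",
                      "religion", "sexual orientation", "criminal convictions"}
ARTICLE_6_BASES = {"consent", "contract", "legal obligation", "vital interests",
                   "public interest", "legitimate interest"}

@dataclass
class DataFlow:
    name: str
    data_categories: tuple        # e.g. ("name", "health")
    legal_basis: str              # "" means no basis assigned yet (unclear)
    leaves_eu: bool = False       # Chapter V international transfer
    transfer_safeguard: str = ""  # e.g. "SCCs", "adequacy decision"; "" = none
    childrens_data: bool = False
    large_scale: bool = False
    automated_decisions: bool = False
    dpia_done: bool = False

def has_special_data(flow):
    return bool(set(flow.data_categories) & SPECIAL_CATEGORIES)

def needs_dpia(flow):
    # Triggers as listed above: sensitive categories, large volumes, cross-border transfers, automated decisions.
    return (has_special_data(flow) or flow.large_scale
            or flow.leaves_eu or flow.automated_decisions)

def risk_score(flow):
    # Assumed weights over the Step 6 factors; the tool's real weights are not published.
    score = 3 * has_special_data(flow) + 2 * flow.childrens_data
    if flow.leaves_eu:
        score += 1 if flow.transfer_safeguard else 4  # transfer without safeguard
    if flow.legal_basis not in ARTICLE_6_BASES:
        score += 2                                    # legal basis unclear
    if needs_dpia(flow) and not flow.dpia_done:
        score += 2                                    # DPIA trigger, no DPIA yet
    return score

def risk_level(flow):
    score = risk_score(flow)
    return "high" if score >= 5 else "medium" if score >= 1 else "low"

# Constructed sample inventory: a clean flow, a problem flow, a mitigated transfer.
SAMPLE_FLOWS = [
    DataFlow("newsletter", ("email",), "consent"),
    DataFlow("sick leave records", ("name", "health"), "", leaves_eu=True),
    DataFlow("payroll export", ("name", "bank account"), "contract",
             leaves_eu=True, transfer_safeguard="SCCs", dpia_done=True),
]
```

Running `risk_level` and `needs_dpia` over `SAMPLE_FLOWS` marks the newsletter low with no DPIA, the health records high with a DPIA required, and the safeguarded payroll transfer medium.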
Frequently Asked Questions
Who needs to maintain a Record of Processing Activities?
Under GDPR Article 30, all organizations with 250 or more employees must maintain a RoPA. Smaller organizations must also maintain records if their processing is not occasional, includes special categories of data or criminal conviction data, or is likely to result in a risk to individuals' rights and freedoms. In practice, most organizations processing personal data should maintain records.
How often should data flow maps be updated?
Data flow maps should be reviewed at least annually and updated whenever there are changes to processing activities — new systems, new vendors, new data types collected, changes in data sharing arrangements, or organizational restructuring. Integrating data mapping into your change management process ensures maps stay current.
What happens to my data in this tool?
Nothing leaves your browser. All data flows you create exist only in your browser's memory. Nothing is sent to any server or stored anywhere. When you close or refresh the page, all data is gone. Use the export function to save your work as a TSV file or copy the table to your records before leaving.
What are the penalties for not maintaining a RoPA?
Failure to maintain adequate records of processing activities can result in GDPR administrative fines of up to 10 million euros or 2% of annual worldwide turnover, whichever is higher (Article 83(4)). Beyond fines, lack of documentation makes it difficult to demonstrate compliance during a regulatory audit, which can compound other violations.
Disclaimer: This tool is for informational purposes only and does not constitute legal advice. The output is a starting point for GDPR documentation, not a complete Record of Processing Activities. Consult qualified professionals. Created by ClevSec.
Last updated: March 2026