EU GDPR Data Mapping & Data Inventory

Our EU GDPR Data Mapping & Data Inventory service accelerates the creation of a personal data inventory, supporting Article 30 and providing a fundamental building block for demonstrating compliance with EU GDPR.

To demonstrate compliance with EU GDPR, organisations must track a large number of data points, such as which systems in the organisation contain personal data collected from EU citizens, the purpose of the data, whether consent was given by the data subject, and what security protocols are in place to protect the personal data.

An EU GDPR Data Mapping and an EU GDPR Data Inventory can be used for a variety of reasons, including:

• Compliance: EU GDPR Article 30 and other regulations require records of processing activities. The most popular methods of meeting this requirement are data inventories and data maps.

• Privacy statements: To keep privacy statements accurate, based on what the organisation is actually doing.

• Security: Understanding where the data is located and where it flows is the first step to understanding the risk to that data, which allows the proper security safeguards to be put in place.

• Responding to customer requests: Customers may ask what data your product is collecting and where it is being sent. Having a data map makes it easier to reply in a standard way.

• Responding to data subject requests: EU GDPR Article 15 gives individuals the ability to request to correct, port, delete, and access the data that you have about them. Maintaining a central record makes fulfilling these requests much easier.

• Data breach preparation and response: Having a data map can help respond more appropriately to a breach and understand what data may have been exposed based on which applications were impacted by a breach.

• Cost Savings from Consolidation & Minimisation: Mapping your data can also result in the discovery of duplicate data and inefficient business processes that can be streamlined.

• Increasing business value: Identifying data that was unknown may reveal new opportunities to use the data.

Fast Track Your Compliance with EU GDPR Article 30

We begin the EU GDPR Data Mapping & Data Inventory activity with a list of in-scope Business Functions and the appropriate representatives identified.

Our Data Protection & Privacy consultants then conduct an initial Processing Activity Discovery Workshop to determine the Processing Activities occurring within these areas, and to provide an introduction to the EU GDPR Data Mapping & Data Inventory engagement.

Following a Risk-Based Approach, we then agree with your business a sub-set of Processing Activities considered High-Risk for inclusion in the EU GDPR Data Mapping & Data Inventory Activity.

We will use the following criteria to ring-fence the High-Risk processes for the data mapping exercise:

1. Number of customer and employee records involved in the process

2. Number of third-party vendors/suppliers involved in the processing activity

3. The volume of cross-border data transfers involved in the process

4. Potential of the process to be included in responding to data subject rights requests

Processing Activities considered Medium to Low Risk can be included upon request, or can be progressed by your organisation internally as a follow-on activity.

For each High-Risk Processing Activity, we utilise a combination of questionnaire and consultant-led interview techniques to gather extensive information across the following areas:

  • Applications/Assets
  • Data Collection
  • Data Processing
  • Data Sources
  • Data Transfers
  • Data Storage
  • Data Subject Access
  • Data Disposal

The EU GDPR Data Mapping & Data Inventory exercise will be conducted using a series of both on-site and remote interviews (where required) using consultant guided questionnaires and our Privacy Management Platform.

Following a review of the findings, our Data Protection & Privacy Consultants present back the key areas of risk identified, along with clear, targeted recommendations for each High-Risk Processing Activity, to enable compliance to be achieved by your business.

Key Benefits

  • Identifies and prioritises Processing Activities with a high risk of non-compliance with EU GDPR
  • Outlines key compliance risks in high-risk processes and provides recommendations in executive-level terms
  • Supports the Article 30 requirement to create a comprehensive register of processing activity
  • Enables your business to build and maintain a Data Inventory for on-going compliance with EU GDPR
  • Supports business case definition for DSAR (Data Subject Access Request), Right to Erasure and Data Subject Portability process planning, and Breach Notification.

Our Methodology

Step 1: Pre-Assessment Phase (Off-Site)

  • Meeting with key staff members
  • Walk-through of engagement activities, and agree roles.
  • Review of Business line/Business function chart.
  • Review of existing Asset Register, CMDB (if available)
  • Review of current Subject Access Request Procedures (if available)
  • Provide workshop questions to support information gathering in advance of on-site workshop

Step 2: Processing Activity Discovery (On-Site Workshop)

  • Hold scoping workshop with key individuals from Business Line/Business Function heads.
  • Overview of Processing Activity Risk-Assessment Criteria
  • Discuss extent of current personal data holding knowledge and usage for business purposes
  • Walkthrough of Business Lines/Business Functions
  • Walkthrough of all known Data Repositories (On-Prem/Cloud)
  • Walkthrough of Test & Development Environments
  • Walkthrough of End-User Environments
  • Walkthrough of existing Data Subject Access Request Procedure (if available)

Step 3: EU GDPR Data Mapping & Data Inventory Planning (On-Site)

  • Build the list of High-Risk Processing Activities and identify process owners.
  • Agree the High-Risk Processing Activities in-scope of the EU GDPR Data Mapping & Inventory engagement.
  • Identify the key business process owners and technical contacts to support the EU GDPR Data Mapping & Inventory engagement.

Step 4: EU GDPR Data Mapping & Data Inventory Exercise (On-Site/Off-Site)

  • Conduct Data Mapping & Inventory exercise utilising detailed automated questionnaire and consultant-led interviews

Step 5: EU GDPR Data Mapping & Data Inventory Reporting (Off-Site)

  • Risk Assessment of the EU GDPR Data Mapping results performed by our Data Protection & Privacy Consultants.
  • Creation of Risk Register for High-Risk Processing Activities
  • Creation of comprehensive EU GDPR Data Discovery Report

Step 6: EU GDPR Data Mapping & Data Inventory Debrief (On-Site or Off-Site)

  • Walkthrough of EU GDPR Data Mapping & Inventory Report including high-risk findings and recommendations.


  • Total: Dependent on Scope
  • Onsite: Dependent on Scope
  • Remote: Dependent on Scope


  • EU GDPR Data Mapping & Data Inventory Workshop: A workshop with key stakeholders to ensure a clear understanding of obligations, current usage of personal data for business purposes and overview of approach.
  • EU GDPR Data Mapping & Data Inventory Report: A high-level executive report outlining results of the EU GDPR Data Discovery scan, including overall key risks, and outlining compliant and non-compliant data repositories across the environment.
  • EU GDPR Data Mapping & Data Inventory Risk Register: A prioritised list of risks and recommended actions to enable EU GDPR compliance for the agreed high-risk processing activities.

Optional Related services

Learn how EU GDPR Data Mapping & Data Inventory provides the foundation for your EU GDPR project, enabling key processing activities to be prioritised for compliance with the EU GDPR and the UK DPA (Data Protection Act).
