General Data Protection Regulation GDPR – DATA MAPPING

“ People, Processes and Technology ”

How Transparent Are Your Data Processing Activities?

What's The Purpose of Data Mapping?

As part of your EU General Data Protection Regulation compliance project, your organisation must understand its processing activities in respect to personal data. To do this, it is important that your organisation understand what personal data is being held, where it came from and where that data is being transmitted. In terms of data discovery, the action of processing should be mapped to a system or person and recorded in addition to the data. This is where Data Mapping comes into play.

Data Mapping is the process of identifying, understanding and mapping out the data flows of an organisation, giving you a holistic overview of the information landscape and is a pre-requisite to being able to secure the data and analyse the data for risks.
Furthermore it will also assist with maintaining data inventory where response to requests to data subject rights, deletion or correction can be undertaken efficiently and effectively.

Data Mapping Overview

Whats Involved in Data Mapping

Data mapping is often cited as one of the first tasks to tackle in any data protection compliance plan and creating a meaningful data map is a big undertaking. It can seem like an over-whelming task, but without understanding what data is being processed, then it’s impossible to ensure your data activities are compliant with the regulation. For example;

    Where does the personal data come from? (such as, the individual directly or a third party);
    What is the data entry point? (for example, telephone call, email, website, paper form);
    What format is data stored in? (Electronic – email, forms, letters, spreadsheet, application data, database records, or paper based)
    Where is data stored? (for example, on a device, in a database, in an application, hosted in the cloud)?
    Which countries is data stored in?
    Where is the data accessible from?

Quality Cert can offer full Data Mapping and classification

QualityCERT provide a data mapping and classification service designed to support you through the process of addressing Article 30 of the GDPR in order to clearly identify all your data flows throughout your organisation. Our mapping solution enables organisations to visualize the entire data lifecycle, maintain a data register, identify gaps and track recommendations and approvals for remediation risk.

The assessment will include:

    The development of data inventory of the personal data that you request, process and store.
    The categorisation of personal data, including sensitive data, that you process or store, which has more stringent requirements under the GDPR.
    The identification of who has access to your personal data to ensure that your data is secure and that your people are adequately trained in data protection. It will also highlight the points within your processes where data is transferred to another processor.
    The identification of risks relating to the GDPR principles – for example, opportunities for data minimisation.

The result from the GDPR data mapping assessment will take the form of structured report detailing a remediation strategy that provides a detailed breakdown of

  • A Full Data Inventory List:
  • Data Forms
  • Data Origins
  • Data Paths
  • Data Exit Points
  • Data Storage Locations

WHY QualityCERT is 1st Choice for Data Mapping and Classification

“Fully qualified professionals with a wealth of practical experience”

QualityCERT’s experienced data protection consultants can help and advise on all aspects of the Data Mapping process. We can provide expert data protection knowledge and the tools, processes and documentation necessary to significantly reduce the resource overhead required to complete the process. This ensures that the findings and recommendations are the most accurate and appropriate as expected by the supervisory authority, the ICO.

Our Data Mapping is conducted by IAPP Certified Information Privacy Professionals. As well as being highly qualified in General Data Protection Regulations our consultants are fully qualified auditors in other quality standards and business management systems.

We are industry practitioners who specialise in data protection, compliance, risk and governance and we are well versed in helping companies become GDPR and ISO certified.

Our GDPR practitioners cover all the key elements of the regulation to ensure you fully understand the steps and approaches your company needs to become GDPR compliant by focusing on providing practical approaches that can be easily implemented into your organisation.

Additionally our instructors have a wealth of ‘hands on’ industrial and commercial experience in the real world. All in all this ensures that you get the best GDPR compliance service available anywhere in the UK.


CIPP/E Certified Privacy Professional Europe

We have consultants certified at the highest level to advise and implement the General Data Protection Regulations (GDPR).

Professional Service

We can advise, train and implement GDPR best practices within your organisation.

Extensive commercial experience.

Our Directors have over 20 years experience in implementing business systems in commercial and industrial environments


Our Consultants are qualified in a range of quality and governance standards including CIPP/E, ISO 27001, ISO 9001, ISO 14001, BS OHSAS 18001, AS 9100D, and PAS 2030.