You know you need to comply with GDPR, but where do you actually start? Article 30 requires every controller to maintain a Record of Processing Activities — and that record starts with a data map. GDPR data mapping is the process of building a living inventory of what personal data your organisation processes, where it lives, who has access to it, and why. Without it, you are guessing at compliance rather than demonstrating it. This guide walks you through the process in five practical steps, aimed at small and mid-sized businesses that need results without a six-figure consulting budget.
What is a GDPR data map?
A data map answers four fundamental questions about your organisation's personal data:
- What data do you process? Names, email addresses, financial records, health data, device identifiers — itemised and classified by sensitivity.
- Where does it live? Which services, databases, and devices store it? Where is it backed up? Is any of it on local machines?
- Who has access? Which teams or roles can read, modify, or export it? Through which services?
- Why, and for how long? What is the legal basis for each processing activity, and when must the data be deleted?
These four questions feed directly into the Record of Processing Activities required by Article 30. But a data map goes further than a ROPA — it includes access patterns, data flows between services, device security posture, and risk assessment. The ROPA tool guide covers the register itself in detail. The data map is the foundation that makes the ROPA accurate.
Why spreadsheets don't scale
A spreadsheet is fine when you have three services and ten data items. It breaks down the moment your organisation grows beyond that. You cannot meaningfully link a service to its data items, legal bases, users, and outbound transfers in a flat table. You end up duplicating rows, creating cross-reference tabs, and hoping someone remembers to update all of them when a service changes.
Once you pass 20 services — and most organisations get there faster than they think — the spreadsheet becomes a liability rather than a tool. Inconsistencies creep in, gaps go unnoticed, and the document drifts from reality. As the ROPA tool guide explains, auditors expect structured, current records — not colour-coded tabs with broken formulas.
5 steps to create your GDPR data map
Step 1: Inventory your services
Start by listing every service that touches personal data. The obvious ones come first: your CRM, email provider, cloud storage, HR system. Then go deeper. Messaging tools, analytics platforms, payment processors, marketing automation, even operating system telemetry — all of these process personal data.
Most organisations underestimate their service count by half. Readmodel® includes a template library with over 200 pre-configured service templates covering common SaaS tools, cloud platforms, and infrastructure services. Pick from the library, add your custom internal systems, and you have a solid starting point in minutes. Create a free account and try the template library yourself.
Step 2: Document data items per service
For each service, document what personal data it processes. Be specific — "customer data" is not a data item. Break it down: full name, email address, phone number, billing address, payment card last four digits, purchase history. Each item gets its own record.
Then enrich each data item with three critical attributes:
- Classification — how sensitive is it? Public, internal, confidential, special category?
- Legal basis — which of the six GDPR Article 6 grounds justifies processing this item?
- Retention period — how long do you keep it, and what triggers deletion?
These three attributes drive your risk score and determine whether a Data Protection Impact Assessment may be required. A missing legal basis or retention period is exactly the kind of gap that auditors flag.
Step 3: Map who has access
Access mapping connects people to data. Document which roles or teams access which services: the HR team uses the HR system, Marketing uses the CRM and the email platform, Finance uses the accounting tool. Map at the role level, not individual accounts — this keeps the model maintainable.
Then map which data items each service can access. This creates the full chain: User → Service → Data Item. You can now answer the question every DSAR response requires: "Which of our staff could have accessed this person's data, through which systems?"
Access mapping also powers access reviews — periodic certifications that each access grant is still justified. For more on why data mapping matters beyond pure compliance, see our earlier guide.
Step 4: Document data flows between services
Personal data rarely stays in one place. Your CRM syncs contacts to your email marketing tool. Your HR system exports payroll data to an external provider. Your analytics platform receives browsing behaviour from your website. Each of these is a data transfer that needs documentation.
For every transfer, record the source service, the destination service, the transfer type, and — critically — the safeguard mechanism for international transfers. Since the Schrems II ruling, transfers to countries without an adequacy decision require Standard Contractual Clauses, Binding Corporate Rules, or another Article 46 mechanism. Undocumented cross-border transfers are among the highest-risk findings in a supervisory authority audit.
Data loss prevention starts with mapping — you cannot protect data flows you have not documented.
Step 5: Assess risk and export your ROPA
With services, data items, access maps, and transfers documented, you can now assess risk. Each data item carries a risk score based on its classification, legal basis, and retention status. Each service aggregates the scores of its items, plus penalties for services with no documented login (authentication) type or with a high number of outbound transfers.
Generate your Article 30 register automatically from the data map — no separate ROPA form, no copy-paste between documents. The register inherits every data item's legal basis, retention period, and classification. Risk badges flag services that need attention. High and Critical risk services are flagged for a potential DPIA under Article 35.
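To show how the five steps fit together as one data model, here is an added worked example in Python. It is not Readmodel® code and the page gives no scoring formula, so the risk weights, the thresholds for the Low/Medium/High/Critical bands, the login-type and transfer-count penalties, and the adequacy country list are all illustrative assumptions chosen for this example; the services, data items, roles and transfers are constructed sample data. It builds the User → Service → Data Item chain, flags cross-border transfers with no Article 46 safeguard recorded, scores each service, and emits the rows an Article 30 register would inherit.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Illustrative scheme, not the page's or Readmodel's formula (assumption).
CLASS_WEIGHT = {"public": 1, "internal": 2, "confidential": 3, "special_category": 5}
MISSING_BASIS_PENALTY = 2        # no Article 6 legal basis recorded
MISSING_RETENTION_PENALTY = 2    # no retention period recorded
MISSING_LOGIN_PENALTY = 3        # service has no documented login type
TRANSFER_THRESHOLD = 3           # each outbound transfer above this adds 1
# Placeholder adequacy list for the example; not the Commission's official list.
ADEQUATE_COUNTRIES = {"EU", "UK", "CH"}


@dataclass
class DataItem:
    name: str
    classification: str                    # public | internal | confidential | special_category
    legal_basis: Optional[str] = None      # Article 6 ground, None if undocumented
    retention_days: Optional[int] = None   # None if no retention period recorded


@dataclass
class Service:
    name: str
    country: str                           # where the provider stores the data
    items: list[DataItem] = field(default_factory=list)
    login_type: Optional[str] = None       # e.g. "sso"; None means undocumented


@dataclass
class Transfer:
    source: str
    destination: str
    transfer_type: str
    safeguard: Optional[str] = None        # "SCC", "BCR", "adequacy" or None


def item_risk(item: DataItem) -> int:
    """Step 2 attributes drive the item score: sensitivity plus gaps."""
    score = CLASS_WEIGHT[item.classification]
    if item.legal_basis is None:
        score += MISSING_BASIS_PENALTY
    if item.retention_days is None:
        score += MISSING_RETENTION_PENALTY
    return score


def service_risk(service: Service, transfers: list[Transfer]) -> int:
    """Service score = sum of item scores + login and transfer-count penalties."""
    score = sum(item_risk(i) for i in service.items)
    if service.login_type is None:
        score += MISSING_LOGIN_PENALTY
    outbound = sum(1 for t in transfers if t.source == service.name)
    return score + max(0, outbound - TRANSFER_THRESHOLD)


def risk_band(score: int) -> str:
    if score < 5:
        return "Low"
    if score < 10:
        return "Medium"
    if score < 15:
        return "High"
    return "Critical"


def needs_dpia(score: int) -> bool:
    """High and Critical services are flagged for a potential Article 35 DPIA."""
    return risk_band(score) in ("High", "Critical")


def unsafeguarded_transfers(transfers: list[Transfer], services: dict[str, Service]) -> list[Transfer]:
    """Step 4 check: destination outside the adequacy list with no safeguard recorded."""
    return [t for t in transfers
            if services[t.destination].country not in ADEQUATE_COUNTRIES and t.safeguard is None]


def who_can_access(item_name: str, access: dict[str, list[str]],
                   services: dict[str, Service]) -> list[tuple[str, str]]:
    """Step 3 chain Role -> Service -> Data Item, i.e. the DSAR question."""
    hits = [(role, s) for role, svc_names in access.items() for s in svc_names
            if any(i.name == item_name for i in services[s].items)]
    return sorted(hits)


def ropa_rows(services: dict[str, Service], transfers: list[Transfer]) -> list[dict]:
    """Step 5: register rows inherit basis, retention, classification and risk."""
    rows = []
    for s in services.values():
        score = service_risk(s, transfers)
        rows.append({"service": s.name,
                     "data_items": [i.name for i in s.items],
                     "legal_bases": sorted({i.legal_basis or "MISSING" for i in s.items}),
                     "retention_days": {i.name: i.retention_days for i in s.items},
                     "risk": risk_band(score),
                     "dpia_candidate": needs_dpia(score)})
    return rows


# Constructed sample inventory (not real services or data).
SERVICES = {
    "crm": Service("crm", "EU", [
        DataItem("full_name", "internal", "contract", 2555),
        DataItem("email", "internal", "contract", 2555),
        DataItem("purchase_history", "confidential", "legitimate_interest", 1825)], "sso"),
    "email_marketing": Service("email_marketing", "US", [
        DataItem("email", "internal", "consent", 365)]),          # login type undocumented
    "hr_system": Service("hr_system", "EU", [
        DataItem("health_record", "special_category"),           # no basis, no retention
        DataItem("salary", "confidential", "contract", 3650)], "password"),
}
ACCESS = {"Marketing": ["crm", "email_marketing"], "HR": ["hr_system"], "Sales": ["crm"]}
TRANSFERS = [Transfer("crm", "email_marketing", "api_sync"),   # EU -> US, no safeguard recorded
             Transfer("hr_system", "crm", "export")]            # EU -> EU

if __name__ == "__main__":
    for row in ropa_rows(SERVICES, TRANSFERS):
        print(row)
    print("unsafeguarded:", [(t.source, t.destination) for t in unsafeguarded_transfers(TRANSFERS, SERVICES)])
    print("who can reach 'email':", who_can_access("email", ACCESS, SERVICES))
```

With the sample data, the HR system scores High because its special-category item lacks both a legal basis and a retention period, and the CRM-to-email-marketing sync is flagged because the destination is outside the adequacy list and no SCC or BCR is recorded. Swap in your own inventory and the same three checks (risk band, unsafeguarded transfers, access chain) give you the findings an auditor would look for first.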
For a detailed comparison of how different tools handle this, see GDPR compliance tools compared.
What to do after your first data map
A data map is a living document, not a one-time compliance exercise. Review and update it when:
- A new service is introduced — even a trial or pilot that touches personal data
- A data flow changes — a new integration, a provider switch, a new country
- A legal basis is challenged — consent withdrawn, legitimate interest reassessed
- A breach or DSAR occurs — both events expose gaps in your documentation
Set a baseline after completing your initial map. Readmodel® snapshots your risk posture so you can track improvement over time. When the next audit comes, you can show not just where you are, but how far you have come.
Start mapping today
Create a free Readmodel® account and map your first 5 services in under an hour. The template library, risk scoring, and ROPA export are available from day one — no credit card, no sales call. Get started now.