Most organisations use dozens of cloud services. Microsoft 365 for email, Salesforce for CRM, Slack for messaging, a handful of HR tools, a few marketing platforms. Each one holds data — some of it sensitive.
But ask a typical IT manager: "Which services hold special category data? Who can access it? From which devices?" — and the answer is usually silence or uncertainty.
That gap between what you think you know and what you actually know is where breaches happen.
The invisible problem
Data doesn't stay in one place. It flows:
- An HR system sends employee records to a payroll provider
- A CRM syncs customer data to an email marketing platform
- A backup service copies everything to a cloud storage bucket
- A contractor accesses the system from their personal laptop
Each of these flows is a potential point of failure. If you can't see them, you can't assess whether they're adequately protected.
What a data map gives you
A data map answers five questions:
- What services do we use? — your IT landscape
- What data does each service hold? — sensitivity and classification
- Who can access each service? — users and roles
- From what devices? — managed laptops, BYOD phones, shared workstations
- Where does data flow between services? — transfers, backups, integrations
With these answers, you can identify where your risks concentrate. Maybe your most sensitive data is in a service with no multi-factor authentication. Maybe BYOD devices access special category data without disk encryption. Maybe your backup strategy doesn't meet the 3-2-1 rule.
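The three checks named above, run over a minimal data map. This is an added example, not part of the original article and not Readmodel®'s own code. The service names, device names, field names and classification labels are constructed for illustration, and "offsite" is assumed to mean a copy held outside the primary provider or location.

```python
from dataclasses import dataclass, field

SENSITIVE = {"special_category", "personal", "financial", "credentials"}  # assumed labels

@dataclass
class Device:
    name: str
    managed: bool          # False means BYOD
    disk_encrypted: bool

@dataclass
class Service:
    name: str
    data_classes: set      # what the service holds
    mfa: bool              # is multi-factor authentication enforced?
    devices: list = field(default_factory=list)   # devices that access it
    copies: list = field(default_factory=list)    # (medium, offsite) per copy, live copy included

def meets_321(svc):
    # 3-2-1 rule: at least 3 copies, on at least 2 different media, at least 1 offsite
    media = {medium for medium, _ in svc.copies}
    return len(svc.copies) >= 3 and len(media) >= 2 and any(off for _, off in svc.copies)

def findings(services):
    out = []
    for s in services:
        if s.data_classes & SENSITIVE and not s.mfa:
            out.append((s.name, "sensitive data without MFA"))
        if "special_category" in s.data_classes:
            for d in s.devices:
                if not d.managed and not d.disk_encrypted:
                    out.append((s.name, f"BYOD device '{d.name}' without disk encryption"))
        if not meets_321(s):
            out.append((s.name, "backups do not meet 3-2-1"))
    return out

# Constructed sample data map: two services, their devices and their copies
SERVICES = [
    Service("hr-system", {"special_category", "personal"}, mfa=False,
            devices=[Device("contractor-laptop", managed=False, disk_encrypted=False),
                     Device("hr-workstation", managed=True, disk_encrypted=True)],
            copies=[("saas", False), ("object-storage", True)]),
    Service("crm", {"personal"}, mfa=True,
            devices=[Device("sales-laptop", managed=True, disk_encrypted=True)],
            copies=[("saas", False), ("object-storage", True), ("tape", True)]),
]

if __name__ == "__main__":
    for service, issue in findings(SERVICES):
        print(f"{service}: {issue}")
```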
It's not just about GDPR
Yes, GDPR Article 30 requires a Record of Processing Activities (ROPA). And yes, a data map is the foundation of a ROPA. But the real value isn't compliance paperwork — it's operational visibility.
When you can see your data landscape, you can:
- Prioritise security spending on the services that matter most
- Respond to incidents faster because you know what data was affected
- Assess vendor lock-in before it becomes a crisis
- Run meaningful access reviews instead of rubber-stamping spreadsheets
- Document backup coverage and verify it meets your policy
Getting started
You don't need to map everything at once. Start with:
- List your top 10 services — the ones your team uses daily
- Identify the sensitive ones — which hold personal data, financial data, or credentials?
- Map who accesses them — even a rough list of roles is better than nothing
- Note the obvious transfers — backups, integrations, exports
This takes an hour. The result is a foundation you can build on — and a view of your data risk you didn't have before.
Tools like Readmodel® help
Readmodel® automates the tedious parts: it provides 200+ pre-configured service templates, computes risk scores automatically, checks backup strategy compliance, assesses device security, and generates AI-powered analysis reports. The ROPA and compliance exports come free as a byproduct of the mapping you'd want to do anyway.
The point isn't compliance. The point is knowing where your data lives — before someone else finds it first.