Why data mapping is a business imperative

Knowledge is power but responsible knowledge is ethics and compliance and a data mapping exercise can help achieve that.

tech, futuristic, flow-7186360.jpg

Not so long ago I participated in a webinar where, among others, I touched upon the importance of companies having a consistent and reliable data mapping exercise. 

I referred to Article 29.3 of the GDPR which provides that the records of the processing activities under the controller and processor responsibility should be in writing, including in electronic format. 

I did not anticipate that I would open the Pandora box and there I was being asked by one of the participants about the excel spread sheet that seemingly many companies are still using. 

The excel spread sheets are documents in electronic format indeed. Why would they not be sufficient to mark the mapping compliance obligation? In retrospect I don’t feel that I did such a good business in explaining to the participants the seminal role of data mapping.

Data mapping can help companies understand what type of data they collect and process during the business lifecycle, the level of sensitivity of the data and the flow of the data from the original source to their destination. 

Based on these insights companies can reflect with the support of their privacy professionals if they have a legal basis for different types of processing operations or if, on the contrary, they are in breach of laws. Furthermore, data mapping is a precious resource that can procure the company a fruitful exercise of data classification. A correct data classification would ensure that data are accessed and shared in the organization for the most productive purposes whilst maintaining the company compliant with its legal obligations to observe confidentiality and security of the data. 


Activities such as data re-purposing are fully dependent on the insights revealed through the data mapping. The controversial transfer impact assessment exercise can be facilitated by the information completed in the data mapping. Retention and deletion terms can be assessed and agreed upon with the help of the information contained in the data mapping. Data retention or otherwise the storage limitation obligation as it is included in the GDPR is a crucial element of data security. In the event of an incident or a data breach a clean database would not be exposed to the same extent that an unclean database would be. 


The tax and auditing laws all require companies to maintain extensive documentation and record-keeping. According to the Handbook on European data protection law establishing similar requirements in other fields of law, in particular data protection law, is an important way to facilitate compliance with data protection rule. 

The above legal compliance arguments let aside there is a deeper sense to the obligation of maintaining an accurate data mapping exercise. From a business standpoint companies can leverage the knowledge they gain from their data mapping exercise to take business decisions such as re-purposing data for better business use or decommission applications or tools and delete out-of-use data. Contracts which are not useful can be terminated and unnecessary expenditure can be saved. 
Now, as US businesses are beholden to a growing number of privacy regulations like CCPA and its amendment CPRA, the Virginia Consumer Data Protection Act and Colorado’s Privacy Act the maintenance of data mapping is even more important. By maintaining a consistent data mapping, organizations can identify cases of data redundancies. These are data that are unnecessarily maintained in multiple locations in the organization hampering, for example potential efforts to mitigate a security incident or a privacy breach and creating exposure for enterprise risks. 
By identifying redundancies companies can build a single source of truth that would allow them to get more business value from your data and avoid unwanted headaches. 
Knowledge is power but responsible knowledge is ethics and compliance and a data mapping exercise can help achieve that. 

Would an excel spreadsheet be able to give the same powerful insight to organizations enabling them to go one step beyond their compliance obligations? It would not. The excel spreadsheet would indeed help check the compliance box, but it would not be fit-for-the-business-purpose especially for the medium and big size companies. 

Author Petruta Pirvan, Founder and Legal Counsel Data Privacy and Digital Law @EU Digital Partners