What is Data Mapping?

If your business uses its customers’ personal data to operate, several data protection rules will apply. The UK General Data Protection Regulation (‘UK GDPR’) is the law governing the use of personal data. The UK GDPR applies several rules to organisations that process personal data. Under the UK GDPR, an essential requirement is to understand which types of personal data you use and why. A data mapping exercise can help establish this. This article will explore what data mapping is and why it is an essential step for UK GDPR compliance. 

Why is UK GDPR Compliance Necessary?

Compliance with UK GDPR is compulsory for any organisation using personal data. The UK GDPR applies to virtually all businesses, as most businesses will collect and use some form of personal data. For example, businesses regularly collect personal information about:

  • customers; 
  • suppliers; 
  • candidates; and 
  • staff.

If your business processes any type of personal data, then the UK GDPR rules will apply to you. Depending on your business activities and how you use personal data, there are various steps you will need to take to comply with the UK GDPR. 

For example, common obligations under the UK GDPR include:

Further, organisations need to train staff about data protection law rules and put various policies and procedures in place to comply with the UK GDPR. However, in order to determine what you need to do to comply with the UK GDPR, you first need to understand how and why you use personal data. 

What is Personal Data?

Personal data includes information relating to any living individual who can be identified from that data either directly or indirectly. Some examples of personal data include:

  • names and surnames;
  • addresses and email addresses;
  • telephone numbers;
  • health information;
  • location data and online identifiers;
  • signatures; and
  • photographs.

Personal data can be a single item of information or a combination of different types of information. Ultimately, every business will process different types of personal data, and the types of personal data your business processes will dictate your obligations under the UK GDPR regime.

What is a Data Mapping Exercise?

The first essential step for UK GDPR compliance is a data mapping exercise. The data mapping process involves documenting all the data sets of personal data that your business collects and uses and how it flows through your business. 

As part of the data mapping procedure, you should review and document:

  • which types of personal data your organisation collects and uses, and why; 
  • what format you store personal data in, for example, in hard copy or virtually; 
  • where you collect personal data from and if any third parties collect data on your behalf; 
  • how you store personal data;
  • whom you share personal data with and why; 
  • how long you keep personal data for; and 
  • whether any personal data is transferred to countries outside of the United Kingdom. 

Your data mapping exercise should be detailed and outline the categories of data subjects you process data about. Different data subjects include current or previous customers or website users who make enquiries on your website. 

If you collect any special category personal data, criminal offences data or children’s data, you must comply with additional stringent rules. For example, you may need to put extra policy documents in place and require individuals to agree to additional consent forms. 

Data mapping is the very first step to UK GDPR compliance. You can carry out data mapping in different ways, for example, by using a data mapping tool or software. You should ensure that your data mapping covers all areas of your business and speak to different departments to understand which data they collect, if necessary. 

What Should Businesses Do After Completing Data Mapping?

After mapping the personal data your business collects, you can act on its results and use them to determine your obligations under the UK GDPR rules. Your data mapping exercise will help you establish the following factors: 

Factor: Determining who you collect personal data from.
Action: If you collect personal data from your customers and control that data, you will need to issue them with a Privacy Policy to explain how you use their personal details.

Factor: Determining your lawful basis.
Action: Understanding why you collect personal data will also help you consider the appropriate lawful basis for processing personal data. You will need to consider your processing activities for different data types and document your lawful basis accordingly.

Factor: Establishing data retention rules.
Action: If you find that you collect excessive personal data, which you do not require, you can take action to delete that data and develop a Data Retention Policy to establish rules around how long you should keep personal data.

Factor: Identifying whether you need to carry out risk assessments.
Action: Data mapping will help you identify whether you collect any high-risk or sensitive personal data and, if so, whether you need to conduct appropriate data protection impact assessments.

Factor: Complying with international data transfer law rules.
Action: Your data mapping will help establish whether you transfer any personal data outside of the United Kingdom. If so, you must ensure that any transfers comply with applicable international data transfer laws.

The UK GDPR regime is vast and complicated, and it is common for businesses to need to comply with several requirements. If you need support with understanding how the data you process affects your UK GDPR legal obligations, you can work with a data protection solicitor. 

A data protection solicitor can review your data mapping exercise results and advise you on what compliance actions your business will need to take. A data protection solicitor can also guide you on the data mapping process and what questions you need to consider for UK GDPR compliance. They can also help you prepare a data mapping template, which you can use for data mapping.

Data mapping should be updated and reviewed on a regular basis. For example, you should revisit your data flows when you start to collect new types of personal data or use personal data differently. 

Key Takeaways

Compliance with the UK GDPR is not a one-size-fits-all approach. As such, you must understand exactly what personal information your business processes and why. Your data mapping exercise is a critical first step to help you determine your legal obligations. Ultimately, what you need to do to comply with the UK GDPR will depend very much on which types of personal data you use and why. 

If you need legal advice on compliance with the UK GDPR, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Sej Lamba

Sej is an Expert Legal Contributor at LegalVision. She is an experienced legal content writer who enjoys writing legal guides, blogs, and know-how tools for businesses. She studied History at University College London and then developed a passion for law, which inspired her to become a qualified lawyer.

Qualifications: Legal Practice Course, Kaplan Law School; Graduate Diploma in Law, Kaplan Law School; BA, History, University College.
