Five myths about data mapping busted

Data flows are becoming more complex by the day and mapping how data travels through an organisation can be daunting. Here’s how to get started

By Emma Sheppard


May 2023

Businesses of all sizes are collecting more data today than ever before. It allows businesses to personalise the customer experience, make decisions about new products and services, and track sales. But getting a handle on what data you hold and for what purpose, where it’s located, how long you keep it for and what you do with it when it’s no longer needed … that can feel like a daunting prospect. 

Here are five myths about data mapping to help businesses tackle the process. 

Myth no. 1 – it’s a job for IT

Data mapping should capture all of the data processing activities throughout the organisation, so should involve every function, department and office. Get a task force together and ask a representative from each team to share how and why they use personal data, how much of it they have, and how they move it around. Don’t fall into the trap of thinking this is just for IT. One of the challenges of data mapping is that personal data can be stored everywhere – including on paper. If this is an IT-led endeavour, it’s highly likely that you will miss something. Plus, mapping data flows enables people in your organisation to understand the personal information they hold. It encourages them to care about it. And to do their part to protect it. Read more in our blog about how to map your data flows.

Myth no. 2 – it’s only a list of data categories

Of course data mapping isn’t just a long bulleted list of the different types of data your business collects. It’s a systematic review that also includes the retention schedule, purpose of processing, recipients, and other details to meet compliance requirements. It should also capture who is responsible for that data and who else outside of the organisation touches it. It’s also an opportunity to ask questions and give feedback. Is there anything that doesn’t make sense? Make it visual with flow charts so that everyone can understand, and keep it consistent with the same format. Google Slides, Photoshop and other specialist packages can help here. 

If you want more practical content like this article, please click below to sign up for our monthly newsletter.

Sign up now

Myth no. 3 – it’s just the data you’re managing internally

Companies aren’t just processing more data than they used to. They’re exchanging more data too. Adding a new application or supplier to the process – whether for marketing, sales or HR – will increase the complexity of the data map. There may also be examples of data “floating” that no one seems to own, or without much documentation as to its origins, why it’s needed or who’s responsible for it. There may also be various functions – such as the sales and marketing teams – using this data without knowledge of the other, or the legal basis under which that processing can occur. Be prepared for data mapping to throw up some problems and adjust processes accordingly. It’s also an opportunity to embrace data minimisation, collecting only necessary, relevant and up-to-date information. 

Myth no. 4 – once it’s done, it’s done

Data maps themselves need to be kept up to date. As you develop new products and processes, and take on different suppliers, your data flows will change. You need a process in place to capture these changes and record them, amending your notices as necessary. Almost half (46%) of privacy professionals say locating unstructured personal data is the most challenging issue of fulfilling subject access requests. So make sure you keep the labelling consistent as you go, capturing the data flowing through the business from a variety of channels. 

Answer our GDPR compliance checklist questions and we will email you an objective, personalised audit report within minutes, completely free of charge.

Get your audit

Myth no. 5 – it’s just about the GDPR

Keeping an up-to-date record of all data processing activities is at the heart of the GDPR (see our blog: how to create an Article 30 record) . But it also makes data more accessible and structured, while reducing data redundancies. That provides opportunities for more reliable data analysis. Once you understand the data you collect, with whom you share it, and where it flows, it’s time to make some strategic decisions. Now, you can better determine how to use your data to develop and grow your product. It’s much more than just a compliance function. It forms the very core of an organisation’s data strategy.

More to watch and read