
Data Mapping and ROPA: Know What Data You Have

Data mapping forms the foundation of GDPR compliance. Without a clear picture of what personal data you hold and where it resides, protecting that data and responding to data subject requests becomes significantly more challenging. The Record of Processing Activities (ROPA) provides the formal documentation of your data processing activities.

Key Takeaways

  • Data mapping: identify all personal data, what it is, where it lives, how it flows, and why you hold it
  • ROPA: the Record of Processing Activities, the formal documentation required by Article 30
  • Who must keep one: organizations with 250 or more employees always; smaller organizations too, unless their processing is occasional, unlikely to pose a risk to data subjects, and free of special category or criminal conviction data
  • ROPA contents: purposes, data categories, recipients, transfers, retention, security measures
  • Foundation for compliance: enables DSARs, breach response, and demonstrating accountability

Quick Answer: Data mapping identifies all personal data in your organization; the ROPA (Record of Processing Activities) documents it formally. A ROPA is mandatory for organizations with 250 or more employees, and for smaller ones whenever their processing is not occasional, is likely to pose a risk to data subjects, or involves special category or criminal conviction data. It is also what makes responding to data subject requests feasible: you cannot find, export or erase data you have not located.

What is Data Mapping?

Data mapping is the process of identifying and documenting all personal data in your organization:

What Data:

  • Categories of personal data
  • Special category data
  • Data sensitivity levels

Where Data Lives:

  • Databases and systems
  • Third-party services
  • Physical locations
  • Backups and archives

How Data Flows:

  • Collection points
  • Internal transfers
  • External sharing
  • International transfers

Why Data Exists:

  • Processing purposes
  • Legal basis
  • Business justification

Why Data Mapping Matters

  • DSAR response: know where to find all of a user's data
  • Deletion requests: ensure erasure is complete, including backups and processors
  • Security: protect data where it actually lives
  • Risk assessment: identify high-risk processing
  • Policy accuracy: the privacy policy reflects reality
  • Audit readiness: evidence of compliance efforts

Data Mapping Process

Step 1: Inventory Your Systems

List every system that processes personal data:

  • Core product: main application database, user accounts
  • Marketing: CRM, email platform, analytics
  • Sales: lead databases, contract management
  • Support: help desk, chat tools
  • HR: employee records, payroll
  • Finance: billing, accounting software
  • Development: logs, debugging tools
  • Third parties: SaaS tools, APIs, integrations

Step 2: Identify Data Categories

For each system, document data types:

  • Identity: name, username, photo
  • Contact: email, phone, address
  • Financial: payment info, transaction history
  • Technical: IP address, device ID, cookies
  • Usage: activity logs, preferences
  • Content: messages, uploads, comments
  • Special category: health, religion, biometrics

Step 3: Map Data Flows

Document how data moves:

Collection Sources:

  • Web forms
  • Mobile app
  • API integrations
  • Third-party imports
  • Manual entry

Internal Processing:

  • Primary database
  • Analytics processing
  • Backup systems
  • Development environments
  • Employee access

External Sharing:

  • Payment processor
  • Email service
  • Analytics provider
  • Cloud infrastructure
  • Business partners

Output Points:

  • User exports
  • API responses
  • Reports
  • Data deletions

Step 4: Document Legal Basis

For each processing activity, identify the legal basis:

  • Account creation: contract
  • Service delivery: contract
  • Payment processing: contract
  • Marketing emails: consent
  • Analytics: legitimate interests (note that non-essential cookies and similar tracking still require consent under the ePrivacy rules, whatever basis you record for the analytics processing itself)
  • Security monitoring: legitimate interests
  • Legal compliance: legal obligation

Record of Processing Activities (ROPA)

The ROPA is the written or electronic record that Article 30 requires controllers to maintain; processors must keep a parallel record of the processing they carry out on behalf of each controller (Article 30(2)), and both must be made available to the supervisory authority on request (Article 30(4)).

Who Needs a ROPA?

Organizations with 250+ employees: Always required

Organizations with fewer than 250 employees: The exemption is lost if ANY ONE of the following applies (per Article 30(5)):

  • (a) Risk to rights and freedoms: processing is likely to result in a risk to the rights and freedoms of data subjects
  • (b) Not occasional: processing is regular or ongoing rather than one-off
  • (c) Special category data: processing includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or genetic, biometric, health, sex life or sexual orientation data (Article 9)
  • (d) Criminal conviction data: processing includes personal data relating to criminal convictions and offences (Article 10)

Important: These conditions are disjunctive (OR)—meeting just one means ROPA is required. You do not need to meet all conditions.

Practical reality: Most startups need a ROPA because their processing is regular (not occasional), which alone triggers the requirement.

ROPA Requirements for Controllers

  • Controller name: your company name and contact details
  • Joint controller: if applicable, the other controllers
  • Representative: if applicable, your EU representative under Article 27
  • DPO contact: if you have a DPO
  • Processing purposes: why you process the data
  • Data subject categories: users, employees, etc.
  • Personal data categories: types of data processed
  • Recipient categories: who receives the data, including processors
  • International transfers: destination countries and the safeguards relied on
  • Retention periods: how long data is kept, where possible
  • Security measures: a general description of technical and organizational measures, where possible

Legal basis is not an Article 30(1) field, but recording it per activity is standard practice and makes the record far more useful for DSARs, DPIAs and privacy policy reviews; the template below includes it for that reason.

ROPA Template

Record of Processing Activities
────────────────────────────────────────────────────────

Processing Activity: User Account Management
────────────────────────────────────────────

Controller: [Your Company Name]
Contact: privacy@yourcompany.com
DPO: [If applicable]

Purpose:
Managing user accounts and providing access to services

Categories of Data Subjects:
- Registered users
- Trial users

Categories of Personal Data:
- Name
- Email address
- Password (hashed)
- Account preferences
- Usage history

Legal Basis: Contract

Recipients:
- Internal: Customer support team, engineering team
- External: AWS (hosting), Auth0 (authentication)

International Transfers:
- AWS US-East region
- Safeguard: Standard Contractual Clauses

Retention Period:
- Active accounts: Duration of account
- Closed accounts: 30 days then deleted
- Audit logs: 12 months

Security Measures:
- Encryption at rest and in transit
- Access controls and MFA
- Regular security assessments
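The four mapping steps above and the template's fields can be captured as structured data and linted, so that gaps (a transfer with no safeguard, a processor missing from the recipients, special category data that should have been flagged) are caught before an audit does. The following is an added example, not code from this page or any product; the field names, the Article 30(5) logic and the two sample activities are assumptions chosen to mirror the template, and category tags are matched by exact lowercase text.

```python
"""Lint a Record of Processing Activities (ROPA) against the Article 30(1)
fields and decide whether the Article 30(5) small-enterprise exemption applies.

Added example with an assumed schema; the sample activities are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Article 9(1) special categories and Article 10 data, as exact lowercase tags.
SPECIAL_CATEGORIES = {
    "racial or ethnic origin", "political opinions",
    "religious or philosophical beliefs", "trade union membership",
    "genetic data", "biometric data", "health", "sex life or sexual orientation",
}
CRIMINAL_DATA = {"criminal convictions and offences"}


@dataclass
class Transfer:
    recipient: str
    country: str
    safeguard: Optional[str] = None   # e.g. "Standard Contractual Clauses"


@dataclass
class ProcessingActivity:
    name: str
    purposes: List[str]
    data_subjects: List[str]
    data_categories: List[str]
    recipients: List[str]
    transfers: List[Transfer] = field(default_factory=list)
    retention: Optional[str] = None                              # Art. 30(1)(f)
    security_measures: List[str] = field(default_factory=list)   # Art. 30(1)(g)
    legal_basis: Optional[str] = None                            # recommended, not an Art. 30 field
    occasional: bool = False                                     # Art. 30(5): one-off processing
    likely_risk: bool = False                                    # Art. 30(5): likely risk to data subjects


@dataclass
class Ropa:
    controller: str
    contact: str
    headcount: int
    dpo: Optional[str] = None
    activities: List[ProcessingActivity] = field(default_factory=list)


def lint_activity(a: ProcessingActivity) -> List[str]:
    """Return human-readable findings for one activity; an empty list means clean."""
    findings = []
    for fld in ("purposes", "data_subjects", "data_categories", "recipients"):
        if not getattr(a, fld):
            findings.append(f"{a.name}: missing required field '{fld}' (Art. 30(1))")
    if a.retention is None:
        findings.append(f"{a.name}: no retention period (Art. 30(1)(f))")
    if not a.security_measures:
        findings.append(f"{a.name}: no security measures described (Art. 30(1)(g))")
    if a.legal_basis is None:
        findings.append(f"{a.name}: no legal basis recorded (recommended)")
    for t in a.transfers:
        if not t.safeguard:
            findings.append(f"{a.name}: transfer to {t.country} ({t.recipient}) has no documented safeguard (Art. 30(1)(e))")
        if t.recipient not in a.recipients:   # data map says it goes there, ROPA does not
            findings.append(f"{a.name}: transfer recipient {t.recipient} not listed among recipients")
    special = SPECIAL_CATEGORIES.intersection(c.lower() for c in a.data_categories)
    if special:
        findings.append(f"{a.name}: special category data {sorted(special)}; consider a DPIA")
    return findings


def ropa_required(r: Ropa) -> bool:
    """Article 30(5): fewer than 250 staff is exempt unless any one condition applies."""
    if r.headcount >= 250:
        return True
    for a in r.activities:
        cats = {c.lower() for c in a.data_categories}
        if a.likely_risk or not a.occasional or cats & SPECIAL_CATEGORIES or cats & CRIMINAL_DATA:
            return True
    return False


def lint_ropa(r: Ropa) -> List[str]:
    findings = [] if r.contact else ["controller contact details missing (Art. 30(1)(a))"]
    for a in r.activities:
        findings.extend(lint_activity(a))
    return findings


# Constructed sample: the first activity mirrors the template above, the second
# is deliberately incomplete so the linter has something to report.
ACCOUNTS = ProcessingActivity(
    name="User Account Management",
    purposes=["Managing user accounts and providing access to services"],
    data_subjects=["Registered users", "Trial users"],
    data_categories=["Name", "Email address", "Password (hashed)", "Account preferences", "Usage history"],
    recipients=["Customer support team", "Engineering team", "AWS", "Auth0"],
    transfers=[Transfer("AWS", "US", "Standard Contractual Clauses")],
    retention="Active: account lifetime; closed: 30 days; audit logs: 12 months",
    security_measures=["Encryption at rest and in transit", "Access controls and MFA"],
    legal_basis="Contract",
)
SUPPORT_CHAT = ProcessingActivity(
    name="Support Chat",
    purposes=["Resolving support tickets"],
    data_subjects=["Registered users"],
    data_categories=["Name", "Email address", "Health"],   # a user described a medical condition
    recipients=["Customer support team"],
    transfers=[Transfer("ChatVendor", "US")],              # no safeguard, vendor not a listed recipient
)
SAMPLE = Ropa("Example Ltd", "privacy@example.com", headcount=40, activities=[ACCOUNTS, SUPPORT_CHAT])

if __name__ == "__main__":
    print("ROPA required:", ropa_required(SAMPLE))
    for line in lint_ropa(SAMPLE):
        print("-", line)
```

Running it reports that the 40-person sample company still needs a ROPA (its processing is not occasional) and lists six findings against the support chat activity and none against account management. Keeping the record in a structured form like this also makes the monthly and quarterly reviews described later a diff rather than a re-read.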

Data Mapping Tools and Techniques

Manual Approach (Small Teams)

  • Spreadsheet: simple data inventory
  • Diagrams: data flow visualization
  • Questionnaires: gather information from team members
  • System audits: technical inventory

Automated Approach (Growing Teams)

  • Data discovery: scan systems for personal data
  • Classification: automatically categorize what is found
  • Flow mapping: track data movement between systems
  • Compliance platforms: integrated ROPA management
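The discovery and classification capabilities above come down to pattern matching plus validation to keep false positives down. The following is an added example, not a vendor's scanner: it runs three detectors (email, IPv4 address, payment card number) over constructed text records, validates IPv4 octet ranges and Luhn-checks card-like digit runs so that an order number does not get classified as financial data, labels hits with the categories from the data categories table, and offers a redaction helper for cleaning logs. The record contents, detector set and category labels are assumptions.

```python
"""Regex-based personal data discovery over text records, with validation to
cut false positives (IPv4 octet range, Luhn check on card-like digit runs).

Added example; the sample records below are constructed, not real logs.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13 to 19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def valid_ipv4(s: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in s.split("."))


def valid_card(s: str) -> bool:
    return luhn_ok(re.sub(r"[ -]", "", s))


# (kind, category from the data categories table, regex, validator or None)
DETECTORS = [
    ("email", "Contact", EMAIL_RE, None),
    ("ipv4", "Technical", IPV4_RE, valid_ipv4),
    ("card", "Financial", CARD_RE, valid_card),
]


@dataclass(frozen=True)
class Finding:
    source: str
    category: str
    kind: str
    value: str


def scan(records: Dict[str, str]) -> List[Finding]:
    """Return every validated hit, tagged with where it was found and its category."""
    findings = []
    for source, text in records.items():
        for kind, category, rx, validate in DETECTORS:
            for m in rx.finditer(text):
                if validate is None or validate(m.group(0)):
                    findings.append(Finding(source, category, kind, m.group(0)))
    return findings


def redact(text: str) -> str:
    """Replace validated hits with a placeholder; leaves non-matching look-alikes alone."""
    for kind, _, rx, validate in DETECTORS:
        text = rx.sub(
            lambda m: f"<{kind}>" if validate is None or validate(m.group(0)) else m.group(0),
            text,
        )
    return text


# Constructed sample records: an application log line, a support ticket where a
# customer pasted a full card number, and a README with no personal data.
SAMPLE_RECORDS = {
    "app.log": "2024-03-01T10:00:00Z INFO login user=alice@example.com ip=203.0.113.45 order=1234567890123456",
    "support-ticket-1042.txt": "Customer pasted full card number: 4111 1111 1111 1111; callback host 192.168.1.300",
    "README.md": "Deploy with ./deploy.sh --env prod; version 1.2.3",
}

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f.source}: {f.category}/{f.kind} -> {f.value}")
    print(redact(SAMPLE_RECORDS["app.log"]))
```

On the sample it reports the email and IP address in the log and the card number in the ticket, while the 16-digit order number (fails Luhn) and 192.168.1.300 (octet out of range) are ignored. Real deployments extend the detector list (national ID formats, phone numbers, names against an HR directory) and run the scanner over database dumps and object storage, not just text files; the validation step matters more as the detector list grows, because a data map full of false positives is as unreliable as an incomplete one.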

Maintaining Your Data Map

Regular Reviews

  • Monthly: check for new systems and tools
  • Quarterly: review data flows
  • Annually: full data mapping refresh
  • As needed: after significant changes

Triggers for Updates

  • New product features collecting data
  • New third-party integrations
  • New employee systems
  • Mergers or acquisitions
  • Geographic expansion
  • New processing purposes

Change Management

Proposed Change:

  • What data will be processed?
  • Why is this processing needed?
  • Where will data be stored/processed?
  • Who will have access?

Assessment:

  • Is this a new processing activity?
  • Does it change existing processing?
  • Is a DPIA required?
  • Privacy policy update needed?

Implementation:

  • Update ROPA
  • Update privacy policy if needed
  • Implement security measures
  • Train relevant staff
  • Document the change

Review:

  • Verify implementation
  • Check documentation accuracy
  • Monitor for issues

Common Data Mapping Challenges

Challenge 1: Shadow IT

Problem: Employees using unauthorized tools
Solution: Regular audits, clear policies, easy approval process

Challenge 2: Legacy Systems

Problem: Old systems with unclear data
Solution: Systematic audit, plan for migration or documentation

Challenge 3: Third-Party Data

Problem: Uncertain what vendors do with data
Solution: Review contracts, send questionnaires, require DPAs

Challenge 4: Unstructured Data

Problem: Personal data in emails, documents, etc.
Solution: Policies for data handling, regular cleanup

Challenge 5: Keeping Current

Problem: Map becomes outdated quickly
Solution: Integrate updates into change management process

Data Mapping Checklist

Systems Inventory:

  • All production systems listed
  • Development/test environments included
  • Third-party services documented
  • Internal tools inventoried
  • Physical/paper records considered

Data Categories:

  • All personal data types identified
  • Special category data flagged
  • Sensitive data highlighted
  • Data sources documented

Data Flows:

  • Collection points mapped
  • Internal processing documented
  • External sharing identified
  • International transfers noted

ROPA:

  • All processing activities recorded
  • Legal basis documented
  • Retention periods specified
  • Security measures described

How Bastion Helps

Data mapping can be complex, particularly for organizations with data spread across multiple systems and vendors. Working with experienced partners helps ensure thorough coverage without overwhelming your team.

  • Initial mapping: guided data discovery process that systematically identifies data across your systems
  • ROPA creation: proven templates and efficient workflows for documentation
  • Ongoing maintenance: processes for keeping your data map current as your business evolves
  • Third-party assessment: vendor questionnaires and tracking for processor data flows
  • Documentation: audit-ready records that demonstrate accountability

Having additional expertise helps with the heavy lifting of initial data mapping and ensures nothing is missed—avoiding the gaps that often surface during audits or when responding to data subject requests.


Looking for help with data mapping and ROPA documentation? Talk to our team →