Step 1: Mapping data flows

Key considerations

How data flows into, around and out of your organisation

The first stage is focused on compiling an accurate and comprehensive record of the personal data your business uses. You need to understand what personal data you hold, the types of individuals you hold data on, and how the data comes in, moves around and ultimately goes out of the business. To make the mapping exercise more manageable, break data down into classes of individual and types of data you hold on them. Then for each of those categories consider how you collect it (IN), what you use it for and where you store it (AROUND) and how it leaves the business (OUT).

Internal engagement

This is a detailed process which needs input across the business. Involvement from your HR, finance, marketing and IT teams will be essential. All areas of your business will use personal data in some form, and ensuring that all of them are included in the process will help ensure that nothing is missed.


How Cripps Pemberton Greenish can help

Cripps Pemberton Greenish has worked with several large organisations on their approach to GDPR across various sectors. We can advise you on the questions you need to ask internally and how to structure your approach so that you can carry out a comprehensive data audit. For example, when thinking about how your data is stored, have you considered how will you identify what is being kept on local drives, in hard copy or on mobile devices?


Click here for Step 2: Audit