GDPR Data Mapping and Data Inventory Checklist
Last updated: 2026-04-08 — ComplianceStack Editorial Team
Article 30 of the GDPR requires controllers and processors to maintain records of processing activities (RoPA) — and data protection authorities consistently ask for this document first when investigating a complaint or notifying a company of an audit. The €91 million fine against Meta Ireland in 2023 and the €310 million fine against LinkedIn in 2024 both involved inadequate records of processing activities and undocumented data flows. Building an accurate data map is not just a compliance checkbox — it is the foundation for every other GDPR obligation. This checklist covers the 20 steps to build and maintain a defensible data inventory.
GDPR Compliance Checklist for Data Mapping
Appoint a Data Protection Officer (DPO) if required and register with your supervisory authority
A DPO is mandatory if you are a public authority, if you carry out large-scale systematic monitoring of individuals, or if you process special category data at scale. If a DPO is required, their contact details must be published and registered with your lead supervisory authority. Even if not mandatory, consider appointing a DPO or privacy officer — their absence is noted by regulators during investigations.
Identify every business process that involves personal data and create an initial process inventory
Walk through each department — HR, Marketing, Sales, Finance, IT, Customer Support, Legal — and identify every process that touches personal data. Include back-office processes that may seem administrative (payroll, expense management, facility access control). The goal is a complete inventory before any documentation begins. Use discovery questionnaires, process interviews, and system scans.
Document Article 30 Records of Processing Activities (RoPA) for each processing operation
For each processing activity, your RoPA must record: controller/DPO contact details, purposes of processing, categories of data subjects and personal data, categories of recipients, transfers to third countries and safeguards, retention periods, and security measures. Maintain separate RoPA sections for controller activities and processor activities. Use a structured format (spreadsheet or GRC tool) that can be exported for regulator review.
Identify and document the legal basis for every processing activity
The six GDPR legal bases are: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. Document the specific legal basis for each processing activity before processing begins — you cannot switch legal bases retroactively. For legitimate interests, complete a Legitimate Interests Assessment (LIA) and retain it. Consent-based processing requires documented evidence of freely given, specific, informed, and unambiguous consent.
Map all data flows: where personal data originates, where it is stored, and where it goes
Create a data flow diagram for each significant business process. Show data collection points (web forms, APIs, third parties, HR systems), storage locations (databases, cloud services, physical records), internal transfers (between departments, to parent companies), and external transfers (to processors, joint controllers, third parties). Tools like Lucidchart, draw.io, or GRC platforms simplify this. The data flow diagram supplements your Article 30 RoPA.
Identify all third-party processors and verify Article 28 Data Processing Agreements are in place
Any vendor that processes personal data on your behalf (cloud providers, SaaS platforms, marketing tools, payroll processors, IT support) is a processor under GDPR and must have a signed Article 28 DPA. Maintain a processor register listing: vendor name, processing activity, data categories processed, data location, sub-processor list, and DPA reference. Review DPAs when vendor terms change.
Classify personal data by sensitivity: standard, special category, and criminal conviction data
Special category data (GDPR Article 9) — including health, biometric, racial/ethnic, political, religious, and sexual orientation data — requires one of ten specific processing conditions in addition to a legal basis. Criminal conviction data (Article 10) has separate restrictions. Create a data classification taxonomy and tag every data element in your inventory accordingly. Higher-risk data requires stronger safeguards.
Document retention periods and deletion schedules for each data category
GDPR requires data to be kept in a form that permits identification of data subjects for no longer than necessary (storage limitation principle). Document retention periods for each data category based on legal requirements, business need, and contractual obligations. Implement automated deletion or anonymization at the end of the retention period. Retention schedules must be published in privacy notices and reflected in your RoPA.
Identify and document all cross-border data transfers to third countries and put appropriate safeguards in place
Transfers of personal data to countries outside the EEA require a transfer mechanism: adequacy decision (UK, Switzerland, Japan, etc.), Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or derogations. Post-Schrems II, SCCs must be accompanied by a Transfer Impact Assessment (TIA) evaluating the legal environment of the destination country. Map every transfer and document the mechanism and TIA.
Conduct a Transfer Impact Assessment (TIA) for all SCC-based transfers to high-risk jurisdictions
The 2021 SCCs require a case-by-case assessment of the third country's legal framework, particularly surveillance laws and data subject rights. The TIA must consider: (1) transfer purpose and data categories; (2) relevant laws of the destination country; (3) practical experience with requests from public authorities; (4) supplementary measures if needed. Retain the TIA as evidence and review annually or when the legal framework changes.
Update privacy notices to reflect your data map accurately
Privacy notices must be concise, transparent, intelligible, and easily accessible. They must reflect your actual processing activities, legal bases, data categories, retention periods, and transfer mechanisms. After completing your data map, review every privacy notice (website, app, HR, cookie policy) and update any information that no longer accurately describes your processing. GDPR prohibits processing data for purposes not disclosed in the notice.
Implement a data subject rights fulfillment workflow and test it
Data subjects have rights of access (Article 15), rectification (16), erasure (17), restriction (18), portability (20), and objection (21). Build documented workflows for each right, including: how requests are received and authenticated, who processes them, how systems are searched across your data map, what is excluded from disclosure, and how responses are formatted. Test workflows to confirm they can meet the one-month response deadline.
Assess and document the need for Data Protection Impact Assessments (DPIAs) for high-risk processing
DPIAs are mandatory before processing likely to result in high risk to individuals — including large-scale processing of special category data, systematic profiling, processing of vulnerable data subjects, and novel use of new technologies. Maintain a list of processing activities that have undergone DPIA review, the DPIA outcome, and any residual risks accepted. The DPO must be consulted on each DPIA before processing begins.
Maintain a sub-processor register and notify controllers of sub-processor changes
Processors must maintain their own Article 30 RoPA and a register of sub-processors they engage. Article 28(2) requires processors to obtain written authorization before engaging a sub-processor. If operating under a DPA that provides for general authorization, you must notify controllers of sub-processor changes at least 30 days in advance and give them the right to object. Keep sub-processor registers current as cloud platforms add and change sub-processors.
Implement technical and organizational measures proportionate to data sensitivity
Article 32 requires controllers and processors to implement appropriate security measures considering the state of the art, cost, and risk. For your data map, assign a security classification to each data category and document the technical measures (encryption, access controls, pseudonymization, audit logging) and organizational measures (access policies, training, background checks) in place. This security assessment feeds into both your RoPA and any DPIA.
Establish a cross-departmental data governance committee with quarterly review cadence
Data mapping is not a one-time project. Personnel, systems, and business processes change continuously. Establish a data governance function with representatives from Legal/Privacy, IT Security, HR, Marketing, and Finance. Meet quarterly to review: new processing activities, vendor changes, data breach incidents, regulatory guidance updates, and RoPA amendments. Document meeting minutes as evidence of ongoing compliance.
Integrate data mapping into system development and vendor procurement processes
Embed privacy-by-design into your SDLC: require a privacy assessment for any new system or feature that processes personal data before development begins. Add a privacy/data protection section to vendor procurement questionnaires that collects Article 30 information upfront. New vendors should not be onboarded until a DPA is executed and their processing activities are added to the RoPA.
Document lawful bases for any automated decision-making or profiling activities
If you use automated processing to make decisions that produce legal effects or significantly affect individuals (credit scoring, dynamic pricing, profile-based content filtering), additional requirements apply. You must disclose automated decision-making in privacy notices, allow data subjects to request human review, and implement measures to prevent discrimination. Document the logic involved, the significance, and the envisaged consequences.
Conduct an annual data map review and update the RoPA for material changes
Annual reviews should assess: new personal data collected since last review, changes to processing purposes, new vendors or changes to existing vendors, new cross-border transfers, expiry of transfer mechanisms, changes to retention schedules, and updates to supervisory authority guidance. Flag any processing activities that require a new DPIA due to material changes. Document the review and update the RoPA version history.
Be prepared to present your RoPA to the supervisory authority upon request
Article 30(4) requires controllers and processors to make the RoPA available to the supervisory authority on request. Supervisory authorities have found companies in violation for maintaining no RoPA, maintaining an inaccurate RoPA, or maintaining a RoPA that cannot be produced promptly. Conduct a mock RoPA request exercise annually: can you produce a complete, accurate, exportable RoPA within 48 hours? If not, your documentation process needs improvement.
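As an added example (not ComplianceStack's tool or the page's own code), the Python below turns the documentation rules from the RoPA, legal basis, processor, classification, retention and transfer steps above into a gap check over an inventory of processing activities: a valid Article 6 legal basis (with a retained LIA for legitimate interests), an Article 9 condition for special category data, an Article 28 DPA for every processor, a documented retention period, and a transfer mechanism plus TIA for SCC-based third-country transfers. The `Activity` and `Processor` record layout, the adequacy list and the sample payroll record are constructed assumptions, not a standard or a real vendor.

```python
from dataclasses import dataclass, field

LEGAL_BASES = {"consent", "contract", "legal_obligation",
               "vital_interests", "public_task", "legitimate_interests"}
# Constructed and non-exhaustive: verify against current Commission adequacy decisions.
ADEQUATE = {"EEA", "UK", "CH", "JP"}


@dataclass
class Processor:
    vendor: str
    country: str          # where the vendor processes the data
    dpa_ref: str = ""     # Article 28 DPA reference in the processor register
    mechanism: str = ""   # "SCC", "BCR", "derogation" or "" (none documented)
    tia_ref: str = ""     # Transfer Impact Assessment reference


@dataclass
class Activity:
    name: str
    legal_basis: str = ""
    lia_ref: str = ""                 # Legitimate Interests Assessment reference
    special_category: bool = False    # Article 9 data involved
    art9_condition: str = ""          # which Article 9(2) condition applies
    retention_months: int = 0         # 0 means no retention period documented
    processors: list = field(default_factory=list)


def gaps(a: Activity) -> list:
    """Return the checklist items this activity fails; an empty list means no gaps."""
    out = []
    if a.legal_basis not in LEGAL_BASES:
        out.append("no valid Article 6 legal basis documented")
    elif a.legal_basis == "legitimate_interests" and not a.lia_ref:
        out.append("legitimate interests relied on without a retained LIA")
    if a.special_category and not a.art9_condition:
        out.append("special category data without an Article 9 condition")
    if a.retention_months <= 0:
        out.append("no retention period documented")
    for p in a.processors:
        if not p.dpa_ref:
            out.append(f"{p.vendor}: no Article 28 DPA on file")
        if p.country not in ADEQUATE:  # third-country transfer needs a mechanism
            if p.mechanism not in {"SCC", "BCR", "derogation"}:
                out.append(f"{p.vendor}: third-country transfer without a mechanism")
            elif p.mechanism == "SCC" and not p.tia_ref:
                out.append(f"{p.vendor}: SCC transfer without a TIA")
    return out


# Constructed sample: payroll run through a US-hosted vendor under SCCs, no TIA yet.
PAYROLL = Activity("Payroll", legal_basis="contract", retention_months=84,
                   processors=[Processor("PayCo", "US", dpa_ref="DPA-017", mechanism="SCC")])
```

Running `gaps(PAYROLL)` reports only the missing TIA, which is the kind of finding the annual review and mock RoPA request exercise are meant to surface before a supervisory authority does.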
Frequently Asked Questions
Is a data map the same as an Article 30 Record of Processing Activities?
They are closely related but not identical. A data map is a broader term for the documentation of how personal data flows through an organization — it typically includes data flow diagrams, system inventories, and processor registers in addition to the processing activity records. The Article 30 RoPA is the specific legally required document that controllers and processors must maintain and make available to supervisory authorities on request. A well-built data map is the foundation for an accurate RoPA.
Which companies are exempt from the Article 30 RoPA requirement?
Article 30(5) provides an exemption for organizations with fewer than 250 employees, unless the processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special category data (Article 9) or criminal conviction data (Article 10). In practice, most companies that process employee, customer, or prospect data process personal data non-occasionally and should maintain a RoPA regardless of size. EDPB guidance recommends all organizations maintain records.
How often must the GDPR data map be updated?
GDPR does not specify an update frequency, but the accountability principle (Article 5(2)) requires ongoing compliance — which means the RoPA must be accurate at all times, not just at year-end. Best practice is to update the RoPA whenever a new processing activity begins, a vendor is added or changed, a system migration occurs, or a supervisory authority requests the document. Conduct a comprehensive annual review to catch any undocumented changes. Supervisory authorities have cited companies for RoPAs that were accurate when created but allowed to go stale.