GDPR Data Map

An easy-to-use self-assessment tool for understanding how data moves through your organisation


The GDPR Data Map is a 100% free resource. You are free to use it however you wish, provided you credit Ideea (just a link will do!).

What is the GDPR Data Map?

At present, businesses do not have a structured method for understanding what data falls under GDPR and how to handle it appropriately. To address this, Anthony Budd has created the GDPR Data Map. This self-assessment template tool will allow you to get a clear understanding of exactly what data your organisation is in possession of and how that data is moving through your organisation.

The Columns


Source

In the first column, titled ‘Source’, write the source of the personal data coming into your organisation. This could be a contact form on your website, or it could be an email marketing list from an external 3rd party. Remember, if the source is not directly from the data subject (for example, an email marketing list), you must ensure that this list was collected legally. Always refer to the 3rd party’s T&Cs and privacy policy when in doubt.

Personal Data

The personal data column is for describing exactly what types of personal data you are collecting. It’s important to go into as much detail as possible. PII could be any of the following: physical address, phone number, email address, IP address, health information, criminal records, place of work, etc.


Reason

In the reason column, justify your reasons for collecting this data. Explain exactly how and why the collection of this data is necessary for the organisation. For the avoidance of doubt, everything in this column should start with “We need this data because…”.


Handling

In the handling column, explain where the data will be stored. Data storage can be physical (printed documents), local (a computer owned by the organisation) or remote (on the cloud; Google Drive, AWS S3, CRM). Explain who this data will be exposed to, both inside and outside of your organisation. If you are a data processor, detail how and what processing you will be doing. Also list all security measures you have in place to protect the data.


Disposal

The Disposal column is for explaining how and when your organisation will dispose of the PII. All personal data should be deleted after a specified period of time, but special situations and events, like a user deleting their account, may also result in the disposal of that user’s data.


Flags

The flags section (the last four columns) is for highlighting important information about the data. When reviewing this document, pay special attention to these columns: these items will require extra attention in order to comply with GDPR.

Consent Obtained

In order to collect any PII, the appropriate level of consent must be explicitly provided by the data subject. If this column is not ticked, you should clearly justify your reasons for collecting this data in your T&Cs and privacy policy.

Subject is over 13

If the data subject is under the age of 13 (the age of consent can be up to 16 outside of the UK), put a tick in the column. If you are collecting and/or processing data of a person under the age of 13, consent must be obtained from a person holding “parental responsibility”.

Mission critical data

Tick this column if this data is considered mission critical. For the purpose of this tool, “mission critical” is defined as a piece of data without which, if it were not collected or processed, the business could not operate. If this column is not ticked, you should consider not collecting this data at all. Not collecting data demonstrates that you are implementing a privacy by design pattern.

Sensitive personal data

Under GDPR, not all personal data is considered equal; some data is considered “sensitive personal data”. Examples of this kind of data would be racial or ethnic origin, political opinions, religious beliefs and physical or mental health conditions. Additional GDPR regulations will apply if you intend to store or process these kinds of sensitive personal data.