- GDPR Article 30: most organisations must maintain a Record of Processing Activities (RoPA), which is essentially a data map
- A data map documents: what data you hold, where, why, who can access it, how long you keep it
- Start with your highest-risk data first (client data, health data, financial records)
- It is a living document — update it whenever systems or processes change
Personal data mapping — also called a data inventory or data flow mapping — is the process of systematically identifying all personal data in your organisation: what it is, where it lives, how it flows, who has access, and how long you keep it. Under GDPR Article 30, most organisations are required to document this in a Record of Processing Activities (RoPA).
Beyond compliance, a data map is operationally valuable. When a data breach occurs, you need to know exactly which data, and which data subjects, are affected. When a data subject access request (DSAR) arrives, you need to know where to search. When you deploy a new system, you need to know what data it will touch. A maintained data inventory answers all of these questions quickly.
What your data map must capture
At minimum, your RoPA under Article 30 must include:
- Name and contact details of the controller (and DPO if applicable)
- Purposes of each processing activity
- Categories of data subjects (clients, employees, prospects, etc.)
- Categories of personal data (names, contact details, financial data, health data, etc.)
- Categories of recipients (who receives or accesses the data)
- Transfers to third countries (outside the EEA) and safeguards applied
- Retention periods or criteria for deletion
- A general description of the technical and organisational security measures (Article 32), where possible
How to build your data map
Step 1: Identify your processing activities
Start by listing all the things you do with personal data. For a professional services firm, this typically includes: client onboarding and KYC, service delivery and matter management, billing and invoicing, marketing communications, HR and payroll, supplier management, IT access management, CCTV.
Step 2: Interview the data owners
For each department or function, talk to the people who actually use the data day to day. They know which systems they use, what information they collect, and with whom they share it. IT, HR, finance, compliance, and client-facing teams all need to be included.
Step 3: Identify all systems
List every application, system, or storage location that holds personal data. Include:
- CRM and case management systems
- Email platforms
- Document management and cloud storage
- HR and payroll systems
- Accounting platforms
- Marketing automation tools
- Video conferencing platforms (if they store recordings)
- Physical files and paper records
- Backup systems
Step 4: Map data flows
For each processing activity, trace the flow of data: where does it come from, what happens to it, where does it go, who has access at each stage. This reveals third-party processors, international transfers, and access control gaps that may not be obvious from system lists alone.
Step 5: Assign lawful basis and retention periods
For each processing activity, document the GDPR lawful basis and the retention period. This is where your data map connects to your broader compliance documentation — privacy notices, retention schedules, and DPAs.
Practical shortcut: Start with your client data — it is almost certainly your highest volume and highest risk. Get that mapped completely before tackling lower-risk processing activities. A partial, maintained data map is far more valuable than a comprehensive one that is immediately out of date.
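The five steps above produce records with a fixed shape, and a map in that shape can be checked mechanically against the Article 30 list instead of by reading it through. The following is an added example, not HubSecure's own tooling: a small Python data model for a RoPA with checks for a lawful basis that is not one of the Article 6 bases, a missing retention period, and a non-EEA hop in a data flow with no documented safeguard, plus the DSAR and breach lookups from the introduction and the Article 30(5) headcount test from the FAQ below. The system names, vendor names, countries, activities and headcount are constructed sample data; the EEA list is the 27 member states plus Iceland, Liechtenstein and Norway.

```python
"""Machine-readable RoPA with the Article 30 checks a reviewer does by hand.
Added example, not HubSecure tooling; all inventory data below is constructed.
"""
from dataclasses import dataclass, field

# EU member states plus Iceland, Liechtenstein and Norway
EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
       "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
       "SI", "ES", "SE", "IS", "LI", "NO"}
# Article 6(1) lawful bases and Article 9(1) special categories, as labels
LAWFUL_BASES = {"consent", "contract", "legal obligation", "vital interests",
                "public task", "legitimate interests"}
SPECIAL_CATEGORIES = {"health", "biometric", "genetic", "racial or ethnic origin",
                      "political opinions", "religious or philosophical beliefs",
                      "trade union membership", "sex life or sexual orientation"}


@dataclass(frozen=True)
class System:
    name: str
    country: str    # ISO 3166-1 alpha-2 code of where the data is hosted
    processor: str  # "in-house" or the vendor running it (a recipient)


@dataclass
class Activity:
    name: str
    purpose: str
    data_subjects: frozenset
    data_categories: frozenset
    lawful_basis: str
    retention: str     # period or deletion criterion, Art. 30(1)(f)
    flow: tuple        # system names in the order the data passes through them
    safeguards: dict = field(default_factory=dict)  # country code -> e.g. "SCCs"
    occasional: bool = False                        # for the Art. 30(5) test


def check_activity(act, systems):
    """Findings for one RoPA entry; an empty list means the entry is complete."""
    findings = []
    if act.lawful_basis not in LAWFUL_BASES:
        findings.append(f"{act.name}: '{act.lawful_basis}' is not an Article 6 basis")
    if not act.retention.strip():
        findings.append(f"{act.name}: no retention period or deletion criterion")
    for name in act.flow:
        country = systems[name].country
        # Art. 30(1)(e): every non-EEA hop needs the country and a safeguard
        if country not in EEA and country not in act.safeguards:
            findings.append(f"{act.name}: transfer to {country} via {name} has no documented safeguard")
    return findings

def recipients(act, systems):
    """Art. 30(1)(d) recipients: the external processors in the flow."""
    return {systems[n].processor for n in act.flow if systems[n].processor != "in-house"}

def systems_to_search(activities, subject_category):
    """Where to look when a DSAR arrives from this category of data subject."""
    return {n for a in activities if subject_category in a.data_subjects for n in a.flow}

def breach_impact(activities, system_name):
    """Activities and data categories exposed if one system is compromised."""
    return {a.name: sorted(a.data_categories) for a in activities if system_name in a.flow}

def ropa_required(headcount, activities):
    """Art. 30(5): under 250 staff is exempt only if all processing is occasional and
    touches no special category data (the 'likely risk' limb is a judgement call
    and is not modelled here)."""
    if headcount >= 250:
        return True
    return any(not a.occasional or a.data_categories & SPECIAL_CATEGORIES
               for a in activities)


# Constructed inventory: two in-house EEA systems, two US-hosted vendors
SYSTEMS = {s.name: s for s in (
    System("crm", "IE", "in-house"),
    System("email", "DE", "in-house"),
    System("payroll", "US", "PayVendor Inc"),
    System("backup", "US", "CloudBackup Ltd"),
)}
ACTIVITIES = [
    Activity("client onboarding and KYC", "verify client identity under AML rules",
             frozenset({"clients"}), frozenset({"name", "contact details", "ID documents"}),
             "legal obligation", "5 years after the relationship ends",
             ("crm", "email", "backup"), safeguards={"US": "SCCs"}),
    # Deliberately incomplete: no retention period, no safeguard for the US hops
    Activity("HR and payroll", "pay staff and meet employer obligations",
             frozenset({"employees"}), frozenset({"name", "bank details", "health"}),
             "contract", "", ("payroll", "backup")),
]

if __name__ == "__main__":
    for act in ACTIVITIES:
        for finding in check_activity(act, SYSTEMS):
            print("FINDING:", finding)
    print("RoPA required for 40 staff:", ropa_required(40, ACTIVITIES))
    print("DSAR from a client, search:", sorted(systems_to_search(ACTIVITIES, "clients")))
```

Run as a script, the KYC entry produces no findings, while the HR entry produces three: the missing retention period and one unprotected US hop each for the payroll vendor and the backup vendor. The same flow data answers the operational questions from the introduction: a client DSAR means searching the CRM, email and backup systems, and a compromise of the backup system touches both activities. Note that the backup system appears in every flow; backups are the location most often left off a hand-drawn map.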
Maintaining your data map
A data map that is not maintained becomes a compliance liability rather than an asset. Build a review process:
- Review the full data map at least annually
- Trigger an update whenever a new system is deployed, a new vendor is engaged, or a process changes significantly
- Assign ownership — a named individual or team responsible for keeping the map current
- Version control — keep a record of when changes were made and why
Does the Article 30 RoPA exemption for SMEs apply to regulated businesses?
Article 30(5) exempts enterprises and organisations employing fewer than 250 persons from the RoPA requirement, but the exemption is lost if the processing is likely to result in a risk to individuals' rights and freedoms, is not occasional, or includes special category data (Article 9) or data relating to criminal convictions and offences (Article 10). Routine HR and client processing is not occasional, so the exemption is narrower than it looks, and regulated businesses (AML-obliged entities, financial services, healthcare) almost always fall outside it.
Can supervisory authorities request our data map?
Yes. The RoPA must be made available to supervisory authorities on request under Article 30(4). Regulators routinely review data maps during audits and investigations.
All your client data, mapped and governed
HubSecure CRM and Vault keep personal data in a single governed workspace — so your data map stays accurate and your DSAR responses are fast.
Prepared by the HubSecure editorial team for operators, compliance leaders and IT reviewers evaluating secure client operations software.