In order to fully appreciate the scope of the GDPR and your duties in relation to it, it is essential to understand the personal data you are collecting and that you already hold. This is especially important for DPIAs, for the simple reason that a DPIA relies on having a comprehensive understanding of the data lifecycle.

There’s no explicit requirement for data mapping in the Regulation, but it would be extraordinarily difficult to meet all of the GDPR’s requirements without establishing the lifecycle of personal data in your organisation. In particular, Article 30’s requirement for a record of processing activities could be nearly impossible to meet without some sort of data mapping process.

Data mapping is generally ...

Get EU General Data Protection Regulation (GDPR), third edition - An Implementation and Compliance Guide now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.