How to Map Personal Data
You cannot govern what you cannot see. Data mapping is usually the first moment a business discovers how much its real workflow differs from its assumptions.
Start with actual workflows, not policy documents. Map collection, storage, vendor access, retention assumptions, and request-handling impact in the same view.
Where to start
- Signup, onboarding, and checkout flows
- Lead-gen forms and marketing capture points
- Support tools, CRM systems, and lifecycle tools
- Analytics/event systems tied to identifiable users
- Any vendor or service provider touching those workflows
What to capture in the map
- System or workflow name
- Categories of data involved
- Why the data is collected or used
- Which team owns the workflow
- Which outside vendors/processors touch it
- What retention or deletion assumptions currently exist
Why this matters
Most downstream privacy work becomes much easier once the business can see where data lives, who touches it, and what changes would be needed for notice updates, vendor reviews, deletion requests, or suppression actions.
Common mistakes
- Only mapping the product database while ignoring CRM/support/marketing tools
- Ignoring exports, spreadsheets, and manual workflows
- Assuming vendors are known when teams actually cannot list them cleanly
- Failing to revisit the map after product or growth changes