Step 02 - Map Personal Data Flows
After identifying the gaps, the next step is to create a data map, which shows how personal data moves through your organization.
- Customer data: What do you collect from customers (email, phone, address, Aadhaar, payment details)? Where is it stored (databases, cloud)? Who has access?
- Employee data: Do you store resumes, bank details, or medical records? Who processes them — HR, payroll service providers, insurance partners?
- Vendor data: What information do you keep about suppliers or contractors? Are their details shared with other third parties?
Mapping data flows is critical because DPDPA compliance requires that you know exactly what data you hold, why you hold it, and where it goes.
Example
A stock broking company may realize that customer trade histories are shared with third-party analytics vendors abroad. Under DPDPA, it must now check whether such transfers are lawful and whether those vendors offer adequate safeguards.
Critical Point
Without accurate data flow mapping, organizations cannot ensure lawfulness, accountability, or security of personal data. It is the foundation for breach response, cross-border compliance, and respecting Data Principal rights.