🗺 Phase 1 · 4-6 weeks

Phase 1: Data Mapping & Processing Inventory (Article 30)

Build the comprehensive Record of Processing Activities (ROPA) required by Article 30. This is the backbone of GDPR compliance — you cannot comply with most GDPR requirements if you do not know what data you have, where it is, and why you have it. This phase involves detailed data discovery, classification, and flow mapping across all systems and processes.

🎯 Objectives

  • Create a complete Article 30 Record of Processing Activities (ROPA)
  • Map all personal data flows within and outside the organization
  • Classify all personal data by category and sensitivity level
  • Identify and document the lawful basis for each processing activity
  • Identify all cross-border data transfers and their legal mechanisms

Detailed Data Discovery and Classification

Systematically discover all personal data across all systems: databases, file shares, email, cloud services, paper records, CCTV, building access systems, vehicle tracking, call recordings, and any other medium. Classify data into categories (identity data, contact data, financial data, special category data, etc.) and tag sensitivity levels.

🎓 Beginner's Note

Data discovery is often eye-opening. Organizations typically find personal data in 2-3x more places than they expected. Test and development databases often contain copies of production personal data. Application logs may contain IP addresses, user IDs, or even full request payloads with personal data.

💡 Consultant Tips

  • Use automated data discovery tools where possible (Informatica, OneTrust, BigID, Microsoft Purview)
  • Do not forget unstructured data: email, documents, chat logs, shared drives
  • Check for personal data in unexpected places: application logs, error messages, test/dev databases, analytics platforms
  • Interview data engineers and DBAs — they know the data landscape better than anyone
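The kind of log check the note above describes, as an added example (not code from this page or from any of the tools named in the tips): a small Python scanner over constructed application log lines that tags each hit with a data category and sensitivity level in the scheme used here. The patterns, the sample lines, and the sensitivity labels are assumptions to be tuned per organisation.

```python
import re
from collections import Counter

# Constructed sample log lines (not from any real system); they show the kinds of
# personal data the note above says turn up in logs: IPs, user IDs, request payloads.
SAMPLE_LOG = """\
2024-03-01T10:01:02Z INFO  GET /account ip=203.0.113.42 user_id=48213
2024-03-01T10:01:05Z DEBUG payload={"email":"jane.doe@example.com","phone":"+44 7700 900123"}
2024-03-01T10:02:10Z ERROR checkout failed card=4111111111111111 user_id=48213
2024-03-01T10:03:00Z INFO  healthcheck ok
"""

# Pattern -> (data category, sensitivity tag); categories follow the page's scheme.
PATTERNS = {
    "email":   (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),   ("contact",   "medium")),
    "phone":   (re.compile(r"\+\d[\d ]{8,14}\d"),           ("contact",   "medium")),
    "ipv4":    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), ("identity",  "medium")),
    "user_id": (re.compile(r"\buser_id=\d+"),               ("identity",  "low")),
    "card":    (re.compile(r"\b\d{13,19}\b"),               ("financial", "high")),
}

def luhn_ok(digits):
    """Luhn checksum, so the card pattern does not flag every long number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact(value):
    # Keep only the edges so the discovery report does not itself spread the data.
    return value[:2] + "*" * max(len(value) - 4, 0) + value[-2:]

def scan_log(text):
    """One dict per hit: line number, pattern name, category, sensitivity, redacted sample."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, (pattern, (category, sensitivity)) in PATTERNS.items():
            for m in pattern.finditer(line):
                if kind == "card" and not luhn_ok(m.group(0)):
                    continue
                findings.append({"line": line_no, "kind": kind, "category": category,
                                 "sensitivity": sensitivity, "sample": redact(m.group(0))})
    return findings

def summarize(findings):
    """Counts per (category, sensitivity): raw input for the classification inventory."""
    return Counter((f["category"], f["sensitivity"]) for f in findings)
```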

Build the Article 30 ROPA

Create the formal Record of Processing Activities. For EACH processing activity, document: (1) Purpose of processing, (2) Categories of data subjects, (3) Categories of personal data, (4) Recipients/categories of recipients, (5) International transfers and safeguards, (6) Retention periods, (7) Technical and organizational security measures, (8) Lawful basis. For processors, also document: processing activities carried out on behalf of each controller.

🎓 Beginner's Note

The ROPA is required by Article 30 for any organization with 250+ employees, OR any organization that processes data that is not occasional, that could result in risk to individuals, or that includes special category data. In practice, nearly every organization needs one. Think of the ROPA as the master catalog of all personal data processing.

💡 Consultant Tips

  • Use a tool or detailed spreadsheet — the ROPA will grow over time and needs to be maintainable
  • Organize by business process or department, not by system — people think in processes, not databases
  • Include both automated and manual processing activities
  • Make one person per department the ROPA owner responsible for keeping it up to date
  • The ICO (UK) and CNIL (France) both publish excellent ROPA templates

Data Flow Mapping

Create visual data flow diagrams showing how personal data moves through the organization: from collection points through internal systems to third parties. Map both internal flows (between departments and systems) and external flows (to/from vendors, partners, regulators, and across borders).

🎓 Beginner's Note

Data flow maps are incredibly valuable beyond GDPR. They help identify redundant data copies, security risks, and integration issues. When you map flows, you often discover that data takes unexpected detours — through personal email, USB drives, or unauthorized cloud services. These are your biggest risks.

💡 Consultant Tips

  • Use simple diagrams — boxes for systems/entities, arrows for data flows, color-coding for sensitivity
  • Highlight cross-border transfers (they need special legal mechanisms)
  • Identify single points of failure and high-risk data concentrations
  • Tools like Lucidchart, draw.io, or OneTrust can help create and maintain data flow maps

Lawful Basis Mapping

For each processing activity in the ROPA, determine and document the appropriate lawful basis under Article 6. If processing special category data, also identify the Article 9 condition. If processing criminal offense data, identify the Article 10 basis. Create a lawful basis register.

🎓 Beginner's Note

Lawful basis mapping is where theory meets reality. For each entry in your ROPA, you must pick one (and only one) of the six lawful bases. This is not just paperwork — if you choose wrong, the processing is unlawful. Common mappings: HR processing employee data = legal obligation + contract. Marketing emails = consent. Fraud prevention = legitimate interests. Order fulfillment = contract.

💡 Consultant Tips

  • Work with the legal team — lawful basis selection has legal implications
  • Use the ICO Lawful Basis Interactive Guidance Tool as a reference
  • Do not default to consent for everything — consider legitimate interests, contract, and legal obligation first
  • For each processing activity, document WHY you chose that specific basis
  • If you cannot identify a lawful basis, the processing must stop until one is established

Retention Period Analysis

Define and document retention periods for each category of personal data. Data must not be kept longer than necessary for its purpose. Consider legal, regulatory, contractual, and operational requirements. Create a data retention schedule and identify data that is currently being kept beyond its justified retention period.

🎓 Beginner's Note

Many organizations never delete anything — they keep data forever 'just in case.' GDPR requires storage limitation: you can only keep personal data for as long as necessary for its purpose. Creating a retention schedule forces hard conversations about why data is being kept. If nobody can articulate a reason, it should probably be deleted.

💡 Consultant Tips

  • Research regulatory retention requirements first (tax: 7 years, employment: varies by jurisdiction, medical: varies widely)
  • For data with no legal retention requirement, define a reasonable business retention period and document the justification
  • Identify 'legacy data' that has no current purpose and should be archived or deleted
  • Consider creating tiers: active use, archive (restricted access), and deletion
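As an added example not taken from this page, the following Python sketch models one ROPA row with the eight items listed under "Build the Article 30 ROPA" and checks for the gaps the sections above describe: a missing or invalid Article 6 basis (the "processing must stop" rule), special category data without an Article 9 condition, a cross-border transfer without a legal mechanism, no retention period, and records already held beyond their retention period. The field names, the sample register, and the short tokens used for the lawful bases are assumptions; the Article 9 check only tests that a condition has been recorded, not which one applies.

```python
from dataclasses import dataclass
from datetime import date, timedelta

ARTICLE_6_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
                   "public_task", "legitimate_interests"}   # the six Article 6(1) bases

@dataclass
class ProcessingActivity:
    """One ROPA row; fields follow the eight items listed under 'Build the Article 30 ROPA'."""
    name: str
    purpose: str
    data_subjects: list
    data_categories: list            # include "special_category" where applicable
    recipients: list
    international_transfer: str      # "" if none, otherwise the destination
    transfer_safeguard: str          # e.g. "SCCs" or "adequacy decision"; "" if none
    retention_days: "int | None"     # None = not yet defined
    security_measures: list
    lawful_basis: str                # one of ARTICLE_6_BASES; "" if not yet identified
    article_9_condition: str = ""    # the Article 9(2) condition relied on, if any

def validate(a):
    # Gaps that must be closed before the row is compliant; "STOP" mirrors the tip above.
    issues = []
    if a.lawful_basis not in ARTICLE_6_BASES:
        issues.append("STOP: no valid Article 6 lawful basis; processing must pause")
    if "special_category" in a.data_categories and not a.article_9_condition:
        issues.append("special category data with no Article 9 condition recorded")
    if a.international_transfer and not a.transfer_safeguard:
        issues.append(f"transfer to {a.international_transfer} has no legal mechanism")
    if a.retention_days is None:
        issues.append("no retention period defined")
    if not a.security_measures:
        issues.append("no technical or organisational measures recorded")
    return issues

def overdue_records(a, collected, today):
    # Collection dates (ISO strings) that now fall outside the activity's retention period.
    if a.retention_days is None:
        return []
    cutoff = date.fromisoformat(today) - timedelta(days=a.retention_days)
    return [d for d in collected if date.fromisoformat(d) < cutoff]
# Constructed sample register for a hypothetical organisation.
REGISTER = [
    ProcessingActivity("Newsletter", "marketing emails", ["customers"], ["contact"],
                       ["email platform"], "United States", "", None, ["TLS"], "consent"),
    ProcessingActivity("Sickness absence", "manage absence", ["employees"],
                       ["identity", "special_category"], ["HR"], "", "", 3 * 365,
                       ["access control"], "employment"),
]
```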

📦 Phase Deliverables

  • Complete Article 30 Record of Processing Activities (ROPA)
  • Personal Data Classification Inventory
  • Data Flow Diagrams (internal and external)
  • Lawful Basis Register (mapping each processing activity to its legal basis)
  • Data Retention Schedule (with justifications for each retention period)
  • Cross-Border Transfer Register (all international data flows with legal mechanisms)
  • Data Discovery Report (unexpected findings, shadow data, recommendations)