Short answer: A data mapping tool helps organisations identify, classify, and visualise personal data within their systems. This is essential for complying with the UK GDPR, as it provides a clear overview of what data is being processed, where it is stored, and how it flows through the organisation. By using a data mapping tool, organisations can manage compliance more effectively and minimise the risk of data breaches.
What is a data mapping tool?
A data mapping tool is software that helps you build a visual representation of the data you store, giving you a clear overview of how data moves through your organisation. Data mapping tools can also be used to find personal information in files, emails and images. This blog post explains how a data mapping tool can help you locate your personal data and comply with privacy regulations.
Did you know that AI and automation have reduced the lifecycle of a data breach by 108 days on average?
- IBM Newsroom
How does a data mapping tool work?
This guide should provide an insight into the process of working with a data mapping tool and how it can be used to locate personal information. Our guide is based on our own data mapping tool, DataMapper.
When cleaning up with a data mapping tool, the task should be divided into two parts. The first part is about preparing the clean-up and is handled by an administrator. The second part is the actual clean-up work, which is carried out by the individual employee. We recommend these 4 steps when cleaning up with a data mapping tool:
1. Select data systems (admin)
2. Company scan (admin)
3. Limiting the cleanup (admin)
4. Cleanup (user)
Data mapping user guide
Step #1: Select data systems (admin)
Start by selecting the data systems where you suspect that you store sensitive data. These will typically be local disks, cloud solutions, mail clients, etc. Once the data systems have been selected, the admin initiates a scan of the entire company’s data.

Step #2: Global scan (admin)
After the initial company scan, the administrator should focus on getting an overview of the company’s sensitive data. Here we recommend that you follow these 4 steps:
- Files: Get an overview of your files with sensitive content; how many files with risk and how many with high risk have been found? Are there more or fewer than expected? Is there sensitive data stored in multiple locations? What types of files contain the most risky data? Are there any terms and categories that should be omitted or added?
- Data systems: In which data system are most files found? Assess whether this system is safe. Should you restrict access to this system to reduce risks?
- Employees: Which employees and departments have the largest amounts of sensitive data? Are there any work processes that should be changed?
- Cleanup plan: A clean-up plan should be drawn up, which should be aligned with your privacy policy. Determine, among other things, how long files are stored, where sensitive data must be stored, etc. Appoint the employee or employees who will be responsible for cleaning up the shared folders in your data systems. Also prepare a plan for how users will clean up; do they have to do the whole cleanup at once or do they have to do it in bits and pieces?
When you have gained certainty about the amount of personal data you have lying around, try to use this as a benchmark going forward and work your way down continuously.

Step #3: Limiting the cleanup (admin)
The next step for the administrator is to organise the clean-up based on the insight the business scan has provided. We often see that when a user scans their data, a lot of files with sensitive content come up, and it can seem like an overwhelming task. Therefore, we recommend that you settle for a sample of all the data you have. This can be done in 3 ways:
- Terms: Decide which sensitive terms to search for and which to leave out. This can be particularly useful if there are many “false positives” in the results. A false positive is a file that the scan has flagged as containing sensitive content, but that does not actually have sensitive content. It could, for example, be an email that says “No stress”. If there are other terms that are not normally considered sensitive, include them in the scan.
- Categories: Specify which sensitive categories to search for and which to exclude. This is useful if you only want to scan for politically sensitive information or do not want to scan for trade union information, for example.
- Filters: Implement filters for users. It may be that you want to start with all data in a specific data system, that you only want to focus on high-risk files, or that you only want to concentrate on files that are over 5 years old, etc.

Step #4: Cleanup (user)
After the administrator has gained an overview, the users must start cleaning up their data. The administrator sends the employees, who need to clean up their data, an invitation to DataMapper. Once the individual employee has registered and scanned his data, the employee can start the cleanup.
After the scan, the user gets a list of files in DataMapper that contain a GDPR risk. This risk can be either (normal) “Risk” or “High risk”. The user should review all scanned files. For each file, the user has 3 options; you can delete, move or approve the file.
- Keep: If you want to keep the file, you must mark it as “resolved”. You should approve the file if either:
– You understand and accept the risk
– The file is where it should be
– You still have a good reason to keep it
- Move: If, on the other hand, you want to move the file, you must click on “go to document” to move, edit or delete it.
- Delete: If you simply want to delete the file, you can also do this directly from within the data mapping tool.
We recommend proceeding like this:
- Start with high-risk files; see what sensitive content they have
- Delete old files
- Delete duplicates
- Move data into correct folders and data systems
- Approve all files that do not actually contain sensitive content

Be aware of this
After you have reviewed your results, start your cleanup.
- The rules of the GDPR do not specify a time frame for how long you may store data, but you should set an upper limit for how long you store data about others. Get it written into your privacy policies – and stick to them. Storing personal data for longer than your privacy policy prescribes is generally a bad idea and is in breach of GDPR legislation.
- When you have emptied your trash on your computer, the files are finally deleted – and when you initiate a scan of your local drives, there should therefore be no results from this. If you are in doubt about how to set up automatic deletion, you can (in Outlook) use this guide: set up automatic deletion in Outlook.
- Keeping duplicates of the same files in multiple locations or inboxes will cause the red lights to flash. Make sure that the data you have left after going through it in a data mapping tool is stored in the correct locations and that unnecessary copies have been completely deleted. Then cleaning up in the future will also be much easier.
Use a data mapping tool to continuously improve
Using data mapping tools can show you a different and smarter way of handling personal data. Here are the top 5 improvements/changes we see companies make after using a data mapping tool:
- Employees have access to data only if they need it to do their jobs
- They disable mail synchronisation to prevent email attachments landing in personal folders
- They set up automatic email deletion, especially for emails with attachments
- They choose better data-sharing tools, as well as centralised data storage.
- From time to time, they check up on themselves with a new scan to make sure data stays neat, organised and protected.
FAQ about data mapping tools
What is a data mapping tool?
A data mapping tool is software that helps identify, classify, and visualise personal data within an organisation’s systems to support compliance with data protection regulations.
How does data mapping support GDPR compliance?
By providing a clear overview of what personal data is being processed, where it is located, and how it flows through the organisation — all of which are essential for complying with the GDPR.
Is data mapping only relevant for large organisations?
No, both small and large organisations can benefit from data mapping to ensure proper data management and compliance with data protection laws.
Is a data mapping tool right for you?
I hope this enlightened you on how a data mapping tool works. If you need to clean up your data, you should take a closer look at our data mapping tool DataMapper.

Sebastian Allerelli
Founder & COO at Safe Online
Sebastian is the co-founder and COO of Safe Online, where he focuses on automating processes and developing innovative solutions within data protection and compliance. With a background from Copenhagen Business Academy and experience within identity and access management, he has a keen understanding of GDPR and data security. As a writer on Safe Online's Knowledge Hub, Sebastian shares his expertise through practical advice and in-depth analysis that help companies navigate the complex GDPR landscape. His posts combine technical insight with business understanding and provide concrete solutions for effective compliance.