Build your data map

The ICO requires your organisation to carry out information audits (or data mapping exercises) to find out what personal data is held and understand how the information flows through your organisation.

You must keep your data map up to date and assign the responsibilities for maintaining and amending it.

Consult your staff to make sure that it is an accurate picture of processing activities, for example, by using questionnaires and staff surveys.


Generate your data map automatically makes data mapping straightforward. Based on the answers you’ve previously given can generate a data map for you. Just press the pink “Build” button. 


When you've generated your data map, we recommended you review the data map processes manually. You can do this by selecting the “Build your data map” task.


Keeping your data map up to date

You are required to keep your data map up to date. has built-in processes to help you. 

PORT schedules data reviews once every quarter of a year. These reviews help you to identify any changes to your data processing that you may need to document. The review also updates your data map and privacy documentation automatically. 


  • To remain compliant, you should never carry out a new processing activity until you have reviewed it and made sure it fits in with your current purposes for processing. If you are processing data for a new purpose or the data processing is high risk in nature, you should carry out a Data Protection Impact Assessment (DPIA). The assessment will identify the risks. You can then implement any risk mitigation actions deemed necessary in advance of carrying out the new processing activity. 
  • If the processing is sufficiently safe to carry out, you must update your privacy information and update the individuals it applies to before engaging in the data processing activity.
  • Invite your team members to add data processes and third parties that they intend to use to the data map.
  • Your updates and changes will be listed as staged changes pending review.
  • Review the changes and carry out the necessary DPIA’s.
  • Don’t publish your new policies or carry out the data processing activities until you are confident that the data map reflects all your data processing activities.
  • You can then publish your updated version of your privacy policies and privacy centre.  

Manually build your data map from scratch.

You may wish to build a data map from scratch based on your existing policy documentation. 

To build your data map, click the pink and white “Build manually” button.