The questions your data map should answer
- What personal data do we process?
- Which systems hold or process it?
- Which vendors or processors have access?
- Why do we process it?
- Which RoPA records, DPIAs and risks depend on it?
Data Mapping · the Article 30 feeder
See every system, vendor, recipient, purpose, transfer and retention period in one place — and let the map feed your RoPA, DPIAs and risk reviews instead of living beside them.
A working privacy inventory, not another diagram — grounded in the records your assessments and Article 30 register already use.

Data rarely sits in one place. Acompli helps privacy teams map the flow from collection to system, vendor, recipient, retention and deletion, with links back to the governance decisions and source evidence behind every published relationship.
Record systems, vendors, locations, and processing activities as part of normal assessment and governance work — or import them from existing registers.
Acompli supports structured intake of supplier and system information so organisations can build connected records within a governed structure. AI-assisted mapping helps interpret current layouts and propose likely matches.
Map inputs. Reviewable outputs.
Applications, repositories and storage locations that hold or process personal data.
Processors, recipients and suppliers linked to the flows they touch.
Geographic context linked to systems and suppliers for transfer visibility.
Personal-data and data-subject categories tied to each processing activity.
Retention periods and deletion expectations kept with the mapped flow.
Assessments, imports and reviewed records that explain why the node exists.
How the map is built
This explains where the map comes from: IT systems, vendors, locations and RoPA activities become graph objects with source IDs. AI can polish layout, but it cannot invent unsupported nodes.

Map to governance
A data map is useful when signals become work: third-country transfers, AI systems, processors handling special-category data and missing retention evidence route into the right follow-up.

Where the diagram comes from
Data Mapping doesn't ask you to redraw your estate in a diagramming tool. The map is derived from records you already maintain: third parties, IT systems, and processing locations in the shared knowledge base, plus RoPA processing activities approved through assessments. Flows link to the RoPA activity IDs that produced them; nodes carry provenance back to source records.
A rule-based engine owns the map's structure — what is on it, how it connects, and which boundaries cross borders. AI may only improve presentation from that snapshot; it cannot invent, remove, or rename nodes. Diagrams stay honest because the source of truth is the register, not a model output.
Key takeaways
See RoPA Governance — the source of the activities the map renders · See Third-Party Risk — the shared inventory of nodes.
Last reviewed: 24 June 2026
Data inventory answer
Privacy data mapping software keeps the inventory behind your Article 30 register alive. It records systems, vendors, data categories, data subjects, purposes, recipients, retention periods, transfers and safeguards in one connected map, so privacy teams can answer GDPR accountability questions from reviewed evidence rather than a stale diagram.
Acompli builds that map from the records your programme already maintains: processing activities, systems, vendors, locations, assessments and transfer context. The data map becomes a feeder for RoPA, DPIAs and third-party risk rather than a parallel file somebody has to reconcile by hand.
Acompli helps privacy teams map the flow from collection to system, vendor, recipient, retention and deletion so third-party access, transfer risk, DPIA triggers and records that need review are easier to see.
GDPR data mapping software should track the fields that keep an Article 30 RoPA accurate: the activity, purpose, data subjects, personal-data categories, recipients, transfers, retention, safeguards, systems and the source evidence behind each flow. The GDPR does not name a data map as a separate statutory artefact, but the map is the evidence layer that keeps Article 30 records current and makes data-flow mapping useful to the DPC or ICO.
| Data-map field | Why it matters | Legal / audit anchor | Acompli record |
|---|---|---|---|
| Processing activity and purpose | Shows why personal data is processed and which business activity owns the flow. | GDPR Article 30(1)(b); DPC Article 30 accountability guidance. | Linked to the RoPA processing activity ID and reviewed purpose. |
| Data subjects and personal-data categories | Records whose data is involved and what categories of personal data are in scope. | GDPR Article 30(1)(c); ICO Article 30 documentation fields. | Stored on the connected activity, assessment and map node. |
| Systems, assets and storage locations | Identifies where the data lives, how it is stored and which systems the map depends on. | ICO audit framework: inventory, asset register and data-flow mapping expectations. | Systems and locations in the shared knowledge base feed the map. |
| Recipients, vendors and processors | Shows who receives or accesses the data, including processors and downstream recipients. | GDPR Article 30(1)(d) and Article 28 processor governance. | Recipient and processor nodes stay linked to third-party risk records. |
| International transfers and safeguards | Surfaces flows leaving the EEA or UK and the mechanism behind each transfer. | GDPR Article 30(1)(e), Chapter V and EDPB Recommendations 01/2020 after Schrems II. | Each cross-border route carries destination, mechanism and linked TIA context. |
| Retention and deletion | Keeps the map tied to how long data is retained and when it should be removed. | GDPR Article 30(1)(f); ICO retention schedule documentation. | Retention fields remain connected to lifecycle and review workflows. |
| Security measures | Explains the technical and organisational measures protecting the mapped processing. | GDPR Article 30(1)(g) and Article 32 security of processing. | Security context is held as supporting evidence, not inferred by the diagram. |
| Owner, source and review history | Shows who approved the field, where it came from and when it was last checked. | GDPR Article 5(2) accountability; ICO expectation that RoPA/data maps are reviewed and kept accurate. | Every node and flow traces back to a source record with named review history. |
Primary anchors: DPC Article 30 guidance · ICO Article 30 documentation fields · GDPR Article 30 text · EDPB Recommendations 01/2020.
Which tool
“Data mapping” means very different things. Moving data between systems (ETL) and cataloguing a warehouse are different jobs from mapping personal data for GDPR Article 30 — the right tool depends on which one you actually need.
| Type of tool | Best for | What it does | Watch-out |
|---|---|---|---|
| ETL / data-integration mapping | Engineering teams moving data between systems | Builds pipelines and maps fields from source to destination | A different job — it moves data, it does not evidence GDPR Article 30 processing or feed a RoPA |
| Data catalog / discovery platform | Large data teams cataloguing warehouses and lakes | Classifies and catalogues data assets at scale | Built for data governance and analytics, not the Article 30 record or the DPIA evidence trail |
| Privacy data mapping tool | Privacy teams building a GDPR data map | Inventories personal data and maps flows for Article 30 | Often a standalone map, separate from where the RoPA, DPIAs and risk records actually live |
| Privacy-platform-integrated data mapping (where Acompli sits) | Privacy teams who need the map to feed the RoPA, DPIAs and risk | A generated map of systems, vendors and transfers, human-reviewed, with each node traced to a source record | A privacy and governance tool, not an ETL or data-catalog engine |
Data mapping FAQ
Privacy data mapping software inventories personal data and maps how it moves across systems, vendors, recipients, purposes, retention and transfers. In Acompli the map is built from reviewed records rather than a one-off workshop: systems, suppliers and processing context stay connected, so the map updates as the business changes instead of expiring in a diagram.
GDPR data mapping software keeps the accountability evidence behind your Article 30 register: which systems hold personal data, which vendors receive it, why it is processed, how long it is kept and where it crosses borders. Acompli feeds those facts straight into RoPA records and assessments without re-keying, with transfers flagged for Schrems II safeguards.
Each Article 30 record needs purposes, categories, recipients, transfers and retention - exactly what the data map holds. In Acompli the map is the feeder: processing activities link to the mapped systems and vendors behind them, so when the map changes, the affected register entries surface for review instead of silently going stale.
A DPIA starts with an accurate description of the processing - what data, which systems, which vendors, where it flows. Acompli pulls that description from the live map, so assessments begin from reviewed facts; and where a flow crosses borders, the transfer is flagged for Schrems II analysis inside the assessment.
No. The data map is the evidence layer - systems, flows and inventory; the RoPA is the legal register of processing activities under Article 30 that the DPC and ICO inspect. In Acompli they stay linked: the map feeds the register, and each register entry can show the mapped systems and vendors behind it.
The map should feed the Article 30 RoPA without re-keying, stay current as systems and vendors change, and make cross-border flows explicit. In Acompli the map is derived from reviewed records in the shared knowledge base, so it is not a parallel diagram that has to be maintained by hand.
There is no standalone 'data map' article, but Article 30 GDPR — applied in Ireland (enforced by the Data Protection Commission) and mirrored in the UK GDPR / Data Protection Act 2018 (enforced by the ICO) — requires controllers and processors to maintain accurate records of processing, and a data map is how those records stay accurate. A stale map yields a stale Article 30 record. Acompli derives the map from the same register that produces your RoPA, so the two cannot diverge.
It should surface every flow that leaves the EEA, the destination country, and the transfer mechanism (Standard Contractual Clauses, an adequacy decision, or a derogation), and link each to the Article 30 record and its Transfer Impact Assessment. Acompli groups recipients in third countries into explicit trust boundaries on the diagram, supporting GDPR Chapter V transfer governance with a regulator-ready visual. This operationalises the CJEU's Schrems II ruling (Case C-311/18), and it matters in Ireland in particular, where the DPC is lead supervisory authority for many large US-headquartered processors.
Because the map is derived from the records that already govern your estate — knowledge-base entities plus approved RoPA activities — so updates happen as part of normal review rather than a separate clean-up exercise. A deterministic engine owns the topology (what is on the map and how it connects); AI may only improve presentation and cannot invent, remove or rename nodes, so the diagram stays tied to the register.
No — mapping, the Article 30 RoPA, and DPIAs serve different purposes, and Acompli keeps them connected so you can move from a flow on the map to the right record, assessment or risk entry without re-keying. Each flow references the RoPA activity ID that produced it, and nodes carry provenance back to source records.
Mapping where personal data flows into AI and automated-decision systems lets a team check those systems against the EU AI Act's Annex III high-risk categories. When Acompli's Code Scan surfaces AI usage in a connected repository and a DPO confirms the findings, the confirmed entries are written into the data map alongside the records-driven nodes, so the AI footprint is visible. Classification against Annex III is a human decision; Code Scan produces reviewable signals, not determinations.
Yes. Existing system, vendor and location records can be imported into the shared knowledge base, and the map is generated from them — so you do not start from a blank diagram. Imported items remain reviewable, and the platform keeps enriching them as new assessments and records are approved.
The best data mapping software is decided less by how the diagram looks than by whether the map is derived from your Article 30 records rather than redrawn by hand, whether each flow shows its cross-border transfer mechanism, and whether every node traces back to a source record a DPC or ICO inspection can follow. Acompli's angle is to govern these as connected, human-approved records tied to the wider GDPR and EU AI Act programme, each traceable to approved evidence rather than a standalone diagram. For a balanced, unbiased comparison of the available suppliers - evidence-based, drawn from public sources, and honest about where competitors are stronger than Acompli - we have compiled capability charts and vendor-by-vendor breakdowns for you to consider in our full comparison library.
Maintain a living view of flows, transfers, and dependencies with governance built in. Keep systems, suppliers, locations, data categories and source evidence connected.