Ask any privacy professional what separates a PIMS that holds up under audit from one that falls apart, and the answer will almost always involve data flow mapping. Not because data mapping is the most glamorous part of privacy management — it is not. But because everything that follows — risk assessment, control selection, policy design, consent management, data subject rights — depends on having an accurate picture of what personal data your organisation actually processes, where it lives, and how it moves.
Most organisations have something they call a data flow map. Far fewer have one that is accurate, complete, and maintained. This post gives you a practical framework for building and sustaining one that is all three.
What a Data Flow Map Actually Needs to Capture
A data flow map for ISO 27701 purposes is more than a list of systems that hold personal data. It is a documented inventory of processing activities — the what, why, how, who, where, and how long of every instance in which your organisation handles personally identifiable information.
For each processing activity, you need to document:
- What data is processed — categories of personal data (name, email, financial information, health data, etc.) and sensitivity classification
- Why it is processed — the purpose of the processing activity (HR administration, contract performance, marketing, fraud prevention, etc.)
- Legal basis — which GDPR Article 6 (and Article 9 for special categories) basis applies
- Data subjects — whose data it is (employees, customers, prospects, suppliers, website visitors, etc.)
- Systems involved — which IT systems, applications, and databases hold or process the data
- Data flows — how data moves between systems internally, and between your organisation and third parties
- Third-party processors — which external parties process the data on your behalf, under what contractual arrangements
- International transfers — whether data is transferred outside the UK/EEA, and what transfer mechanism applies
- Retention period — how long the data is kept and the basis for that retention period
- Your role — controller, processor, or both, for this processing activity
This is, in structure, the Article 30 record of processing activities that GDPR requires every controller and processor to maintain. The ISO 27701 PIMS requirement and the GDPR compliance requirement are the same document. Building it once serves both purposes.
The Discovery Process: How to Find What You Don’t Know You Have
The challenge with data flow mapping is that personal data does not announce itself. It accumulates in systems, spreadsheets, email inboxes, shared drives, and third-party platforms that were set up years ago by people who are no longer with the organisation. A complete map requires active discovery, not just interrogating the systems you already know about.
Start with process owners, not systems. Interview the people responsible for each business function — HR, finance, marketing, sales, customer service, IT, procurement, product. Ask them what personal data they handle, what they use it for, where it goes, and how long they keep it. Process owners know the reality of their data environment. The IT asset register does not.
Follow the data flows outward. For each processing activity identified, trace the data outward: where does it go next? What other systems receive it? What third parties does it reach? A marketing campaign might start with a customer email address and end with data flowing to a CRM, an email platform, an analytics tool, and a third-party data enrichment service — each of which needs to appear in your map.
Check the shadow IT.** Most organisations have personal data living in places that IT does not formally manage: local spreadsheets with customer contact details, email threads containing employee salary information, WhatsApp groups used for customer communication. These are not edge cases — they are common, and they represent real privacy risk. Your discovery process needs to surface them.
Don’t forget historical data. Legacy systems and archived data carry the same regulatory obligations as live data. If your organisation migrated to a new CRM three years ago and the old system is still running with historical customer data, that data is in scope — both for your PIMS and for GDPR.
Structuring the Map for Ongoing Use
A data flow map that exists as a completed document — reviewed once and filed — is not a PIMS control. It is a historical record. To function as part of a management system, the map needs to be a living document that is reviewed and updated whenever processing activities change.
This means building a change process. When a new system is procured that will hold personal data, the data flow map is updated before go-live. When a new third-party processor is engaged, the map is updated and a Data Processing Agreement is put in place. When a processing activity ceases, the map reflects the data deletion or archiving that follows.
The practical implication: the team responsible for the PIMS needs to be part of the procurement and change management process — not brought in after a new system or supplier has already gone live. Privacy by design means the data flow map is updated before a change happens, not after it has been discovered by an auditor.
How Auditors Use Your Data Flow Map
A certification auditor will use your data flow map as a starting point for testing the rest of your PIMS. They will take a processing activity from your map — say, customer marketing emails — and trace it through your PIMS: Is the legal basis documented? Is the consent record maintained? Is the data processor (email platform) covered by a DPA? Is the retention period specified and enforced? Is the data subject’s right to opt out being respected?
If your data flow map is accurate and complete, this exercise confirms that your PIMS is working as designed. If your map has gaps — processing activities that are not documented, third parties that are not captured — the auditor’s sampling will surface them, and each gap is a potential non-conformity.
An accurate data flow map is not just a compliance document. It is the evidence that your PIMS is grounded in your actual operations, not in a theoretical description of how data should be handled.
At Bitsecura, our ISO 27701 implementations always begin with a structured data flow mapping exercise — interviewing process owners, tracing data flows across systems and third parties, and producing an Article 30-compliant register that becomes the foundation of your PIMS. We then build your controls, policies, and risk assessments on that foundation.
If your current data flow map needs a critical review — or if you have not built one yet — get in touch here. No obligation, just a straight conversation about where to start.
Bitsecura provides ISO 27701 PIMS implementation, internal audit, and privacy gap assessment services. Learn more about our ISO 27701 services.