A visual representation of how personal data moves through systems, processes, and third parties within an organisation.
Data flow mapping documents the complete journey of personal data through an organisation: from collection points, through internal systems, to processors and external parties, and ultimately to deletion or anonymisation. It identifies data sources, storage locations, processing systems, sharing relationships, encryption status at each stage, and cross-border transfers. This map forms the foundation of the Record of Processing Activities and enables gap identification.
You cannot protect what you cannot see. Without data flow maps, you cannot identify where consent gaps exist, which processors lack DPAs, where encryption is missing, or which transfers might become restricted. Data flow mapping is the foundational exercise for all DPDPA compliance.
A Bengaluru B2B SaaS maps its flows: Customer signup form → PostgreSQL (India) → Salesforce CRM (US) → Mailchimp (US) → Analytics aggregate (GCP Singapore). The map reveals the Mailchimp integration lacks a DPA and transfers sensitive data to a US server without contractual mechanisms.
Data flow maps are not just IT diagrams. They must include the legal context: lawful basis at each stage, consent coverage, encryption status, retention periods, and processor DPA status for each flow.
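The flow chain from the example above, recorded as an inventory with the legal context attached to each hop and checked for gaps. This is an added illustration, not code from any product. Only the two Mailchimp findings come from the example; the `Flow` class, `find_gaps`, `gap_report`, the home country and every other field value are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

HOME_COUNTRY = "IN"  # assumption: the organisation is established in India


@dataclass
class Flow:
    source: str
    dest: str
    dest_country: str                 # where the destination stores the data
    external_processor: bool          # destination is a third-party processor
    dpa_signed: bool
    encrypted: bool                   # encrypted in transit and at rest on this hop
    lawful_basis: Optional[str]
    retention_days: Optional[int]
    transfer_mechanism: Optional[str] = None  # contractual basis for cross-border hops


def find_gaps(flow, home=HOME_COUNTRY):
    """Return the compliance gaps for one hop of the data flow map."""
    gaps = []
    if flow.external_processor and not flow.dpa_signed:
        gaps.append("processor without DPA")
    if flow.dest_country != home and not flow.transfer_mechanism:
        gaps.append("cross-border transfer without contractual mechanism")
    if not flow.encrypted:
        gaps.append("unencrypted")
    if not flow.lawful_basis:
        gaps.append("no lawful basis recorded")
    if flow.retention_days is None:
        gaps.append("no retention period")
    return gaps


# Constructed sample inventory following the signup -> analytics chain above.
FLOWS = [
    Flow("Signup form", "PostgreSQL", "IN", False, False, True, "consent", 730),
    Flow("PostgreSQL", "Salesforce CRM", "US", True, True, True, "consent", 730, "contract clauses"),
    Flow("Salesforce CRM", "Mailchimp", "US", True, False, True, "consent", 365),
    Flow("Mailchimp", "Analytics aggregate (GCP)", "SG", True, True, True, "consent", 365, "contract clauses"),
]


def gap_report(flows=FLOWS):
    """Map 'source -> dest' to its gaps, listing only hops that have any."""
    return {f"{f.source} -> {f.dest}": g for f in flows if (g := find_gaps(f))}


if __name__ == "__main__":
    for hop, gaps in gap_report().items():
        print(f"{hop}: {', '.join(gaps)}")
```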