Every DPDP compliance failure begins with the same sentence: “We didn’t know we had that data.” Data mapping is the discipline of finding out — comprehensively, systematically, and in a format you can defend to a Data Protection Board inquiry.
If you read only one module from this path before your organisation’s DPDP compliance programme begins, make it this one. Every other control — consent flows, rights responses, breach notifications, DPIAs — depends on knowing what personal data you have, where it lives, how it moves, and who touches it. Skip data mapping, and you’re guessing. Guesses don’t survive an audit.
This module is a 90-minute workshop. By the end you will have a data-map template you can adapt to your own organisation and the working methodology to run your first mapping exercise in 5–10 working days.
What a data map actually is
A data map is a structured inventory that answers seven questions for every element of personal data your organisation processes:
- What — the specific data element (e.g. email address, PAN number, bank account)
- Where from — the source (direct user input, Google OAuth, KYC vendor, bureau pull)
- Why — the business purpose (account creation, marketing, billing, fraud detection)
- Who — the internal teams and external parties who can access it
- Where it lives — primary storage + all copies (production DB, analytics warehouse, backups, logs, CRM)
- How long — retention period, triggered by what event
- Legal basis — which of the six DPDP grounds for processing applies
That’s it. Seven columns. The complexity comes not from the columns but from discovering every row — because every Indian organisation has more personal data flowing through more systems than the founders or the compliance team realise.
Why teams skip data mapping (and why that’s fatal)
Data mapping is unglamorous. It produces no code, no deliverable a customer sees, no dashboard a CEO shows investors. The temptation is to jump straight to the visible fixes — a new Privacy Policy, a consent banner, an “export my data” button — and skip the tedious inventory.
This is the single most expensive mistake an organisation can make. Here’s what a missed data-map row looks like:
- Your app uses Firebase Analytics. Firebase collects advertising identifiers (IDFA / AAID) which are personal data under DPDP. You don’t mention Firebase in your Privacy Policy. A Data Principal complains. Your Notice is now incomplete. ₹50 crore exposure.
- Your marketing team uploads a CSV of customer emails to Facebook’s Custom Audiences. That’s a cross-border transfer of personal data. Your data-processing agreements don’t mention Facebook. Section 16 cross-border compliance gap.
- A support agent exports a list of the last 500 tickets (with customer emails and phone numbers) to Excel for offline analysis. The Excel file sits on a personal laptop. The laptop is stolen. Section 8(5) security breach + Section 8(6) notification obligation.
Each of these happened because the data map didn’t include the flow. You cannot secure, govern, or notify about what you haven’t inventoried.
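The seven-column map and the missed-row problem above can be checked mechanically. The sketch below is an added example, not part of the original module: it loads a data map from CSV, flags rows that leave any of the seven questions unanswered, and lists systems found during discovery that no row mentions. The column names, sample rows and system list are constructed for illustration.

```python
import csv
import io

# The seven questions, as column names (the names are this example's choice).
COLUMNS = ["what", "where_from", "why", "who",
           "where_it_lives", "how_long", "legal_basis"]

# Constructed sample data map; every value is illustrative only.
SAMPLE_MAP = """what,where_from,why,who,where_it_lives,how_long,legal_basis
email address,direct user input,account creation,support; marketing,production DB; CRM,until account deletion,consent
phone number,direct user input,support tickets,support,production DB; helpdesk,,consent
advertising identifier,Firebase Analytics,product analytics,product,Firebase Analytics,14 months,
"""

# Constructed list of systems found during discovery (SDK manifests, vendor invoices, export logs).
SAMPLE_SYSTEMS = ["production DB", "CRM", "helpdesk", "Firebase Analytics",
                  "Facebook Custom Audiences", "support laptop Excel export"]

def load_map(text):
    """Parse the CSV and refuse a map that lacks any of the seven columns."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"data map lacks columns: {missing}")
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]

def incomplete_rows(rows):
    """Return {data element: [unanswered questions]} for rows with blank cells."""
    gaps = {}
    for row in rows:
        blank = [c for c in COLUMNS if not row[c]]
        if blank:
            gaps[row["what"] or "<unnamed>"] = blank
    return gaps

def unmapped_systems(rows, systems):
    """Systems seen in discovery that no row names as a source or a storage location."""
    mapped = set()
    for row in rows:
        for col in ("where_from", "where_it_lives"):
            mapped.update(p.strip().lower() for p in row[col].split(";") if p.strip())
    return [s for s in systems if s.lower() not in mapped]

if __name__ == "__main__":
    rows = load_map(SAMPLE_MAP)
    print("incomplete rows:", incomplete_rows(rows))
    print("unmapped systems:", unmapped_systems(rows, SAMPLE_SYSTEMS))
```

On the sample data, the two unmapped systems correspond to the Custom Audiences upload and the offline Excel export described above: flows that exist in practice but have no row in the map.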
The four-pass methodology
Don’t try to build a complete data map in one meeting. It won’t work. The human brain cannot hold enough simultaneously. Instead, run four successive passes — each pass catches what the previous one missed.