Last updated: April 29, 2026
Every DPDP compliance failure begins with the same sentence: “We didn’t know we had that data.” Data mapping is the discipline of finding out — comprehensively, systematically, and in a format you can defend to a Data Protection Board inquiry.
If you read only one module from this path before your organisation’s DPDP compliance programme begins, make it this one. Every other control — consent flows, rights responses, breach notifications, DPIAs — depends on knowing what personal data you have, where it lives, how it moves, and who touches it. Skip data mapping, and you’re guessing. Guesses don’t survive an audit.
This module is a 90-minute workshop. By the end you will have a data-map template you can adapt to your own organisation and the working methodology to run your first mapping exercise in 5–10 working days.
What a data map actually is
A data map is a structured inventory that answers seven questions for every element of personal data your organisation processes:
- What — the specific data element (e.g. email address, PAN number, bank account)
- Where from — the source (direct user input, Google OAuth, KYC vendor, bureau pull)
- Why — the business purpose (account creation, marketing, billing, fraud detection)
- Who — the internal teams and external parties who can access it
- Where it lives — primary storage + all copies (production DB, analytics warehouse, backups, logs, CRM)
- How long — retention period, triggered by what event
- Legal basis — which of the six DPDP grounds for processing applies
That’s it. Seven columns. The complexity comes not from the columns but from discovering every row — because every Indian organisation has more personal data flowing through more systems than the founders or the compliance team realise.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.