1. What to capture
- What personal data you hold and where it lives.
- Why you process it (purpose and lawful basis).
- Who it flows to (vendors, transfers).
- How long you keep it.
2. Start where the risk is
Begin with your highest-volume, most-sensitive systems — that’s where exposure and penalties concentrate.
3. Keep it alive
A data map is an operating capability, not a one-time document — update it as systems and vendors change.
How CyberSigma helps
We build your personal-data inventory and RoPA — the foundation for consent, rights, security and breach response.
This guide is educational and not legal advice. Requirements evolve — validate specifics against the current standard or regulation for your situation.
