Data mapping

Copyright © 2025 LexisNexis

Data mapping (finding out what personal data your organisation processes) is often cited as one of the first tasks to tackle in a data protection compliance plan.

Assimilated Regulation (EU) 2016/679, the UK General Data Protection Regulation (UK GDPR) requires data controllers and processors to have a written record of data processing activities and the records must be made available to the supervisory authority on request.

Data mapping can be an enormous and time-consuming task. Despite the challenges, understanding and documenting the purposes of processing, the processing that takes place and the data involved provides a great basis for UK GDPR compliance. ...

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

Existing user? Sign-in TAKE A FREE TRIAL
Powered by Lexis+®
Latest Risk & Compliance News

How Meta’s settlement of UK lawsuit can shape future pay-or-consent decisions

MLex: Meta’s settlement of a landmark UK lawsuit challenging its use of personal data for targeted ads on 21 March 2025 is already making waves: an advocacy group has asked US social-media company to stop showing targeted ads to users through automatic emails. The case is set to shape pay-or-consent talks as the European Commission is poised to adopt a decision in early April 2025 on whether this model—which Meta says it wants to develop, is compatible with EU rules.

OFSI extends bond restructuring licence and amends legal services provisions

The Office of Financial Sanctions Implementation (OFSI) announced two licence updates. General Licence INT/2023/2824812 covering bond amendments and restructurings for non-designated persons has been extended until 27 March 2026. OFSI also amended General Licence INT/2024/5334756 to clarify that legal services include dispute resolution activities and that ownership/control criteria apply only to companies under the designated person definition.

OFSI issues General Licence INT/2025/5787748

The Office of Financial Sanctions Implementation (OFSI) has issued General Licence INT/2025/5787748 under Regulation 64 of the Russia (Sanctions) (EU Exit) Regulations 2019, SI 2019/855 and Regulation 32 of the Republic of Belarus (Sanctions) (EU Exit) Regulations 2019, SI 2019/600. This General Licence allows payments to be made to Arbitration Associations and Arbitrators to cover fees and expenses for their arbitration services. It also permits payments to be made to a designated person’s representative or legal representative to cover Arbitration Costs. General Licence INT/2022/1552576 relating to the London Court of International Arbitration (LCIA) Arbitration Costs was revoked following the issuance of the new Arbitration Costs General Licence.

ICO releases new guidance on anonymisation and pseudonymisation techniques

The Information Commissioner's Office (ICO) has published comprehensive guidance on anonymisation and pseudonymisation techniques on 28 March 2025, accompanied by a webinar scheduled for 22 May 2025. The guidance explains anonymisation and pseudonymisation concepts, outlines data protection obligations, and provides practical advice on implementing appropriate technical measures. It specifically addresses organisations using or considering anonymising personal data, including artificial intelligence developers, and details risk mitigation strategies for protecting individual privacy.

View Risk & Compliance by content type :
News
Practice notes
Precedents
Q&As

Popular documents

Training materials—GDPR and data protection compliance—for staff

Training materials—GDPR and data protection compliance—for staffThis Precedent presentation has been designed as an aid to train your staff on the general principles of data protection and how to manage this in the workplace. This Precedent is of general application, but incorporates the

How do I calculate the time limit for responding to a data subject request?

How do I calculate the time limit for responding to a data subject request?The General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR) provides for enhanced rights for data subjects, including providing rights of access, rectification, erasure and restriction of processing, data

Data subject access request form

Data subject access request formPlease complete this form if you wish to request access to your personal data. You do not have to use this form, but it will help us to deal with your request as quickly and effectively as possible if you do.You can also use this form if you are requesting access to

Refusing a data subject request—what is ‘manifestly unfounded or excessive’?

Refusing a data subject request—what is ‘manifestly unfounded or excessive’?The General Data Protection Regulation (GDPR) provides for enhanced rights for data subjects, including providing rights of access, rectification, erasure and restriction of processing, data portability, a right to object to
Training materials—GDPR and data protection compliance—for staff

Training materials—GDPR and data protection compliance—for staff

Training materials—GDPR and data protection compliance—for staffThis Precedent presentation has been designed as an aid to train your staff on the general principles of data protection and how to manage this in the workplace. This Precedent is of general application, but incorporates the