Data Mapping for GDPR, CCPA and Privacy Regulations

Cyber security and privacy experts from Kroll lead CCPA and GDPR data mapping exercises to identify and catalog crucial data categories, elements and processing activities, helping meet different regulatory requirements.


The California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR) mandates for detailed data inventories are now reflected in many other privacy regulations worldwide and continue to pose a significant challenge for organizations of all sizes. Whether you’re looking for specific assistance with Article 30 compliance or need a robust solution to meet multi-jurisdictional requirements, Kroll experts deliver accurate and efficient data inventory solutions.

Leveraging frontline expertise from thousands of cyber security investigations and hundreds of detailed cyber risk assessments every year, our security and privacy experts know the questions to ask and the stones to uncover to help your organization understand, describe and identify how protected data flows within your systems, to and from vendors and internationally. Our extensive data mapping solution provides a deeper understanding of data ingestion, storage and security and helps better document the business reasons for its retention and use.

How We Approach Data Inventory Projects

Watch as Jonathan Fairtlough, a managing director in our Los Angeles office, gives a brief overview of our approach to data mapping.


Key Data Mapping Answers We Collect

Most data mapping regulations specify the documentation and management around fundamental questions covering the entire data lifecycle, such as:

  • What data is collected, where is it stored, for how long and who has access to it?
  • Is the data transferred outside of the organization or outside of the country (and where)?
  • What security controls exist around data collection, sharing and storage?
  • How is the data processed and what is the legal basis or business reason for processing that data?
  • Is the data considered sensitive?
  • How is the data transfer protected?

Our experts initially focus on understanding as much as possible about your environment to prioritize the most sensitive systems before examining additional areas. We follow a five-step process that is customized to fit the regulatory requirements of your organization.

Identifying Protected Information 

Kroll will assist your organization in determining how to best categorize the protected information (as defined by your legal team) held by your organization. With the plethora of information that an organization may hold, it is important to understand the types of protected information you have, whether it’s considered sensitive, the business reasons for processing it and where it is stored and for how long. Kroll will work with your legal team to determine the appropriate categories of data that may include, but are not limited to: 

  • The nature and types of the protected information
  • Location (e.g. databases, applications)
  • Categories of sources
  • Internal access rights
  • Forms of collection
  • Data flows, including transfers to affiliates, service providers and internationally

Questionnaires and Document Reviews

Effective data maps require input from almost all departments but especially IT, information security, legal, compliance, marketing and human resources. Kroll will deploy questionnaires to key stakeholders to elicit information on critical information assets, systems and security processes.

Additionally, Kroll will request documentation regarding policies and procedures governing the security and use of the information under the various data privacy regulations. Our practitioners will examine receipts, storage, handling and management of the protected data.


Deploy Data Mapping Software

Based on the questionnaire responses and the document review, Kroll’s experts work with your organization’s IT personnel to configure and deploy the data mapping software that will identify and document structured protected information.


Onsite Visits 

Kroll experts perform interviews with stakeholders to verify conclusions drawn from the questionnaire and the data mapping software findings. They will fill in gaps and perform a visual walk-through of the protected information’s data lifecycle on your organization’s systems.


Deliver Completed Data Mapping and Template 

Kroll experts will leverage questionnaires, existing documentation, data mapping software results and onsite information to build a full data map and inventory and establish a template upon which your privacy professionals can make ongoing adjustments. 


Beyond Compliance, Data Mapping is a Good Business Practice

While the initial mandate for a data mapping exercise may come from GDPR or other privacy regulations, such efforts often uncover practices organizations had forgotten about or didn’t even know existed. Our experts have helped a client identify terabytes of sensitive data, posing a tremendous legal, financial and reputational risk in the event of a data breach, simply because a retention policy had not been fully configured. 

Data mapping provides great clarity that will ensure your risk management team can make informed decisions. Kroll experts will help manage your data inventory to optimize data security, better understand your data flows and achieve regulatory compliance. Take the extra steps today in mapping your data to protect your organization tomorrow. Talk to a Kroll expert. 

