Your Ethyca Data Map Guide

How to build your compliant Data Map in Ethyca

What is Data Mapping?

Data mapping is the process of keeping an inventory of the personal data in your business systems. An up-to-date data map is vital for compliance with modern data privacy regulations.

You might hear a data map called a data flow map, a data inventory, an Article 30 Recording of Processing Activity (RoPA) (under GDPR), or a personally identifiable information disclosure (under CCPA). However, the concept is the same: a thorough record of the data processing that your company conducts.

Data mapping requires answers to basic questions including:

  • What personal data does my company collect?
  • When does my company erase this data?
  • Why does my company collect and process this data?
  • How does my company process this data?
  • Besides my company, who else receives this data?

Getting Started with Data Mapping

First, you'll want to define the purposes of use or processing activity for each integration with your Data Use Cases. Each data use case states the purpose for which you are collecting personal information. Are you collecting personal data for Customer Service? Email Marketing? Processing Payments? Conducting Product Research? Once each use case has been added into Ethyca, you'll be on your way to building a comprehensive map of your business systems.

Next, Ethyca uses Data Integrations as the primary way to inventory data across your known systems. An Integration acts like a bridge to connect with third-party systems. Once you complete the Integration's Data Mapping tab with detail on how and why your company uses each system, you can link them back to the relevant data use cases (or purposes of use).

Ethyca then uses Atlas Connections as the way to connect your internal datastores back to your data map. Once you deploy Ethyca's Atlas, your Atlas Connection will generate in your Control Panel and you can add in the required fields for generating your data map.

Finally, add your internal privacy contact and Company Security Policy into your Organization Admin Settings to ensure up-to-date reporting.

Exporting your Data Map

Once you have added all the relevant information into Ethyca, you'll start to see a comprehensive table of data relationships across your company. This output, downloaded as a CSV, answers all of the criteria for GDPR compliance, including:

  • Data Processing Activities: What application processes this data?
  • Data Classes: What categories of personal data are being processed?
  • Associated Software and Data Stores
  • Retention Period: How long is this data stored?
  • Transfer to Third Countries: What other countries access this data?
  • Categories of Data Subjects: Who provides this data?
  • Categories of Recipients: Who will receive this data?
  • Company Security Policy: What organizational security measures does your business have in place?

This is available at the bottom of the "Datamaps" section - just click Download Report!

GDPR’s Article 30 RoPA vs. Ethyca’s Data Map Guide

GDPR Legislation | Term in Ethyca | Input Location in Ethyca
The name and contact details of the controller | Privacy Contact | Admin Settings - Organization
A description of the categories of personal data | Data Categories and Classes | Data Use Cases
The purposes of the processing - why you use personal data, e.g. customer service, marketing, recruiting | Data Processing Activity | Data Use Cases
Retention schedule (if applicable) | Retention Period | Integrations - Data Mapping, Atlas Connections
Names of countries or international organizations that personal data is stored or accessible from | Transfer to Third Countries | Integrations - Data Mapping, Atlas Connections
A category of subjects - the different types of subjects whose personal data is processed, e.g. employees, customers | Categories of Data Subjects | Integrations - Data Mapping, Atlas Connections
The categories of recipients of personal data - anyone you share personal data with, e.g. suppliers, credit reference agencies, etc. | Categories of Recipients | Integrations - Data Mapping, Atlas Connections
A general description of the technical and organizational security measures, e.g. encryption, access controls, training. | Company Security Policy | Admin Settings - Organization


If you have any questions about your account, please reach out to [email protected] for support.