Why Mapping Personal Data in SMEs Is Important
Many SMEs believe that complying with the GDPR starts with lengthy policies, consent forms or legal notices on their website. In practice, it almost always starts elsewhere: clearly understanding what personal data exists within the organisation, where it is located, why it is processed, who accesses it, how long it is retained and with whom it is shared.
Without this map, the GDPR becomes a confusing exercise. With this map, it becomes a much more rational task.
This is precisely where personal data mapping and the record of processing activities come in. These two elements serve as the operational foundation of compliance: they help make decisions, reduce risk, prepare responses to data subjects’ requests, review contracts with processors, correct excessive data collection and demonstrate accountability.
For an SME, this is particularly important. Unlike large organisations, small and medium-sized enterprises tend to have fewer resources, less in-house expertise and a greater overlap of roles. The same employee may manage clients, suppliers, the website, invoicing and recruitment. Without a structured overview of processing activities, it is very easy to end up with unnecessary data collection, data duplication, excessive retention, misallocated permissions or the use of cloud tools without proper control.
The good news is that you don’t need to overcomplicate things. A well-executed mapping exercise doesn’t have to be bureaucratic or academic. It needs to be useful.
Why data mapping comes before almost everything
Before reviewing consents, updating privacy notices or deciding whether you need an impact assessment, your organisation needs to answer some very simple questions:
- What personal data do we process?
- In which processes?
- For what purpose?
- On what legal basis?
- Who has access?
- Where is it stored?
- With whom is it shared?
- How long do we keep it?
- What risks does it pose?
If the company cannot answer these questions consistently, then it is working in the dark. And when you work in the dark, compliance becomes reactive: you only discover breaches when there is a complaint, a data leak, an audit, a request for access or an employee leaving.
Data mapping does the opposite.
It brings visibility.
And visibility enables control.
What, after all, is personal data mapping?
Mapping personal data means identifying and documenting the flows of personal information throughout the organisation. It is not just a matter of listing databases. It is about understanding the data lifecycle.
For example, in the recruitment process, an SME might collect CVs via email, download attachments to a local folder, share profiles with management, record notes in Excel and, if hiring the person, transfer some of the information to HR software. All of this constitutes a flow of personal data.
In another process, such as marketing, the company may collect contacts via its website, integrate them into an email marketing platform, segment campaigns, measure opens and clicks, and synchronise information with a sales CRM.
Each of these flows constitutes a processing operation or a linked set of processing operations. The aim of mapping is to make them visible, understandable and manageable.
What is the record of processing activities?
The record of processing activities is the structured document where the organisation consolidates this information. It is, in practice, the living inventory of personal data processing operations.
It should not be viewed as a mere file to ‘show in the event of an audit’. It should be a governance tool. A good record helps answer business and compliance questions, such as:
- Is this collection necessary?
- Do we have an appropriate legal basis?
- Are we informing data subjects correctly?
- Are there any processors involved?
- Are there any international transfers?
- Does the retention period make sense?
- Do we need to review access rights?
- Does this processing require enhanced measures?
- Is there a high risk to data subjects?
When the register is clear, it becomes much easier to align legal, IT, HR, marketing, operations and management.
Common mistake in SMEs: trying to map by systems rather than processes
A frequent mistake is to start with the software: “We have Outlook, Excel, CRM, ERP, a website and Dropbox.” This helps, but it is insufficient.
The GDPR looks at processing activities, not just applications. Therefore, the most effective starting point is to map by business processes, for example:
- Recruitment and selection
- Employee contract management
- Payroll processing
- CCTV
- Customer management
- Invoicing and collections
- Customer support
- Marketing and newsletters
- Supplier management
- Physical access control
- Management of requests to exercise rights
- Cookies and analytics on the website
When you start with processes, the company gains a better understanding of the context, the purpose, the stakeholders and the data lifecycle. Only then should you link the systems used in each process.
How to carry out mapping in a practical way in an SME
The best approach for an SME is simple: short, realistic and iterative.
1. Identify the areas where personal data is processed
Almost all SMEs process data across five main areas:
Human Resources
CVs, contracts, attendance, salaries, appraisals, occupational health, emergency contacts.
Sales and customers
Lead contacts, proposals, contracts, CRM, communication history, invoicing, support.
Marketing
Website forms, newsletters, campaigns, cookies, landing pages, events, social media.
Operations and suppliers
Partner contacts, service providers, bank details, contracts, platform access.
IT and security
User accounts, logs, backups, permissions, devices, access control, video surveillance.
Starting with these blocks helps to create an initial map that is sufficiently comprehensive without wasting time on excessive detail.
2. Talk to those who know the actual process
It is not enough to analyse documents. You need to talk to those who carry out the work.
Often, the formal procedure says one thing and daily practice says another. The HR manager may say they delete CVs after a certain period, but in practice there may be an old shared folder containing dozens of files that have never been reviewed. Marketing may say they only send campaigns to contacts who have given consent, but there may be historical imports of lists from trade fairs or old forms.
Short interviews with the managers of each department are one of the most effective ways of discovering the operational reality.
3. Record the minimum useful information for each processing operation
For each processing activity, the SME should seek to document at least:
- Name of the processing operation
- Responsible department
- Purpose
- Categories of data subjects
- Categories of personal data
- Legal basis or applicable grounds
- Recipients or categories of recipients
- Processors involved
- International transfers, if any
- Retention period
- Technical and organisational measures
- Systems or locations where data is processed
- Risk observations and improvement actions
This does not need to be overly legalistic. It needs to be clear, consistent and sufficiently detailed to enable management.
4. Map the data flow
Always ask:
- Where does the data enter?
- Who receives it first?
- Where is it recorded?
- Who accesses it?
- Who modifies it?
- With whom is it shared?
- When is it archived?
- When is it deleted?
These questions help to uncover duplication, unnecessary access and weaknesses. Many companies realise at this stage that the same data exists in emails, Excel, CRM systems, local folders and third-party applications without any need.
5. Assess proportionality
Once the processing has been mapped, you must assess whether the collection is appropriate. This is where the GDPR moves beyond mere documentation and begins to improve processes.
Example: a contact form asks for name, email, telephone number, company, job title, full address, sector, number of employees and message. Is all of this necessary to respond to the request? Probably not.
Example: a recruitment process retains copies of identification documents right from the initial stage. Is this justified? Often, no.
Mapping also serves to eliminate excesses.
Practical example: data processing in recruitment
Imagine an SME with 25 employees that receives applications by email and via a form on its website.
A simple record of this processing could include:
Process name: Recruitment and selection
Purpose: To assess applications and fill vacancies
Data subjects: Applicants
Data processed: Name, contact details, CV, professional experience, education, portfolio, interview notes
Legal basis: Pre-contractual steps and legitimate interest in recruitment management, as applicable
Recipients: HR, management, recruitment team leaders
Processors: Email platform, web hosting, any recruitment software
Retention period: Defined in accordance with internal policy and applicable legal basis
Systems: Email, secure folder, website form, HR software
Measures: Access control, sharing restrictions, retention policy, periodic deletion
Identified risks: CVs scattered across email inboxes; lack of a deletion routine; informal sharing with multiple decision-makers
This exercise alone delivers immediate value. The company realises where to take action: centralise receipt, restrict access, formalise retention and reduce ad hoc sharing.
Practical example: marketing and newsletters
Another very common scenario in SMEs is data processing for marketing communications.
Processing name: Management of newsletters and marketing campaigns
Purpose: Sending promotional and informational content
Data subjects: Leads, subscribers, business contacts
Data processed: Name, email, company, role, interaction history
Legal basis: Consent or other applicable basis depending on the context
Recipients: Marketing team, sales team, email platform provider
Processors: Email marketing tool, CRM, website hosting
Retention period: Defined by the organisation’s policy, with periodic review
Systems: Web forms, campaign platform, CRM
Measures: Recording the source of contacts, preference management, opt-out mechanisms, list review
Identified risks: Old contacts with no proof of origin; automatic synchronisation between tools; lack of review of inactive contacts
Here too, the record is not an end in itself. It exposes operational weaknesses that affect compliance, reputation and commercial effectiveness.
What SMEs discover when they carry out this exercise
In most projects, the initial mapping reveals the same patterns:
Excess data
Forms and processes collect more than is necessary.
Undefined retention periods
The company “keeps everything” because it has never decided what to delete and when.
Excessive sharing
Personal data circulates via email and shared folders without control.
Poorly inventoried processors
There are cloud tools processing data without proper contractual assessment.
Unclear legal basis
There are data processing operations based on “consent” when this may not be the most appropriate basis, or vice versa.
Scattered records
Information is spread across departments and no one has the full picture.
These findings do not signify failure. They signify growing maturity. An SME improves when it begins to see what was previously invisible.
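As an added illustration that is not part of the original article, the minimum fields from step 3 and the recurring findings above can be turned into a small checker that runs over a register. The schema, the undefined-value list and the two boolean flags are assumptions made here; the sample record is constructed from the article's recruitment example.

```python
from dataclasses import dataclass

# Minimum fields the article lists per processing activity; the last two are assumed extras for the checks.
@dataclass
class ProcessingRecord:
    name: str
    department: str
    purpose: str
    data_subjects: list[str]
    data_categories: list[str]
    legal_basis: str
    recipients: list[str]
    processors: list[str]
    international_transfers: list[str]
    retention_period: str
    measures: list[str]
    systems: list[str]
    transfer_safeguards: str = ""
    processor_contracts_reviewed: bool = False

UNDEFINED = {"", "tbd", "to be defined", "undefined", "indefinite"}

def check_record(r: ProcessingRecord) -> list[str]:
    # Each check corresponds to one of the recurring findings the article lists.
    findings = []
    if r.retention_period.strip().lower() in UNDEFINED:
        findings.append("undefined retention period")
    if r.legal_basis.strip().lower() in UNDEFINED:
        findings.append("unclear legal basis")
    if r.processors and not r.processor_contracts_reviewed:
        findings.append("processors without contractual assessment")
    if r.international_transfers and not r.transfer_safeguards.strip():
        findings.append("international transfer without recorded safeguards")
    if "email" in {s.lower() for s in r.systems} and len(r.systems) > 2:
        findings.append("data scattered across email and several other systems")
    return findings

def check_register(records: list[ProcessingRecord]) -> dict[str, list[str]]:
    return {r.name: check_record(r) for r in records}

# Constructed sample: the article's recruitment example, with the gaps it describes.
RECRUITMENT = ProcessingRecord(
    name="Recruitment and selection", department="HR",
    purpose="Assess applications and fill vacancies", data_subjects=["Applicants"],
    data_categories=["Name", "Contact details", "CV", "Interview notes"],
    legal_basis="Pre-contractual steps", recipients=["HR", "Management", "Team leaders"],
    processors=["Email platform", "Web hosting"], international_transfers=[],
    retention_period="", measures=["Access control"],
    systems=["Email", "Secure folder", "Website form", "HR software"],
)
```

Running `check_register([RECRUITMENT])` lists the retention, processor and scattering gaps for the sample record; a record with a defined retention period, reviewed processor contracts and a single storage location yields an empty list.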
The register must be dynamic, not static
Another common mistake is to create the register once and never touch it again.
But data processing evolves. The company changes its software, opens a new sales channel, creates a new landing page, starts using electronic signatures, hires a new payroll provider, installs cameras, enters a new market or changes its onboarding process.
Whenever the business changes, the data map changes too.
Therefore, the record must have an owner, a review routine and a link to real decisions. It does not need to be reviewed every day, but it does need to be reviewed whenever there are relevant changes and within minimally defined governance cycles.
Who should ‘own’ this work within an SME
In an SME, the most dangerous mistake is to assume that this is solely the responsibility of the legal department or of IT.
In reality, personal data mapping requires coordination between:
- Management
- HR
- Sales and marketing
- Operations
- IT
- Privacy / compliance, where a dedicated role exists
Even when external support is available, knowledge of the process lies within the company. iPrivacy.eu can help to structure the process, facilitate interviews, design the register, identify gaps and prioritise improvements, but the quality of the outcome also depends on the involvement of internal stakeholders.
In broader contexts of governance, internal control and framework implementation, this approach can also be combined with complementary services from iCompliance.eu, particularly when the organisation aims to integrate privacy with information security, compliance and risk management in a more cross-functional manner.
How to turn mapping into concrete actions
A good inventory should generate a simple improvement plan. For example:
- Remove unnecessary fields from forms
- Formalise retention periods by process
- Review access permissions
- Centralise storage rather than keeping files scattered
- Update contracts with processors
- Improve information provided to data subjects
- Review consent collection mechanisms
- Record international transfers and their safeguards, where applicable
- Prepare procedures for responding to requests for access, rectification or erasure
In other words, the mapping is not just a snapshot. It is the basis for a realistic compliance roadmap.
Signs that your SME urgently needs this exercise
There are some clear warning signs:
- The company does not know exactly how many tools process personal data.
- There is no up-to-date inventory of processing activities.
- Online forms have grown over time without review.
- CVs arrive via various channels and are stored indefinitely.
- Teams share contact lists without checking their source.
- There is no clarity on who can access what.
- Data subjects’ requests are handled on a “case-by-case” basis, without a defined process.
- The organisation relies on informal knowledge rather than reliable minimum documentation.
If you recognise two or three of these signs, personal data mapping should be among your immediate priorities.
The right balance: sufficient to demonstrate control, simple to maintain
Effective compliance in an SME is not achieved with massive documents. It is achieved with the right documentation, at the right level.
The record of processing activities should be:
- clear to those who use it;
- sufficiently comprehensive to demonstrate accountability;
- aligned with operational reality;
- easy to update;
- useful for business and risk decisions.
If it is too simplistic, it is of no help. If it is too complex, nobody will maintain it. The right balance is essential.
Conclusion
Mapping personal data in SMEs is not a secondary formality. It is the foundation of almost every privacy programme. Without it, the company operates on intuition. With it, it gains a basis for deciding, correcting, prioritising and demonstrating accountability.
Creating a record of processing activities does not mean turning the SME into a bureaucratic machine. It means giving it visibility over what it already does, identifying excesses, closing gaps and reducing risk intelligently.
In practice, organisations that do this work well are not only better prepared for the GDPR, but also improve internal organisation, operational control, information quality and trust among customers, employees and partners.
If your company does not yet have a clear overview of the personal data it processes, this is probably the most useful next step to take.
Next steps
At iPrivacy.eu, we help SMEs translate the GDPR into clear, proportionate and sustainable processes.
If you need support to map processing activities, create the record of processing activities, or review legal bases, retention periods, processors and control measures, request a privacy assessment to quickly identify what needs to be addressed first.