A data map is the single most useful document for a customer security questionnaire, an ICO conversation, or your own peace of mind. UK GDPR Article 30 requires most businesses to keep a record of processing activities. Update annually.
How to use this: The bracketed items like [Company Name] are placeholders — replace them with your own details. Edit the wording to suit your business. This is a starter, not legal advice.
Customer data
| What | Names, emails, phones, addresses, orders, payments |
| Where | M365 SharePoint; Xero; HubSpot; [note any laptop / off-system locations] |
| Who reads | [Sales (5), Finance (2), Directors (3)] |
| Legal basis | Contract / Legitimate interest |
| Retention | 6 years (HMRC) or earlier on request |
Employee data
| What | Names, addresses, NI numbers, bank details, payroll |
| Where | HR system; payroll provider; M365 |
| Retention | 6 years after leaver date |
Financial data
| What | Invoices, ledgers, payments, reconciliation |
| Where | Xero; bank portals; M365 |
| Retention | 6 years (HMRC) |
Supplier data
| What | Contracts, contacts, IBAN / sort codes |
| Retention | 7 years after contract end |
Tips for adoption
- Do it on paper first.
- Walk it past your accountant and HR lead.
- Update annually.