A data map is the single most useful document for a customer security questionnaire, an ICO conversation, or your own peace of mind. UK GDPR Article 30 requires a record of processing activities; the exemption for organisations under 250 staff falls away as soon as processing is more than occasional or touches special category data, so in practice most businesses need one. This is yours.
How to use this: The bracketed items like [Company Name] are placeholders — replace them with your own details. Edit the wording to suit your business. This is a starter, not legal advice.
Customer data
| Item | Detail |
|---|---|
| What | Names, emails, phones, addresses, orders, payments, support history |
| Where | Microsoft 365 SharePoint; Xero; HubSpot; [note any laptop / off-system locations to fix] |
| Who reads | [Sales (5), Finance (2), Directors (3)] |
| Who deletes | Finance lead, IT admin |
| Legal basis | Contract (orders, payments, support) / Legitimate interest (account management); marketing email needs consent or the PECR soft opt-in |
| Retention | Order and payment records: 6 years after the end of the financial year (HMRC). Contact and support data: delete on request or after [X] years of inactivity. An erasure request does not override the HMRC retention for transaction records (Article 17(3)(b)) |
| Risks | [Spreadsheet on laptop: move to SharePoint by [date], then delete the local copy] |
Employee data
| Item | Detail |
|---|---|
| What | Names, addresses, NI numbers, bank details, payroll, sickness records (health data, special category), contracts |
| Where | [HR system, payroll provider, M365 Documents (admin only), filing cabinet] |
| Who reads | HR (2), Directors (3), Payroll provider (processor) |
| Who deletes | [HR lead] |
| Legal basis | Contract / Legal obligation; sickness records additionally rely on the Article 9 employment condition |
| Retention | 6 years after leaver date |
| Risks | [Filing cabinet: what can be digitised, and is it locked with a named keyholder?] |
Financial data
| Item | Detail |
|---|---|
| What | Invoices, ledgers, supplier payments, bank reconciliation |
| Where | Xero; bank portals; M365 SharePoint finance folder |
| Who reads | Finance (2), Directors (3), Accountant (external) |
| Who deletes | [Finance lead] |
| Legal basis | Legal obligation (HMRC) |
| Retention | 6 years (HMRC), longer for grants / loans |
| Risks | External accountant access: is it a named account rather than a shared login, is MFA enforced on it, and is it reviewed at year end and removed when the engagement ends? |
Supplier data
| Item | Detail |
|---|---|
| What | Contracts, contact details, account numbers, IBAN / sort codes |
| Where | M365 SharePoint contracts folder; email; HubSpot |
| Who reads | [Finance (2), Directors (3)] |
| Who deletes | [Finance lead] |
| Legal basis | Contract / Legitimate interest |
| Retention | 7 years after contract end |
| Risks | IBANs and sort codes in email are the classic payment-redirection (invoice fraud) vector. Keep the authoritative bank details in Xero, and verify any change-of-details request by phone on a number you already hold, never one taken from the email |
Cross-cutting
- Where is the data backed up, and has a restore been tested? [answer]
- Who has admin access to each system, and is MFA enforced on those accounts? [answer]
- Which of these are processors (payroll provider, HubSpot, Xero, external accountant), and is there a written contract / DPA with each (Article 28)? [answer]
- Does any of it leave the UK (for example US-hosted SaaS)? Note the transfer mechanism. [answer]
- What's the breach plan? See the Incident Response Plan. A reportable breach must reach the ICO within 72 hours of becoming aware of it.
Tips for adoption
- Do it on paper first. The shape matters more than the polish.
- Walk it past your accountant and HR lead for missing items.
- Update annually, and whenever you add a system, a supplier, or a new category of data.