LGPD - How important is the Data Map?

August 28, 2020

* Yuri Carneiro

Under the General Data Protection Act (LGPD), the Personal Data Map or Inventory is a document that lists which organizational processes carry out personal data processing activities and shows the entire life cycle of that data. This material is extremely important: it lets the organization see clearly in which internal and external processes personal data is processed and what data is involved. It is also required by Art. 37 of the LGPD, which determines that the controller and the operator must keep a record of the personal data processing operations they perform.

The personal data mapping process

The data mapping process can be carried out in several ways, for example, through a Top Down analysis - interviews with each of the organization's business areas or questionnaires filled in by those responsible - or through a Bottom Up analysis - by means of Data Discovery tools that scan the company's equipment to indicate what personal data exists. The two analyses complement each other, and their results can be consolidated to compose the Data Map, taking into account the entire information life cycle, that is:

  • Collection: personal data must comply with the principles of necessity and purpose;
  • Processing: can only be carried out in the cases provided for in Article 7 of the LGPD;
  • Sharing: holders must authorize sharing and have the right to know with whom the data is shared;
  • Storage: personal data must have a data retention calendar;
  • Reuse: at each change of purpose, the Holder must give new consent to the Controller;
  • Disposal: data must be discarded after the end of its processing and purpose.

The law also requires that the processing of personal data obey ten principles, according to Article 6 - Purpose, Adequacy, Necessity, Free Access, Data Quality, Transparency, Security, Prevention, Non-Discrimination, and Responsibility and Accountability - and each processing activity must be associated with a legal basis that justifies and demonstrates the organization's need to carry out that activity. According to Article 7, processing can only be carried out in the following cases:

  • Consent by the holder;
  • Compliance with legal or regulatory obligation;
  • By the public administration, for the treatment and shared use of data necessary for the execution of public policies provided for in laws and regulations or supported by contracts, agreements or similar instruments;
  • For carrying out studies by a research body;
  • Contract execution;
  • Regular exercise of rights in judicial, administrative or arbitral proceedings;
  • Protection of the life or physical safety of the holder or third parties;
  • For the protection of health;
  • Legitimate interests of the controller or third parties;
  • Credit protection.

In a Top Down analysis, after the interviews are finished or the questionnaires are filled out by those responsible for the areas that carry out personal data processing activities, we will have a file containing at least:

  • A description of the treatment process and activities;
  • Personal data processed during the execution of the process;
  • Legal basis associated with the treatment;
  • Origin of Personal Data;
  • Whether or not there is Sensitive Data associated with the treatment;
  • Whether or not there is periodic review of the data;
  • Whether or not there is a data retention schedule;
  • Information disposal policy;
  • Information systems involved in processing;
  • Who has access to the data;
  • Who it is shared with and how it is shared.

This data mapping will serve as the basis for preparing the personal data protection impact report, which can be requested by the National Data Protection Agency (ANPD) at any time, as per Article 38. This report is the controller's documentation describing the personal data processing operations that may generate risks, as well as the measures, safeguards and risk mitigation mechanisms.


The Personal Data Map or Inventory is an important tool in the implementation of the LGPD in your organization, as it is from it that we understand where the risks associated with the processing of personal data lie in each of the company's processes. In addition, it is required by law and, therefore, of paramount importance to ensure the legal compliance of your company.

* Yuri Carneiro is a GRC and Information Security Specialist at SAFEWAY

