In terms of the GDPR, it is important that schools understand their ‘data ecosystems’, as this will aid schools in ensuring they are compliant with the legislation. Data ecosystems refer to the places that personal data is stored and used in a school. A school needs to be aware of what personal data it is processing, so that it can establish whether the data is being processed in compliance with the GDPR.

Creating a data flow map will highlight any gaps in compliance and areas of oversight, making it a critical first step to compliance under the GDPR. This guidance document includes a step-by-step process for how to start and create a data map, the key considerations and some top tips.


How to start

Step one: Collate the school’s data

The first thing that should be done is an audit of the data that the school holds. Schools need to consider the data that they hold, the formats that it is kept in, the method by which it will be transferred, who is accountable for it, who has access to it and where it is located. Schools should collate this information, as it is vital that a school has a firm understanding of the data that it holds in case there is ever a breach.

Step two: Categorise your data

Next, schools should consider the types of personal data that they record or use. These should be put into categories such as, but not limited to, the following:

  • Safeguarding
  • HR
  • SEND

The DfE have provided a list of examples on page 11 of the Data protection: a toolkit for schools.

Step three: The data’s lifecycle

An essential step to begin creating a data map is to have a session, involving a wide range of members of staff from all departments, in which the following are considered:

  • The data sent to the school
  • The data that the school creates
  • The data that is passed from the school

Think about each item of data that was listed when completing step one and ask ‘how was this received?’ and ‘will it be sent on?’.

Step four: Capture the information

The information from steps one to three should then be collated and captured. Do this by creating a table similar to the one below.

For example, focussing on the safeguarding category, enter the items of data, e.g. pupils’ names, into the ‘Item of data’ column. For each item, ask where the data came from and whether it was created by the school. Finally, ask whether the data will be sent, and where to. Are there circumstantial factors that will affect whether the data is sent, as there are with CCTV?


| Item of data | How was it received? | Was it created? | Will it be sent? |
|---|---|---|---|
| Pupil data, e.g. name, gender and address | Parent registration form; previous school | N/A | Pupil record sent to another school |
| CCTV footage | N/A | Created using CCTV systems | N/A unless requested by police |
| Staff data, e.g. name, age and qualifications | Previous employers; recruitment agencies; employees | Personnel file | To next employer |
| Salary information | N/A | Personnel file | N/A |
| SEN assessment | Parent registration form | SENCO’s report | Next school |
| EHC plan | Previous school | Developed by SENCO | Next school |

This table can be taken further still by including a ‘Destroyed’ column, where the school can outline when the pieces of data will be removed from their systems, if appropriate. For example, in terms of CCTV, the footage would be deleted in line with the school’s CCTV Policy.

Step four helps to map where data flows into and out of the school, as well as collating all the types of data that are held within the school. This process will help to identify the interaction points between data and relevant parties, which should highlight any unforeseen or unintended uses of data.

Top tip: involve a broad range of staff in this process as different people will be familiar with different categories of data, meaning that gaps are more likely to be identified.

The mind-map below is a simple demonstration of how a data map aims to work; a more detailed example can be found here. The diagram gives some examples of where data can come from and go to, and asks some key questions about holding data. Mind-mapping provides a more visual demonstration of mapping out a school’s data and should aid schools in establishing their data ecosystem. Below is an example:


To use this mind-map effectively, schools should consider where the data came from, how it is held, how it is used and who uses it, and, if this data item is sent from the school, to whom it is sent and how they will use it. Watch GDPRiS’s YouTube video for another demonstration.

Making the map

Once a school has their categories of data established and understands how data flows into and out of the school, some key considerations need to be taken into account:

  • Identify where the data is being collected from and the circumstances under which it is being collected.  
  • Consider any technical or organisational safeguards that are in place to protect the rights and freedoms of data subjects.
  • Clarify how the data has been collected.
  • Establish the location of the data and how it is stored.

A thorough understanding of the data associated with the school is required in order to create an effective data map. When this is established, convert the table in step four into a visual map of the data systems and how the data flows into and out of the school.

Mind-maps or flowcharts are visual and easy-to-follow examples of how to set out the data map. The main aim of a data map is to allow a school to track data, showing its full lifecycle, so that nothing is overlooked or incorrect.

Building a picture for the data landscape

Using the information gathered at step four, take the categories of data and try to establish what their ‘journey’ is. Where did the data come from? Where is it stored within the school? Does the school send it on to anywhere else?

Each category, e.g. safeguarding or HR, should have its own map. The map will show where the data came from, which system(s) within the school hold the data and where the data may be sent to from the school. An example map can be seen here.

Top tips

Remember the focus is on personal data – data that can identify an individual. Whilst this process can be done for other data assets, the GDPR prioritises personal data.

A school needs to be aware of whether it has ‘middleware’ or ‘data integrators’ that extract data from the school’s management information system (MIS) to be used in other systems. If it does, it is vital that the school is aware of what information is being extracted from the MIS and how it is being used and/or shared with other systems.

Schools need to assess how their liability may be affected by the actions of any third-party suppliers. To mitigate risks, it is important to exercise due diligence and ensure that they have an up-to-date data processing agreement in place with these suppliers.

Be sure to review the school’s ICT security policies in light of what the data map highlights, such as outdated processes or aspects that were overlooked when the policies were established.

The data map created will be an ‘as is’ document and will help schools to understand the range of personal data held in the school, how it is used and who it is shared with. This does not mean that the school is compliant with the GDPR. The steps taken after the data map will build on this knowledge to pinpoint areas of weakness or potential issues, which, once rectified, should lead to a school acting in accordance with the GDPR.


Example map

Below is a filled in example of how a data map could look. This is a basic data map of personal data. The data source should have arrows connecting all the areas in which that source is being stored within the school ecosystem, for example, parent registration data may be kept in your MIS as well as paper copies. Do the same for sent data. By the time this has been done, the map may look complicated; try using a whiteboard and sticky notes to make this exercise quicker and easier. Once the connections have been drawn in rough, the final map can be drawn.


What’s next?

The data map should be used to inform a data protection impact assessment (DPIA). Schools are required to undertake a DPIA in the following circumstances:

  • When using new technologies
  • If the processing is likely to pose a high risk to the rights and freedoms of individuals

Access our model DPIA template here.

Additionally, a data map should assist schools when they’re completing an information asset register. Using this tool, a school can record how long the information needs to be retained, the location of the asset, the individual responsible for the asset, who is permitted to access the information and where the information will be published. As well as this, the tool highlights important information about the assets, such as whether it is a key asset and its data collection status.



DfE (2018) ‘Data protection: a toolkit for schools’

GDPRiS (2018) ‘GDPRiS MindMap – The School Data Eco-system Data Mapping’ [Accessed: 3 May 2018]

ICO (2018) ‘How do we document our processing activities?’ [Accessed: 3 May 2018]

IT Governance (2017) ‘Conducting a data flow mapping exercise under the GDPR’

IT Governance (2017) ‘Data flow mapping under the EU GDPR’ [Accessed: 3 May 2018]



Related terms: General data protection regulations, data ecosystems, data audit, flowchart.