Data Mapping Exercise

Today’s data breach landscape places organisations under increased pressure to demonstrate how they safe guardpersonally identifiable information and sensitive data.

However, in order to protect those assets, an organisation first needs to have a holistic view of its data footprint and the criticality of the information it holds.

NCC Group’s risk management experts will take you through a Data Mapping Exercise to identify, classify and discover the data in your organisation, providing pragmatic consultancy as they assess your data risk.


  • Independent validation of key data assets.
  • A foundation for targeted and prioritised risk assessment and treatment expenditure.
  • A practical and pragmatic output providing you a data asset tracker and an executive report.
  • A holistic view of the people, processes and technology of your data ecosystem.



Cyber-attacks and the resulting data breaches are an ever increasing risk, leading to the exposure of company, customer and employee sensitive data. Regulatory controls are geared towards regulation as opposed to risk based assessments, and failure to comply can result in high financial penalties.

Many organisations do not have the means or methods to identify and locate all of the data they hold to assess.

A Data Mapping Exercise presents a perfect opportunity for organisations to understand what and where their key data assets are and enables them to take a practical approach to prioritising remediation.


Phased Approach

Our Data Mapping Exercise consists of four phases:


This phase helps to define and understand the data types you hold within your organisation. Through a series of interviews and questionnaires with key staff we will identify its location, which business processes handle or store sensitive data and the data types in use.

  • What are your data categories - personal, financial, business operational or intellectual property
  • What are your data sub categories (or elements)? Name, address, DOB, financial records?
  • What format is it in? Emails, forms, letters, spreadsheets, application data or database records?
  • What is it used for and how is it processed?


This phase determines how sensitive the data is based upon the damage that would be caused due to a breach of its confidentiality, integrity and availability. The result of this phase will be a measurement of the data’s sensitivity rating, enabling the organisation to classify its data and define its protection requirements.

  • How sensitive is the data based on its confidentiality, integrity and availability?
  • If lost, does it cause damage to individuals, business operations, or company reputation?
  • Rate the data for its sensitivity and determine classification.


We will work together to discover where your data is stored and confirm who receives and processes it.

  • Where is the data stored or transmitted and to whom?
  • Is it on a local device, in a database, in an application, hosted in the cloud, or with a partner?


Once the other phases are complete, we will provide you with a data inventory matrix showing your data categories, location and sensitivity.

  • Generate a comprehensive sensitive data inventory matrix from the information gathered.
  • Accompanying report summarising the findings and a way forward, creating a platform for a phrase two risk assessment.


Key Questions

A Data Mapping Exercise project would be a suitable course of action if you are unable to answer any of the key questions below:

  • Do we know where our sensitive data assets are?
  • Do we know what type of data assets we have?
  • Do we know how sensitive and valuable our data assets are?
  • Do we know which business processes handle and store our sensitive data?
  • Are we managing the risks to personal data effectively in line with GDPR requirements?
  • Are we able to effectively report on our level of compliance?

If you have any doubt, our experts are available for a quick chat:


Contact us