We will map the personal data in your Organisation or Legal Practice

The vast majority of organisations have not adequately mapped all of their personal data.

As such, they are non-compliant with Article 30 the GDPR. (There's an excerpt from Article 30 at the bottom of this page.)

Irrespective of the size of your organisation: You must know precisely what personal data you hold or process, why you are processing it, who has access to it, how long you’re going to keep it, and what measures you have in place to protect it.

Also, handing breaches, dealing with Data Subject Access Requests and issuing Privacy Notices is far easier when your data has been comprehensively mapped.


Hours lost mapping HORIZONTAL b

Your time is precious.

Dozens of legal Practices have saved themselves a lot of time by instructing us to map their data for them, on a fixed fee basis.

We have provided them with a new Information Asset Register similar to the one shown on this page.

So, just how big is this? What personal data might a small ‘typical’ high street legal Practice process?

Law firm data types infographic

In fact, the scale of the challenge (and for many, the non-compliance) is huge; as is the risk.

The Information Asset Register below records the personal data, in a manner compliant with Article 30 of the GDPR,  of a small legal Practice.

Sample IAR

For such a complex task, PDA makes the process remarkably simple

IAR infographic


Please get in touch with us to find out more.



Article 30 of the GDPR makes clear as to the requirements of all organisations that hold personal data:

“Each controller and, were applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information…

b) the purposes of the processing;

c) a description of the categories of data subjects and of the categories of personal data;

d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;

f) where possible, the envisaged time limits for erasure of the different categories of data;

g) where possible, a general description of the technical and organisational security measures…”