Skip to main content

Steps to GDPR Compliance: Data Mapping

Post number 2/12 in HireRight's "Steps to GDPR Compliance" blog series looks at data maps, why they will be important under the GDPR, and the steps HireRight has taken to support its customers with their data mapping efforts.

July 6, 2017
Caroline Smith, VP Deputy General Counsel, International at HireRight

Step 2 – Data Mapping

Follow the yellow brick road

Why data map?

Data mapping should be a key element in any organisation’s compliance strategy, including any pre-employment screening policy.

The prospective employer (data controller) can face questions from its candidate base about where their personal data is being sent and how it is used. When a data mapping exercise is successfully undertaken, the prospective employer can answer questions with confidence and provide the right level of comfort to candidates during what can be a stressful time. Knowing where data is being sent and how it is used, and being transparent with respect to data mapping, also reduces the risk of any claims of unauthorised handling of personal information. 

How to data map

What are some of the key questions that the prospective employer should ask itself?

  • What type of data is collected? Is any data sensitive personal information?

  • Who is collecting or using that data and is that data sent to any third party?

  • If data is sent to a third party, where is that third party located? Is the data normally hosted in that country?

  • When and how is the data collected and used, and for how long is that data retained?

  • For what purpose is the data collected and used?

How does HireRight support a data controller’s data mapping efforts?

In order to support and align with the prospective employer, a service provider should itself have gone through a data mapping exercise, in particular in respect to its vendor networks that assist in delivering local pre-employment checks. 

Type of data: HireRight’s clients choose the level of screening performed by HireRight, and thus, the type of data collected, as set out in the relevant contract schedule of fees.

Who collects data, and third parties: the HireRight system has transparency at its heart. Supporting documents such as consent forms (discussed in detail in Step 1) set out who collects candidate data, on behalf of whom, and where that data may be sent.

Location of third parties: the global nature of the candidate marketplace requires global screening support via a network of third-party sources and vendors. HireRight maintains a network of such third-party sources and vendors, who are subject to HireRight’s data mapping exercise so that HireRight can understand where data is sent, to whom, and how it is stored. Vendor management in preparation for GDPR compliance will be a topic of future blogs, so watch this space.

When, how, and how long: this information is available to the candidate via information notices. Collection and processing occur only once consent is obtained by, or on behalf of, the prospective employer, and data is retained in accordance with specific client instructions.

What purpose: pre-employment screening only – this information is again available and clearly set out for the candidate, and it is made clear that data is not used, stored, or processed for any other purpose than to fulfil the services.

Other benefits of data mapping

Whilst data mapping can be a significant undertaking for many organisations and requires the buy-in of key stakeholders, there are other benefits to data mapping, beyond candidate care:

GDPR: data mapping will help with compliance with a number of key elements of the GDPR such as:

  • Maintaining detailed records of data processing activities.

  • Having available records to present to any supervisory authority.

  • Showing accountability i.e. demonstrating that processing activities are performed in compliance with the GDPR.

  • Evidence that an organisation considers data protection by design and by default.


  • Potential for improved efficiencies of business processes and IT systems by streamlining data flows.

  • Mitigation of risk of data breach (as mentioned above).

  • Maintaining records allows an organisation to respond quickly to discovery requests and consequently reduces related costs.

  • Assists with record retention requirements/policies.


Data mapping is an essential piece of any organisation’s compliance programme and assists in supporting pre-employment screening policies and candidate engagement. On top of this, there are added benefits relating to GDPR compliance and general efficiencies.

In other words, a commitment to data mapping really could result in finding the Emerald City at the end of the yellow brick road!

Release Date: July 6, 2017

Caroline Smith profile image

Caroline Smith

Caroline is a UK qualified lawyer with over 18 years’ experience and currently serves as HireRight’s Deputy General Counsel for the EMEA and APAC regions. When not “lawyering” or writing blogs, Caroline can be found striking yoga poses in remote locations such as Mongolia and Bhutan.