GDPR Art. 30 requires controllers to maintain Records of Processing Activities (ROPA), and a data flow register is the practical implementation of that requirement. ISO-27001:2022 A.5.9 requires an inventory of information assets; NIST SP 800-53 PM-5 requires an information system inventory. Without a register, it is impossible to answer a supervisory authority's first question during an audit: "What personal data do you process and where does it go?" It is also impossible to identify the correct third-party contacts when a breach occurs, scope a deletion request accurately, or assess the impact of adding a new integration. The register is the foundation that makes all other data protection controls auditable.
Info because the register is a documentation control rather than a direct attack surface, but its absence makes every other privacy control harder to verify and audit.
Create a data register in docs/data-register.md or a shared spreadsheet. A structured table covering all data types, sources, storage locations, processors, and retention periods satisfies the GDPR Art. 30 ROPA obligation.
Data Register:
| Data Type | Source | Storage | Processing | Recipients | Retention |
|---------------|---------------|-----------------|------------------|--------------------|----------|
| Email | Signup form | users table | Auth, comms | SendGrid (email) | Until del |
| Usage events | App telemetry | events table | Analytics | None | 26 months |
| IP address | Web requests | Server logs | Fraud detection | None | 90 days |
| Payment info | Checkout | Not stored | Fwd to Stripe | Stripe | Never |
| Session token | Auth flow | cookies/DB | Session auth | None | Session |
Update the register whenever you add a new form field, third-party integration, or data processing feature. Link it from your README and privacy policy.
ID: data-protection.compliance-documentation.data-flow-register
Severity: info
What to look for: Enumerate every relevant item. Look for a data flow diagram, data inventory, or data register document. It may live in docs/, as a Miro or Lucidchart link in the README, a Notion page, or a spreadsheet. A data flow register should map all personal data: what types are collected, where they originate (forms, APIs, third parties), where they are stored (which database tables), what processing occurs, and who they are shared with. It should be kept current as new features and integrations are added.
Pass criteria: At least 1 of the following conditions is met. A data flow diagram or register exists and is reasonably current (updated within the last 6 months or upon each major feature addition). It identifies all major data types, their sources, storage locations, processing steps, and external recipients.
Fail criteria: No data flow documentation of any kind. Or a template document that was never filled in.
Skip (N/A) when: Application has minimal data handling — a single collection point, a single storage location, and a single recipient — where a diagram adds no value beyond what the privacy policy states.
Detail on fail: Example: "No data flow documentation found. Data movement through the system (collection points, storage, third-party sinks) is undocumented.".
Remediation: Create a data register. A spreadsheet is sufficient — a formal diagram is not required:
Data Register (maintain as a spreadsheet or Notion table):
| Data Type | Source | Storage | Processing | Recipients | Retention |
|-----------------|----------------|-------------------|-------------------|------------------|-----------|
| Email address | Signup form | users table | Auth, comms | SendGrid (email) | Until del |
| Display name | Signup form | users table | Display in UI | None | Until del |
| Usage events | App telemetry | events table | Analytics display | None (no export) | 26 months |
| IP address | Web requests | Server logs | Fraud detection | None | 90 days |
| Payment intent | Checkout | Not stored (fwd) | Forwarded to Stripe | Stripe | Never* |
| Session token | Auth flow | cookies table | Session auth | None | Session |
* Payment card data never touches your servers — handled entirely by Stripe.
Update this register whenever you add a new form field, third-party integration, or data processing step.