The Client is a European fintech scaleup specialising in business spend management.

As a fast-growing technology company processing personal data at scale across different departments (HR, IT, communications, marketing, procurement, etc.), the client relied on a large and evolving technology stack comprising 120+ third-party tools and platforms. Without a consolidated and structured overview of which tools process which categories of personal data, who within the organisation has access to which tool, and what data protection risks each tool presents, the client faced a significant compliance gap. A comprehensive data mapping exercise was needed to establish a reliable foundation for ongoing GDPR compliance and to inform future data protection work.

The European fintech scaleup commissioned AWO to conduct a comprehensive data mapping exercise across the entire technology stack, covering over 120 tools and platforms, to establish a structured overview of the categories of personal data processed and the data subjects they belong to, the team retaining ownership of each tool and those having access to it, and the associated data protection risks.

  • Tools mapping and review.

    The AWO team collected data from the client's existing sources and reached out to stakeholders to scope out the perimeter of the tools to be reviewed. It then collected the publicly available legal documentation for each tool, including privacy notices, data processing addendums, terms of use, and subprocessor lists, and mapped the categories of personal data processed, the categories of data subjects affected, and the teams within the client's organisation with access to each tool.

  • Risk assessment.

    Each tool was assigned a data protection risk level (from very low to high) assessed against the obligations imposed on data controllers and processors under the GDPR (including Articles 5, 6, 25, 28, 32, and 44–49), with specific attention to data minimisation, international transfer mechanisms, and subprocessor arrangements.

  • Actionable outputs.

    The exercise produced a detailed data mapping spreadsheet and an accompanying methodology document, providing the client with a structured, reusable compliance asset. Each entry included a risk designation with recommended actions the client can take to mitigate identified gaps - ranging from unilateral adjustments to the consideration of alternative tool providers for higher-risk cases.

AWO's approach combined desk-based documentary review with direct engagement with the client's procurement and IT leads, as well as a feedback process involving individual tool owners across the organisation. This collaborative method ensured that the final deliverable reflects both the legal reality as documented by tool providers and the operational reality of how the tools are used within the client's business.

The resulting data mapping spreadsheet was designed to serve as a living compliance document to be maintained and updated as the client’s technology stack evolves. It provides the foundation for further data protection compliance work, including the prioritisation of remediation actions, the renegotiation of data processing agreements, and the conduct of data protection impact assessments, where required under Article 35 GDPR.
