GDPR Data Pipeline Audit — Mapping the Unmapped
Led a comprehensive GDPR data pipeline audit across 8 services, mapping all PII flows and eliminating 3 previously unknown PII storage points. Achieved full compliance and reduced Data Protection Impact Assessment (DPIA) review time by 60%.
Challenge
Organisation processing EU customer data across 8 services with no documented data flow map and no technically enforced retention policies, exposing the company to significant regulatory risk.
Solution
Conducted a full data pipeline audit: mapped all PII flows, implemented technically enforced retention policies, integrated consent management consistently across services, and produced Data Protection Impact Assessments (DPIAs) for the highest-risk processing activities.
Result
Full GDPR compliance achieved, 3 previously unknown PII storage points eliminated, DPIA review time reduced 60%.
The Problem
I was leading programme operations for a mid-size B2B SaaS company that had expanded into the European market 18 months earlier. The product processed personal data from EU customers — names, email addresses, usage behaviour, and in some cases payment information — across 8 interconnected microservices. The problem was that nobody had a complete picture of where that data actually lived.
There was no documented data flow map. Retention policies existed in a general privacy policy on the website but were not enforced technically. Consent management was handled inconsistently — some services checked consent flags, others did not. When the legal team was asked to complete a Data Protection Impact Assessment for a new feature, it took weeks because they had to interview engineers service by service to understand data flows. A new EU client had made GDPR compliance documentation a contractual requirement, creating urgency.
What I Did
I structured this as a four-phase programme: discover, map, remediate, and sustain.
In the discovery phase, I worked with engineering leads for each of the 8 services to identify every point where personal data was ingested, processed, stored, or transmitted. This involved reviewing code, database schemas, API contracts, logging configurations, and third-party integrations. The process uncovered 3 previously unknown PII storage points — a debug logging service that was capturing full request payloads including personal data, a legacy analytics pipeline that retained raw user events indefinitely, and a staging environment database that contained production customer data from a migration test.
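The debug-logger finding above is the kind of thing a small detector catches before a service-by-service interview does. The following is an added example, not code from this case study or from the company it describes: it runs two PII detectors (email address, Luhn-valid card number) and a field-name allowlist over constructed log lines and reports which lines carry personal data. The log lines, the field names in PII_FIELDS and the scan/luhn_ok helpers are all assumptions for illustration.

```python
"""PII detector for captured log output.

Added example, not code from the original case study. It models the
discovery-phase check that caught the debug logging service: a few
detectors run over log lines and report which lines carry personal data.
Every log line, field name and helper below is constructed for illustration.
"""
import re
from dataclasses import dataclass

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Runs of 13-19 digits, optionally separated by spaces or dashes: candidate card numbers.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Constructed allowlist of field names whose values are personal data regardless of format.
PII_FIELDS = ("full_name", "name", "phone", "address", "date_of_birth")

# Constructed sample of what a debug logger that stores full request payloads emits.
SAMPLE_LOG = """\
2024-03-02T10:15:01Z debug-logger POST /api/signup body={"full_name": "Ada Lovelace", "email": "ada@example.com", "plan": "team"}
2024-03-02T10:15:02Z debug-logger POST /api/billing body={"card_number": "4111 1111 1111 1111", "exp": "12/27"}
2024-03-02T10:15:03Z debug-logger GET /api/health trace_id=1234567890123456 status=200
2024-03-02T10:15:04Z debug-logger POST /api/events body={"event": "page_view", "session": "a8f3"}
"""


def luhn_ok(digits: str) -> bool:
    """Luhn checksum. Filters random digit runs (trace ids, timestamps) out of the card hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str    # "email", "card" or "field:<name>"
    value: str   # masked where the value is itself sensitive


def scan_line(line_no: int, line: str) -> list[Finding]:
    findings = []
    for m in EMAIL_RE.finditer(line):
        findings.append(Finding(line_no, "email", m.group()))
    for m in CARD_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            # Keep only the last four digits so the findings report is not itself a PII store.
            findings.append(Finding(line_no, "card", "*" * (len(digits) - 4) + digits[-4:]))
    for fld in PII_FIELDS:
        # Matches JSON-style "field": "value" and key=value; values stop at quote, comma or brace.
        m = re.search(rf'\b{fld}\b["\']?\s*[:=]\s*["\']?([^"\',}}]+)', line)
        if m:
            findings.append(Finding(line_no, f"field:{fld}", m.group(1).strip()))
    return findings


def scan(text: str) -> list[Finding]:
    """Scan every line of a log capture; line numbers are 1-based."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        findings.extend(scan_line(n, line))
    return findings


def lines_with_pii(text: str) -> list[int]:
    """Sorted line numbers that carry at least one finding."""
    return sorted({f.line_no for f in scan(text)})


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} -> {f.value}")
```

The Luhn filter is what keeps the card detector usable on real logs: the health-check line carries a 16-digit trace id that the regex alone would flag. A detector like this belongs on the log pipeline itself, not only in a one-off audit, so a payload-dumping logger is caught the next time one is added.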
In the mapping phase, I created a comprehensive data flow diagram documenting every PII touchpoint across the system. Each data element was classified by sensitivity, and the legal basis for processing was documented alongside it. This became the single source of truth for privacy-related decisions.
In the remediation phase, I led the implementation of technical retention policies — automated data deletion jobs aligned with the documented retention periods. The three rogue PII storage points were cleaned up and safeguards added to prevent recurrence. We integrated consent management consistently across all services using a centralised consent API. I also produced Data Protection Impact Assessments for the four highest-risk processing activities.
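The retention jobs and the inventory they are driven by are the technical core of the mapping and remediation phases above. The following is an added example, not code from this case study or the company it describes: a retention schedule carrying the legal basis from the data-flow inventory, a dry-run plan, and enforcement with two safeguards a practitioner wants before such a job runs unattended, namely a legal-hold exclusion and a ceiling on how much of a table a single run may delete. The SQLite tables, columns, retention periods, sample rows and the plan/enforce/run_schedule helpers are all assumptions for illustration.

```python
"""Retention enforcement job over a relational store.

Added example, not code from the original case study. Tables, columns,
retention periods and records are constructed for illustration.
"""
import sqlite3
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RetentionRule:
    table: str             # table holding the personal data
    timestamp_col: str     # column the retention clock runs from
    retention_days: int    # documented retention period (constructed values)
    legal_basis: str       # recorded with the rule so deletions are auditable
    subject_col: str = "user_id"   # join key against the legal-hold table


# Constructed schedule: one rule per row of the data-flow inventory.
SCHEDULE = [
    RetentionRule("raw_events", "occurred_at", 90, "legitimate interest (product analytics)"),
    RetentionRule("support_tickets", "closed_at", 365, "contract"),
]
MAX_DELETE_FRACTION = 0.5   # a single run may not remove more than this share of a table
DEMO_NOW = datetime(2024, 3, 2, 12, 0, tzinfo=timezone.utc)   # fixed clock for the demo data


class RetentionError(RuntimeError):
    """Raised when a run would exceed MAX_DELETE_FRACTION; the table is left untouched."""


@dataclass
class Plan:
    rule: RetentionRule
    cutoff: str
    total_rows: int
    expired_rows: int        # past retention, including rows protected by a hold
    held_rows: int           # past retention but kept because of a legal hold
    delete_ids: list[int] = field(default_factory=list)   # what enforce() would remove


def build_demo_db(now: datetime = DEMO_NOW) -> sqlite3.Connection:
    """Constructed data: rows inside and past retention, one subject on legal hold."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE raw_events (id INTEGER PRIMARY KEY, user_id TEXT, occurred_at TEXT);
        CREATE TABLE support_tickets (id INTEGER PRIMARY KEY, user_id TEXT, closed_at TEXT);
        CREATE TABLE legal_holds (user_id TEXT PRIMARY KEY, reason TEXT);
        CREATE TABLE retention_audit (id INTEGER PRIMARY KEY, table_name TEXT, cutoff TEXT,
                                      deleted INTEGER, held INTEGER, legal_basis TEXT);
    """)

    def ts(days_ago: int) -> str:
        return (now - timedelta(days=days_ago)).isoformat()

    conn.executemany("INSERT INTO raw_events VALUES (NULL, ?, ?)", [
        ("u1", ts(10)), ("u1", ts(30)), ("u2", ts(60)),
        ("u2", ts(95)), ("u3", ts(400)), ("u4", ts(120)),
    ])
    conn.executemany("INSERT INTO support_tickets VALUES (NULL, ?, ?)", [
        ("u1", ts(30)), ("u2", ts(380)), ("u5", ts(370)),
    ])
    conn.execute("INSERT INTO legal_holds VALUES ('u3', 'pending dispute')")
    conn.commit()
    return conn


def plan(conn: sqlite3.Connection, rule: RetentionRule, now: datetime) -> Plan:
    """Dry run: what the rule would delete right now. Identifiers come from the code-owned
    schedule, never from user input, which is the only reason f-strings are acceptable here;
    the cutoff is bound as a parameter. Timestamps are UTC ISO-8601 strings of identical
    shape, so string comparison orders them correctly."""
    cutoff = (now - timedelta(days=rule.retention_days)).isoformat()
    total = conn.execute(f"SELECT COUNT(*) FROM {rule.table}").fetchone()[0]
    expired = conn.execute(
        f"SELECT COUNT(*) FROM {rule.table} WHERE {rule.timestamp_col} < ?", (cutoff,)
    ).fetchone()[0]
    ids = [r[0] for r in conn.execute(
        f"SELECT id FROM {rule.table} WHERE {rule.timestamp_col} < ? "
        f"AND {rule.subject_col} NOT IN (SELECT user_id FROM legal_holds)", (cutoff,))]
    return Plan(rule, cutoff, total, expired, expired - len(ids), ids)


def enforce(conn: sqlite3.Connection, rule: RetentionRule, now: datetime,
            allow_bulk: bool = False) -> int:
    """Delete what plan() selects and write an audit row in the same transaction."""
    p = plan(conn, rule, now)
    if p.total_rows and len(p.delete_ids) / p.total_rows > MAX_DELETE_FRACTION and not allow_bulk:
        raise RetentionError(f"{rule.table}: refusing to delete {len(p.delete_ids)} of {p.total_rows} rows")
    with conn:   # commit the deletions and the audit record together, or neither
        conn.executemany(f"DELETE FROM {rule.table} WHERE id = ?", [(i,) for i in p.delete_ids])
        conn.execute("INSERT INTO retention_audit VALUES (NULL, ?, ?, ?, ?, ?)",
                     (rule.table, p.cutoff, len(p.delete_ids), p.held_rows, rule.legal_basis))
    return len(p.delete_ids)


def run_schedule(conn: sqlite3.Connection, now: datetime, allow_bulk: bool = False) -> dict:
    """Apply every rule; a refused table is reported as None instead of aborting the run."""
    results = {}
    for rule in SCHEDULE:
        try:
            results[rule.table] = enforce(conn, rule, now, allow_bulk)
        except RetentionError:
            results[rule.table] = None
    return results


if __name__ == "__main__":
    db = build_demo_db()
    for rule in SCHEDULE:
        p = plan(db, rule, DEMO_NOW)
        print(f"{rule.table}: {p.expired_rows} past retention, {p.held_rows} on hold, "
              f"{len(p.delete_ids)} to delete (basis: {rule.legal_basis})")
    print(run_schedule(db, DEMO_NOW))
```

Two design points carry over to a real deployment. The audit table is the evidence a supervisory authority or an EU client asks for: each run records the cutoff, the count removed and the legal basis it acted on. The deletion ceiling is there because the first run of a retention job on a backlog like the analytics pipeline above will want to remove most of a table; that should be a deliberate, reviewed action, not the default behaviour of a cron job.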
In the sustain phase, I established a privacy review checkpoint in the development workflow. Any new feature touching personal data required a lightweight privacy assessment before development began.
The Outcome
The organisation achieved full GDPR compliance, documented and verifiable. The 3 previously unknown PII storage points were eliminated, removing exposure that could have resulted in significant fines. DPIA review time dropped by 60% because the data flow documentation made impact assessments straightforward rather than investigative. The EU client signed the contract after reviewing our compliance documentation. Most importantly, privacy became a design consideration rather than an afterthought; engineers started asking the right questions before building, not after.