GDPR Role & Retention Mapper
Map GDPR data processing roles (Controller, Processor, Joint Controller), define data processing activities, calculate retention periods by data type and jurisdiction, select legal bases, assess pseudonymization needs, and generate Article 30 Records of Processing Activities.
What Is GDPR Role and Retention Mapping
The General Data Protection Regulation (GDPR) requires organizations to define clear data processing roles and implement retention policies that limit how long personal data is stored. Role mapping identifies whether each entity in your data processing chain is a Controller (determines purposes and means of processing), Processor (processes data on behalf of a Controller), or Joint Controller — each role carrying distinct legal obligations.
Retention mapping ensures that personal data is not kept longer than necessary for its stated purpose, a core principle of GDPR known as storage limitation (Article 5(1)(e)). Together, role and retention mapping form the operational backbone of GDPR compliance, answering two critical questions: who is responsible for this data, and how long can we keep it?
GDPR Roles Explained
| Role | Definition | Key Obligations | Example |
|---|---|---|---|
| Controller | Determines purposes and means of processing | Lawful basis, data subject rights, breach notification (72h), DPIA | Company using CRM to manage customer relationships |
| Processor | Processes personal data on behalf of Controller | Follow Controller instructions, security measures, breach notification to Controller | Cloud hosting provider storing customer database |
| Joint Controller | Two+ entities jointly determine purposes | Transparent arrangement defining responsibilities, single point of contact for data subjects | Two companies running a joint marketing campaign |
| Sub-Processor | Processor engaged by another Processor | Same obligations as Processor, Controller must approve engagement | CDN provider used by the cloud host |
Retention Period Guidelines
| Data Category | Typical Retention | Legal Basis |
|---|---|---|
| Customer transaction records | 6-7 years | Tax and accounting law |
| Employee records | Duration of employment + 6 years | Employment law, limitation periods |
| Marketing consent records | Until consent is withdrawn | GDPR Article 7 |
| Website analytics | 26 months (Google Analytics default) | Legitimate interest |
| CCTV footage | 30 days | Legitimate interest |
| Job application data | 6-12 months after decision | Legitimate interest for legal claims |
| Medical records | Varies by jurisdiction (often 10+ years) | Legal obligation |
Common Use Cases
- GDPR compliance audit: Map every personal data processing activity to a defined role (Controller/Processor) and documented retention period
- Data Processing Agreement (DPA) preparation: Identify all Processor relationships that require DPAs under Article 28, and define retention requirements in each agreement
- Records of Processing Activities (ROPA): Build the Article 30 register by documenting each processing activity with its role classification, purpose, retention period, and legal basis
- Data minimization implementation: Identify data stores where personal data is retained beyond its stated purpose and implement automated deletion
- Vendor assessment: Evaluate whether third-party vendors are correctly classified as Processors or Controllers and verify their retention practices align with your policies
Best Practices
- Document roles for every data flow — Map each personal data processing activity to a specific role. A single vendor might be a Controller for some data (their own analytics) and a Processor for other data (your customer records).
- Set specific retention periods, not indefinite — "As long as necessary" is not a valid retention policy. Define concrete timeframes based on legal requirements, business need, or data subject expectations.
- Automate deletion — Manual retention enforcement fails at scale. Implement automated data lifecycle management that flags or deletes data when its retention period expires.
- Review retention annually — Business needs and legal requirements change. Review retention schedules at least annually and after any significant change in processing activities.
- Include backups in retention scope — Backup copies of personal data are still personal data. Ensure backup retention aligns with your defined periods and that restoration processes account for deletion requests.
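The retention and backup practices above can be enforced by a small lifecycle job. The following is an added example, not code from the GDPR Role & Retention Mapper tool: it takes the typical retention periods from the table on this page, computes an expiry date per record from an anchor event (transaction date, end of employment, hiring decision, consent withdrawal), and treats a backup restore as a point where erasure tombstones and expired retention must be re-applied. Expired records held in the Processor role are not deleted automatically but queued for Controller instruction. The category keys, the `Record` fields, the tombstone set and the sample records are all constructed for the example.

```python
"""Retention schedule evaluation with backup-restore tombstones (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention in days counted from an anchor event. Values follow the typical
# periods in the table above (upper end used where a range is given).
# 0 means "until the anchor event occurs", e.g. consent withdrawal.
RETENTION_DAYS = {
    "customer_transaction": 7 * 365,  # tax and accounting law, 6-7 years
    "employee_record": 6 * 365,       # end of employment + 6 years
    "cctv": 30,                       # legitimate interest
    "job_application": 365,           # 6-12 months after the hiring decision
    "marketing_consent": 0,           # until consent is withdrawn
}


@dataclass(frozen=True)
class Record:
    record_id: str
    subject_id: str          # data subject the record relates to
    category: str            # key into RETENTION_DAYS
    role: str                # "controller" or "processor" for this data flow
    anchor: Optional[date]   # event that starts the clock; None if not yet happened


def expiry_date(rec: Record) -> Optional[date]:
    """Date from which the record may be deleted, or None while the clock has not started."""
    if rec.category not in RETENTION_DAYS:
        raise ValueError(f"no retention rule for category {rec.category!r}")
    if rec.anchor is None:
        return None  # still employed, consent still active, decision pending
    return rec.anchor + timedelta(days=RETENTION_DAYS[rec.category])


def bucket(rec: Record, today: date) -> str:
    """Lifecycle decision for one record on a given day."""
    exp = expiry_date(rec)
    if exp is None:
        return "no_anchor"
    if exp > today:
        return "retain"
    # Past expiry: a Processor deletes or returns data on the Controller's
    # instruction (Article 28), so it does not delete unilaterally.
    return "notify_controller" if rec.role == "processor" else "expired"


def classify(records, today: date) -> dict:
    """Group record ids by lifecycle decision for the deletion job."""
    out = {"expired": [], "retain": [], "no_anchor": [], "notify_controller": []}
    for rec in records:
        out[bucket(rec, today)].append(rec.record_id)
    return out


def restorable(backup_records, erasure_tombstones: set, today: date) -> list:
    """Records from a backup that may be written back: drop any subject with an
    erasure tombstone (a deletion request honoured after the backup was taken)
    and any record whose retention has expired since the backup."""
    return [
        rec for rec in backup_records
        if rec.subject_id not in erasure_tombstones
        and bucket(rec, today) != "expired"
    ]


# Constructed sample data: one record per rule plus one held as a Processor.
SAMPLE = [
    Record("t-1", "s-100", "customer_transaction", "controller", date(2017, 3, 1)),
    Record("t-2", "s-101", "customer_transaction", "controller", date(2023, 3, 1)),
    Record("e-1", "s-200", "employee_record", "controller", None),
    Record("c-1", "s-300", "cctv", "controller", date(2024, 5, 1)),
    Record("j-1", "s-400", "job_application", "controller", date(2023, 6, 15)),
    Record("m-1", "s-500", "marketing_consent", "controller", date(2024, 6, 1)),
    Record("h-1", "s-101", "customer_transaction", "processor", date(2016, 1, 1)),
]
TODAY = date(2024, 7, 1)
ERASED = {"s-400"}  # constructed: subject s-400 exercised the right to erasure

if __name__ == "__main__":
    for name, ids in classify(SAMPLE, TODAY).items():
        print(f"{name:>17}: {ids}")
    print("restorable:", [r.record_id for r in restorable(SAMPLE, ERASED, TODAY)])
```

Running the module prints the four buckets for the sample set and the records a restore may write back; note that the job application for subject s-400 is excluded from restore both because of the tombstone and because its retention has expired, while the Processor-held transaction is kept for the Controller to decide on.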
Frequently Asked Questions
Common questions about the GDPR Role & Retention Mapper
What is the difference between a data controller, a data processor, and joint controllers?
A data controller determines the purposes and means of processing personal data (decides why and how data is processed). A data processor processes data on behalf of the controller (follows the controller's instructions). Joint controllers occur when two or more entities jointly determine processing purposes. Each role has different obligations under GDPR.
ℹ️ Disclaimer
This tool is provided for informational and educational purposes only. All processing happens entirely in your browser - no data is sent to or stored on our servers. While we strive for accuracy, we make no warranties about the completeness or reliability of results. Use at your own discretion.