Data Mapping

Automated scanning, vendor detection, and ROPA generation with DPOKit.

3 min read

Data Mapping

DPOKit's data mapping module scans your site for third-party data flows and builds a living Record of Processing Activities (ROPA) that satisfies Article 30 GDPR requirements.

Data map overview screen showing detected vendors, their purposes, and legal bases

How scanning works

On activation, DPOKit schedules an initial scan. Scans can also be triggered manually or on a configurable schedule (daily / weekly).

The scanner:

  1. Crawls all published pages and posts
  2. Detects <script> tags, <iframe> elements, pixel images, and fetch/XHR calls to third-party domains
  3. Identifies cookies set by each resource and classifies them by type
  4. Detects GTM containers and enumerates the tags and triggers within them
  5. Flags form action endpoints that post data to off-site URLs

Scanner progress screen showing crawled pages and detected third-party resources

Detected vendor table

Each detected resource maps to a vendor entry containing:

  • Vendor name — matched against the built-in vendor library (Google, Meta, Stripe, etc.)
  • Purpose — pre-filled from the library; editable
  • Data categories — e.g. device identifiers, IP address, browsing behaviour
  • Legal basis — consent / legitimate interest / contract / legal obligation
  • Retention period — how long the vendor retains data

Vendor library

DPOKit ships with a library of 100+ common vendors with pre-filled descriptions. Administrators can:

  • Add custom vendor entries
  • Override any pre-filled field
  • Mark a vendor as approved (appears on data map) or under review

Vendor library showing pre-filled entries for Google Analytics, Meta Pixel, Stripe, and others

Manual data flows

Server-side integrations (e.g. sending order data to an ERP via a background job) are not detectable by client-side scanning. Add them manually:

  1. Go to Data Map → Add Manual Flow.
  2. Enter the vendor, purpose, data categories, legal basis, and retention period.
  3. Save — the flow appears on your data map and ROPA export.

Registering a data flow via code

Plugin authors can register data flows programmatically using the pv_data_map_flows filter:

add_filter( 'pv_data_map_flows', function( $flows ) {
    $flows[] = [
        'vendor'       => 'My ERP',
        'purpose'      => 'Order fulfilment',
        'categories'   => [ 'name', 'address', 'order_items' ],
        'legal_basis'  => 'contract',
        'retention'    => '7 years',
        'direction'    => 'outbound',      // 'inbound' | 'outbound' | 'both'
        'mechanism'    => 'server-side',   // 'client-side' | 'server-side'
    ];
    return $flows;
} );

Extending the vendor library

Add a custom vendor to the built-in library:

add_filter( 'pv_vendor_library', function( $vendors ) {
    $vendors['my_erp'] = [
        'name'         => 'My ERP',
        'website'      => 'https://myerp.example.com',
        'purpose'      => 'Order management and fulfilment',
        'categories'   => [ 'name', 'email', 'address', 'order_data' ],
        'privacy_url'  => 'https://myerp.example.com/privacy',
    ];
    return $vendors;
} );

Exporting the ROPA

Go to Data Map → Export and choose:

  • PDF — formatted for legal review, includes all mandatory Article 30 fields
  • CSV — structured data for import into compliance tools
  • Word (.docx) — editable draft for your DPA or legal team

All exports are timestamped. Previous exports are archived for 12 months.

ROPA export dialog showing PDF, CSV, and Word format options

Data map change history

Every change to the data map (new detection, manual edit, approval) is logged with a timestamp and the WordPress user who made the change. View the history at Data Map → History.