We’ve compiled a list of 9 frequently asked questions (FAQs) about our Understanding Data Usage (UDU) service. These questions cover a wide range of topics, from why UDU is important for GDPR compliance to how it helps identify hidden data risks, improve AI outcomes, and reduce privacy-related threats. Whether you’re new to data mapping or looking to strengthen your organisation’s data protection framework, these answers will give you the insights needed to gain clarity, control, and confidence in how your data is managed.
1. What is UDU?
UDU stands for Understanding Data Usage. It is a service designed to help organisations gain a clear, visual understanding of how personal data is collected, used, shared, and stored across departments. UDU supports compliance with GDPR and other data protection regulations by identifying risks, improving transparency, and enabling better governance of data usage.
Our UDU service will also provide a tailored checklist of recommended actions for each in-scope department.
2. Why do organisations need UDU?
Many organisations struggle to:
- Track where data is collected and accessed
- Understand how data is shared internally and externally
- Ensure data is used only for its intended purpose
- Identify all third parties involved in data processing
- Maintain accurate and up-to-date Privacy Notices
- Meet transparency and accountability requirements
UDU addresses these challenges by providing a structured and visual approach to data usage analysis, and a recommended actions checklist for each in-scope department.
3. What outputs can we expect?
As part of the UDU engagement, you will receive a comprehensive set of deliverables designed to give you clarity, assurance, and actionable insights into your data usage practices. These include:
Visual UDU Diagrams
- Clear, department-specific diagrams showing how personal data is collected, used, shared, and stored
- Helps visualise data flows across internal teams and external parties
Recommended Actions Checklist (Per Department)
Each checklist includes tailored recommendations and observations, broken down into key areas:
Vendors
- A list of currently identified vendors and third parties
- Suggested controls, such as due diligence steps and contractual requirements
- Identification of the nature of the relationship (e.g. joint controller, processor)
Data Residency
- Identification of where data is hosted or managed, including third countries
- Transfer Impact Assessments (TIAs) where applicable
- Recommendations for appropriate safeguards (e.g. Standard Contractual Clauses)
Purpose of Processing & Lawful Basis
- A list of processing purposes and the recommended or determined lawful basis for each
- Evaluation of whether excessive data is being used
- Assessment of whether processing operations align with the original specified purposes
Controller Obligations & Data Subject Rights
- A list of applicable data subject rights (e.g. access, erasure, portability)
- Observations on whether these rights can be effectively fulfilled based on current practices
Compliance Obligations
- Identification of processing involving special category data or Article 10 data
- Recommendations for lawful exceptions under Article 9
- Identification of high-risk processing activities
- Guidance on conducting Preliminary Threshold Assessments (PTAs) and Data Protection Impact Assessments (DPIAs)
- Recommendations for data minimisation and appropriate use of sensitive data
- Suggestions for updates to existing documentation (e.g. Article 30 RoPA, Privacy Notices)
Gap Identification
Each section of the checklist includes a “Gaps Identified” subsection, highlighting:
- Missing vendor relationships or unknown vendor locations
- Unclear lawful bases or excessive data use
- Incomplete documentation or unaddressed high-risk activities
These outputs are designed to support your organisation in achieving and maintaining GDPR compliance, improving internal governance, and preparing for audits or regulatory enquiries.
4. What are the key benefits of UDU?
- Removes ambiguity around data usage
- Enhances cross-functional alignment on data protection
- Supports audits and regulatory enquiries
- Improves documentation (e.g. Privacy Notices, RoPAs, DPIAs)
- Strengthens third-party management and transfer assessments
- Reduces time to achieve results through expert-led delivery
- Improves AI project outcomes and governance
5. What documentation would you need access to undertake the UDU service?
No documentation is required in advance.
6. How long does the UDU process take?
Timelines vary based on scope and organisational complexity.
A typical engagement includes:
- Initial planning and discovery: 1–2 weeks
- Stakeholder engagement and documentation: 2–3 weeks
- Finalisation and delivery: 1 week
7. What does the UDU engagement process involve?
The UDU service follows a structured six-phase approach:
- Project Planning & Preparation: Kick-off call to align on scope, responsibilities, and timelines
- Discovery Exercises: Identification of key stakeholders and departments in scope
- Stakeholder Engagement: Distribution and collection of questionnaires; initial UDU diagram development
- Document Data Usage: Clarification workshops; draft and finalise UDU diagrams and action checklists
- Finalise UDU Deliverables: Final sign-off on diagrams; delivery of recommended actions checklists per department
- Close: Findings call (if required); release of final deliverables and project closure
8. How do you define ‘departments’?
Departments can be viewed as areas of responsibility. We generally work in terms of 11 distinct departments (Customer Service, Marketing, DPO, Finance, HR, Information Security, IT, Legal, Operations, Sales, Procurement and Vendor Management). It may be the case that the structure of your company does not exactly match these departments, in which case we will tailor our UDU service to meet your requirements.
9. Does the UDU service take account of the GDPR and advise on compliance with this legislation?
We use the principles of the GDPR and its key requirements as the foundation for the UDU service.
UDU helps organisations:
- Identify lawful bases for processing
- Ensure data minimisation and purpose limitation
- Document data flows for Article 30 RoPA requirements
- Assess and safeguard international data transfers
- Define appropriate data retention periods
- Implement security controls aligned with Article 32 GDPR
- Maintain accurate Privacy Notices and DPIAs
This FAQ highlights that data protection is multifaceted and a framework will need to be created and maintained.
Should you have any further queries, please do not hesitate to contact us.


