How to map software privacy in your company? Complete guide in 5 steps

Why does your company need software privacy mapping?

With each new software contract, your company assumes privacy commitments. But do you know exactly which applications are active, who the internal owners are, what personal data each one processes, and what risks they represent?

Corporate privacy mapping is much more than a list of tools. It's a living inventory that organizes responsibilities between Procurement, IT, Compliance, and Legal, supports contracts, RFIs and audits, and reduces surprises in renewals or policy and terms changes.

This guide shows how to start, what to collect, and how to keep your mapping updated to transform it into a strategic governance asset.

What is software privacy mapping?

Software privacy mapping is a structured registry that documents:

• Which software the company uses
• Who are the internal owners of each application (requesting areas and approvers)
• What is the purpose of each tool in the business
• What personal data is processed
• What privacy risks each application presents
• Contractual status and renewal dates

Unlike a traditional IT inventory (focused on licenses and infrastructure), privacy mapping puts personal data and compliance at the center of decision-making, connecting areas that normally work in silos.

How does privacy mapping reduce corporate risks?

Organizes responsibilities between areas

Without clear mapping, it's common to see:

• IT discovering software only when the invoice arrives
• Legal being called for opinions on the eve of contracting
• Procurement negotiating contracts without knowing which privacy clauses to require
• DPOs without visibility on vendors that process sensitive data

Mapping establishes clear owners for each tool and defines when each area should be involved in the evaluation process.

Supports contracts and RFIs

With a structured inventory, you:

• Identify gaps in privacy clauses before signing
• Compare vendors objectively in RFP processes
• Document decisions in an auditable way for regulators and internal audits
• Prioritize contractual reviews based on real risk

Avoids surprises in renewals

Corporate software frequently changes their privacy policies. An updated mapping allows:

• Monitoring changes that impact contractual commitments
• Anticipating critical renewals with sufficient time for renegotiation
• Identifying vendors that accumulate security incidents
• Reassessing risks when there are mergers, acquisitions, or controller changes

What information to collect in privacy mapping?

Basic software data

Name and category

• Commercial name of the application
• Functional category (CRM, HR, Analytics, Communication, etc.)
• Official URL and privacy documentation

Vendor

• Corporate name and country of origin
• Relevant corporate structure (controller, subprocessors)
• Security and privacy certifications (ISO 27001, SOC 2, etc.)

Internal governance information

Owners and responsible parties

• Requesting area (Marketing, HR, Sales, etc.)
• Executive sponsor (who approved the budget)
• Technical administrator (who manages access and integrations)
• Privacy responsible (who responds to incidents)

Purposes and use

• What the software is used for
• How many active users
• Integrations with other corporate systems
• Whether it processes external customer data or only employee data

Privacy and risk data

Types of data processed

• Simple personal data (name, email, phone)
• Sensitive data (health, racial origin, beliefs, biometrics)
• Minor data
• Financial or payment data

Legal basis and consent

• Which legal basis supports processing (LGPD Art. 7)
• Whether there is consent collection from data subjects
• Data subject rights implemented (access, correction, deletion)

International transfers

• Whether there is transfer outside Brazil
• Which countries receive the data
• Protection mechanisms (contractual clauses, adequacy)

AI use and automated decisions

• Whether the software uses artificial intelligence
• Whether there are automated decisions that impact data subjects (LGPD Art. 20)
• Possibility of human review and right to explanation

Contractual information

Status and validity

• Contract start date
• Renewal or termination date
• Annual value and licensing model
• Negotiated privacy clauses

Evaluations and audits

• Privacy risk score (if applicable)
• Date of last due diligence assessment
• Pending issues or non-conformities identified
• Action plan and deadlines

How to start privacy mapping in 5 steps?

Step 1: Define scope and prioritization

Don't try to map everything at once. Start with:

• Critical software that processes sensitive data (HR, health, financial)
• Tools with the highest volume of personal data (CRM, email platforms)
• Applications with a history of incidents or frequent policy changes
• Renewals in the next 90 days

Step 2: Involve the right areas from the beginning

Set up a working group with representatives from:

• Procurement (owners of vendor relationships)
• IT/Security (technical visibility and integrations)
• Legal/Compliance (contract and legal risk analysis)
• DPO/Privacy (LGPD and personal data expertise)

Define clear roles: who collects, who validates, who keeps updated.

Step 3: Choose the registration tool

Mapping can start simple (spreadsheet) but should evolve as it scales:

Spreadsheet (up to 50 software)

• Good for quick start
• Access control and history limitations
• Risk of outdated versions circulating

GRC system (50-500 software)

• Better workflow and approval control
• Integration with other compliance layers
• Requires platform investment

Specialized platform (500+ software or high risk)

• Continuous monitoring of policies and incidents
• Automated privacy analyses (e.g., AITS - AI Trust Score from TrustThis.org)
• Benchmarks by category and change alerts

Step 4: Standardize information collection

Create RFI (Request for Information) templates with essential privacy questions:

• Where is data stored (country, region, cloud)?
• Are there subprocessors? Which ones and where do they operate?
• What is the personal data retention period?
• How does the data subject exercise their rights (access, deletion)?
• Does the software use AI? For what purposes?
• Have there been security incidents in the last 24 months?

Use the same structure for all vendors, facilitating objective comparisons.

Step 5: Integrate mapping into existing processes

Mapping only generates value if used in day-to-day decisions:

In new request intake

• New software requests go through privacy screening
• Score or preliminary analysis is attached to the approval process

In contractual renewals

• 60-90 days before expiration, Procurement receives updated report
• Policy changes or incidents are considered in renegotiation

In audits and inspections

• Mapping serves as evidence of structured governance
• Assessment history demonstrates continuous due diligence

How to keep privacy mapping updated?

Establish review routines

Continuous review (automatic when possible)

• Monitoring changes in privacy policies
• Alerts about public security incidents
• Notifications about certification expirations

Quarterly review

• Validation of owners and responsible parties (area changes)
• Update of data volumes and integrations
• Risk score review

Complete annual review

• Recertification of purposes and legal bases
• Audit of contracts and privacy clauses
• Benchmark with competitors and market best practices

Automate what's possible

Specialized tools can:

• Track privacy policy versions over time
• Identify relevant changes in terms and conditions
• Generate alerts about publicly reported incidents
• Compare vendors using standardized criteria (e.g., AITS index)

This frees your Compliance team to focus on strategic analyses, not manual data collection.

Connect mapping to other management layers

The privacy inventory should dialogue with:

• Corporate risk management (ERM)
• IT asset control (CMDB)
• Contract management (CLM)
• Record of processing activities (ROPA for LGPD/GDPR)

This integration avoids rework and ensures critical information flows between areas.

What mistakes to avoid in privacy mapping?

Treating mapping as a one-time project

Privacy is not "do it and forget it". Vendors change policies, new risks emerge, contracts expire. An outdated mapping is worse than having no mapping, as it creates a false sense of control.

Focusing only on legal compliance

Yes, complying with LGPD is mandatory. But mapping should also support business decisions: which vendor offers the best cost-benefit considering risk? Where is there opportunity to consolidate tools and reduce attack surface?

Overloading the process with bureaucracy

If each new tool takes weeks to be approved, business areas will bypass the process (shadow IT). Seek balance: quick screening for low risk, in-depth analysis for sensitive data.

Not involving Procurement from the start

Procurement has the commercial relationship with vendors and contractual negotiation power. If Legal/Compliance only enters after signing, there's little room to demand better clauses.

How does AITS accelerate privacy mapping?

Building and maintaining corporate privacy mapping manually is costly in time and resources. This is where standardized indices like AITS (AI Trust Score) from TrustThis make a difference.

Initial screening in minutes

Instead of reading dozens of pages of privacy policies for each vendor, you get an objective score based on 90+ transparency criteria, including:

• Data collection and retention practices
• AI governance and automated decisions
• International transfers and subprocessors
• Data subject rights and contact channels

Structured comparison between vendors

AITS allows benchmarking by category (CRM, HR, AI Chat, etc.), facilitating objective choices in RFP processes. You compare communication transparency, identify red flags, and prioritize in-depth due diligence where there's higher risk.

Continuous monitoring of changes

Privacy policies change frequently. AITS monitors versions over time and alerts about relevant changes, allowing you to reassess vendors before contractual renewals.

Auditable evidence

Each AITS analysis comes with references to public sources (URLs, dates, versions), generating defensible documentation for internal audits and regulatory inspections.

Transform your mapping into strategic advantage

A well-structured privacy mapping goes beyond compliance: it accelerates purchasing decisions, reduces governance costs, and strengthens your company's position in contractual negotiations.

Start today with reduced scope, prioritize critical software, and establish update routines. Use tools that automate repetitive work, freeing your team for high-value analyses.

And remember: the first mapping is the hardest. Once the structure is in place and processes are integrated, maintenance becomes a natural part of operations — and your company starts making software decisions with speed and confidence.

Want to quickly assess the privacy of software your company uses? Learn about AITS (AI Trust Score) from TrustThis and get ready-made analyses of thousands of tools, with standardized scores, benchmarks by category, and continuous monitoring of changes.

SUPPORT MATERIALS FOR PRIVACY MAPPING IMPLEMENTATION

To help your team implement software privacy mapping in a structured way, we've prepared three practical visual resources that you can print, share with your team, or use in presentations for stakeholders:

5-Stage Mapping Flowchart – Step-by-step diagram showing the complete sequence from scope definition to integration with existing processes, with clear guidance on what to do at each phase.

2x2 Prioritization Matrix – Visual tool to classify software by data volume and sensitivity, allowing quick identification of which applications should be mapped first and where to concentrate governance resources.

Metrics Dashboard – Example control panel with key indicators (KPIs) to monitor your inventory's evolution, including distribution by category, risk scores, and contractual renewal alerts.

These materials follow the methodology presented in the article and can be adapted to your organization's reality.