Advisory & Data Protection
See exactly how personal data moves through your business — visual data-flow diagrams and per-department action checklists, delivered by privacy experts.
You can't protect data you can't see. Most organisations genuinely don't know where personal data is collected, how it's shared internally and externally, or which third parties touch it — which makes GDPR principles like purpose limitation, data minimisation and transparency impossible to evidence. Blackfoot's Understanding Data Usage (UDU) service is a structured data mapping exercise that fixes that.
Working department by department, we map how personal data is collected, used, shared and stored across your business, and turn the findings into clear, visual UDU diagrams. Alongside each diagram comes a tailored recommended-actions checklist covering vendors and their roles, data residency and transfer safeguards, purposes and lawful bases, data subject rights, and compliance obligations — with gaps explicitly identified in every section.
The outputs work hard. They feed directly into your Article 30 ROPA and privacy notices, support Transfer Impact Assessments and DPIA decisions, strengthen third-party management, and give auditors and regulators the transparency they ask for. Because the GDPR's principles and requirements are the foundation of the service, every recommendation traces back to something you're actually obliged to do.
It's also become the natural starting point for AI governance. As AI adoption grows, poor data quality, unclear consent and exposure of sensitive data create real regulatory and reputational risk — biased models and compliance failures both start with data nobody mapped. UDU gives you visibility and control over what data feeds AI systems before problems arise, improving outcomes as well as compliance.
The engagement is deliberately light on your team: no documentation is needed in advance, a typical engagement runs four to six weeks, and our experienced practitioners drive the work through a structured six-phase process. Many clients pair UDU with our Data Protection Assessment and ROPA service, or hand the findings to their Blackfoot external DPO to action.
Department-specific diagrams showing how personal data is collected, used, shared and stored — across internal teams and external parties.
Tailored recommendations covering vendors, data residency, lawful bases, subject rights and compliance obligations, with gaps explicitly flagged.
Unknown vendor relationships, unclear lawful bases, excessive data use and undocumented high-risk processing revealed before a regulator finds them.
Outputs feed straight into your ROPA, privacy notices, DPIAs and transfer assessments — one exercise, many artefacts strengthened.
Visibility of the data feeding AI systems, so quality, consent and sensitive-data issues are managed before they bite.
No advance documentation required and a typical four-to-six-week engagement, driven by experienced practitioners rather than your team's spare time.
A kick-off call aligns scope, responsibilities and timelines, with initial planning and discovery typically taking one to two weeks.
Discovery exercises identify the key stakeholders and departments in scope — typically across eleven areas of responsibility, tailored to your structure.
Questionnaires are distributed and collected, and initial UDU diagram development begins from the responses.
Clarification workshops refine the picture; draft diagrams and per-department action checklists are developed and validated.
Final diagrams are signed off and checklists delivered, with a findings call if required — insight your compliance programme can act on immediately.
Straight answers to what prospective clients ask us most.
UDU stands for Understanding Data Usage: a service that gives organisations a clear, visual understanding of how personal data is collected, used, shared and stored across departments. It supports GDPR compliance by identifying risks, improving transparency and enabling better governance of data usage — including a tailored checklist of recommended actions for each in-scope department.
Because most can't reliably track where data is collected, how it's shared, whether it's used only for its intended purpose, or which third parties process it. UDU addresses those challenges with a structured, visual analysis and a recommended-actions checklist per department.
Visual, department-specific UDU diagrams of your data flows, plus per-department checklists covering vendors, data residency and transfers, purposes and lawful bases, data subject rights and compliance obligations. Each section includes a gaps-identified summary highlighting missing vendor relationships, unclear lawful bases and undocumented high-risk activities.
No documentation is required in advance. A typical engagement runs about four to six weeks: one to two weeks of planning and discovery, two to three weeks of stakeholder engagement and documentation, and a final week for delivery.
Yes — GDPR principles are the foundation of the service. UDU helps identify lawful bases, ensure data minimisation and purpose limitation, document flows for Article 30 ROPA requirements, assess international transfers, define retention periods and align security controls with Article 32.
As areas of responsibility. We generally work across eleven distinct departments — including HR, Finance, Marketing, IT, Legal, Operations, Sales and procurement functions — but the model is tailored to match how your organisation is actually structured.
Get a fixed-scope quote, usually the same working day.