# Personal Data Mapping (RoPA) Israel | Database Definition Documents > Professional personal-data mapping for Israeli organizations: discovery of every database, field documentation, database definition documents per the 2017 Security Regulations, RoPA tables per GDPR Article 30, sensitivity classification and vendor mapping. Foundation for every privacy project and gap analysis. **Canonical:** https://dpoisrael.com/en/services/data-mapping/ **Locale:** en-IL --- Foundation for everything. Professional **data mapping**: discovery of every personal-data asset, field/system documentation, **database definition documents** per 2017 Security Regulations, **RoPA** tables per GDPR Article 30, sensitivity classification, and vendor mapping. Without mapping — no real gap analysis, no Authority registration, no data-subject request handling, no security framework. With good mapping — everything is possible. ## Mapping — what you get - **Duration:** 3-14 weeks by size - **Purpose:** Full documentation of every personal-data asset - **Main deliverable:** RoPA + Database Definition Document per asset - **Standards:** 2017 Security Regulations + GDPR Art. 30 - **Extras:** Flow diagram, vendor matrix, rights matrix - **You provide:** One contact per department — we do the work - **Integrates with:** Gap analysis, DPO as a Service, Authority reg, DPIA - **Valid until:** Major change — usually 2 years ## Six stages — one database or two hundred 01 ### Discovery Interviews with every department. System and vendor lists, forms, spreadsheets. Discovery of "shadow databases" (Shadow IT, OneDrive Excels). 02 ### RoPA documentation Records of Processing Activities table per GDPR Article 30 — purpose, legal basis, data types, subjects, recipients, retention, security. 03 ### Database definition document For each relevant database — a document per the 2017 Security Regulations. Owner, security manager, security level, access controls. 04 ### Sensitivity classification Basic data, special-category data (Section 7), medical data, data on minors. Each classification triggers a corresponding security level. 05 ### Data-flow mapping Who receives the data? Where does it flow? Which vendors touch it? Cross-border transfers? Visualized in a flow diagram. 06 ### Authority registration integration When registration with the Authority is required — we perform it, including the registration fee (organization cost). ## What stays with you ### RoPA table Excel/Sheets with 12-15 columns per database. Standard format that works for both Amendment 13 and GDPR. ### Database definition document Separate document per relevant database, per 2017 Security Regulations. Required by owner and security manager. ### Data-flow diagram Who receives what, from whom, when. Visual — easy for non-technical management to understand. ### Vendor matrix Every vendor and which databases they touch. Foundation for [vendor privacy](/en/services/vendor-privacy). ### Data-subject rights matrix Where to find information when an access/correction/deletion request arrives. Saves hours on every request. ### Gap list Databases without documentation, missing critical fields. Feeds the gap analysis. ## Frequent questions about data mapping ### How long does mapping take? Depends on size. Small org (5-10 systems) — 3-4 weeks. Mid-size (20-50 systems) — 6-8 weeks. Large with 100+ systems or municipality — 10-14 weeks. ### Difference from gap analysis? Mapping **describes what exists**. [Gap analysis](/en/services/gap-analysis) **compares to legal requirements**. Mapping is the foundation. No real gap analysis is possible without mapping. ### We already have an Authority registration — is that enough? Good signal of awareness. But typically the registration is limited (3-5 databases) and doesn’t reflect the full organization. We produce a more complete mapping, and update Authority registration if needed. ### Does mapping include field-level analysis? Yes. We document the most sensitive fields per database — IDs, credit cards, medical data, data on minors. These drive required security levels and DPO obligation. ### Who do you need from us? One contact per department — manager, secretary, or "the person who knows the systems best". We lead, interview, document. Not your job to write the RoPA — that’s ours. ### When should we map? If you don’t have current database definition documents — now. If documents are from 2019 or earlier — now (Amendment 13 changed things). If the org went through restructuring, acquisition, or new system in the last 12 months — now. ## Ready to know what you actually have? Professional mapping, fully documented, yours to keep. [Book a call](/en/contact)