cdpse-d3-data-purpose-data-flow-and-usage-diagrams

Data Flow and Usage Diagrams

isaca-cdpse · framework · Production-ready

Drawn fromCDPSE Review Manual · ISACA peer-reviewed case sets·Reviewed May 5, 2026

How this was built ▾

Every cubelet runs through five agent passes before publishing. Each stage's output is recorded so we can trace how a claim got here.

01 · RESEARCHSource synthesisClaude Haiku
02 · WRITERSix-face draftingClaude Sonnet
03 · EDITORCoherence + clarity passClaude Sonnet
04 · QAQuality gate scoringClaude Opus
05 · PUBLISHERCatalog + graph commitClaude Haiku

This runcourse-factory-pipeline-v1

1

Face 1 of 6 · WHAT

What is Data Flow and Usage Diagrams

Data Flow and Usage Diagrams (DFUDs) are structured visual artifacts that map how personal and sensitive data moves through an organization's systems, processes, and external boundaries — documenting not just the path of data, but the purpose of each movement, the transformations it undergoes, the parties that handle it, and the controls governing its use. A Data Flow Diagram (DFD) charts technical movement: where data originates (sources), how it is processed (transforms), where it persists (data stores), and where it exits (external entities). A Data Usage Diagram extends this by layering in business context: the stated purpose for each flow, applicable retention periods, legal basis for processing, and access control constraints. Together they form the documentary backbone of a privacy governance program — translating invisible data operations into an auditable, shareable artifact. They are NOT: (1) network topology diagrams — they map data movement, not infrastructure; (2) entity-relationship diagrams — they map flows, not schema; (3) standalone process flowcharts — they must include data stores and external entities; (4) one-time compliance deliverables — they are living documents requiring active maintenance.

Where it stops · what it isn't

—DFDs map data movement and purpose — they do not replace data models, system architecture diagrams, or network maps, though they complement all three
—Data usage diagrams extend DFDs with business context (purpose, legal basis, retention) — they are not substitutes for full Privacy Impact Assessments or DPIAs, though they serve as their visual foundation
—Scope is bounded by the data subject population and regulatory perimeter being documented — a DFD scoped for GDPR compliance will differ from one scoped for HIPAA or PCI-DSS
—DFDs document intended controls, not validated ones — separate assurance activities are required to confirm that documented controls are operating effectively
—Automated data lineage tools and catalog metadata are inputs that populate or validate DFDs, not substitutes for the diagram itself

Connected concepts in the graph

Every cubelet sits in a knowledge graph. Here's what this one connects to.

PART OF

Data Lifecycle Management — Data Purpose (ISACA CDPSE Domain 3)

REQUIRES

Data Classification and Inventory

ENABLES

Privacy Impact Assessment (PIA) / Data Protection Impact Assessment (DPIA)Purpose Limitation Compliance (GDPR Art. 5(1)(b), CCPA)Third-Party and Vendor Risk ManagementIncident Response and Breach Scope Identification

RELATED TO

Data Retention and Deletion SchedulesData Subject Rights Fulfillment (Access, Erasure, Portability)

CONSTRAINS

Data Minimization and Purpose Limitation Controls

Practice this judgment ↗

Adaptive, ~8 min

Sit in the practitioner's chair ↗

Live simulator

06 · APPLYSign up to enter the judgment simulator →

Watch your judgment grow on this concept

Create a free account to unlock all 6 faces, the judgment simulator, and a mastery score that updates with every attempt.