Purpose

Data flow diagrams make data movement visible, helping identify where data is created, transformed, stored, and consumed. They are essential for security analysis, privacy impact assessments, and understanding system behaviour.

When to Use

Create during alpha when designing the data architecture. Essential for Data Protection Impact Assessments (DPIAs) and security threat modelling. Update when data flows change.

How to Build

Identify all data sources — where does data enter the system? This includes user input, API calls from external systems, file uploads, and scheduled data feeds.

Trace each data item through the system: where is it processed, transformed, enriched, or validated? Show each processing step as a bubble or process box.

Identify all data stores — databases, caches, file systems, message queues. Show which processes read from and write to each store.

Show data outputs — where does data leave the system? Reports, API responses, notifications, file exports, downstream system feeds.

Use consistent notation: external entities as rectangles, processes as circles/rounded rectangles, data stores as open-ended rectangles, and data flows as labelled arrows.

Tips

  • Start with a Level 0 (context) DFD showing the system as a single process, then decompose.
  • Label every data flow with what data it carries, not just that data flows.
  • Show data at rest (stores) and data in motion (flows) — both matter for security.
  • Highlight personal data flows for GDPR compliance and DPIA purposes.
  • Use levels of decomposition — Level 0, Level 1, Level 2 — to manage complexity.

Common Mistakes

  • Not labelling data flows, making it impossible to understand what data moves where.
  • Mixing control flow with data flow — DFDs show data movement, not program logic.
  • Forgetting data stores, showing data flowing between processes without persistence.
  • Not decomposing complex processes into sub-levels, resulting in cluttered diagrams.
  • Omitting error and exception data flows.

Government Context

In UK government, data flow diagrams are mandatory for Data Protection Impact Assessments (DPIAs) under UK GDPR. They help demonstrate compliance with data minimisation principles and identify where personal data crosses organisational boundaries. The ICO expects clear documentation of data flows for any service processing personal data. They also support the cross-government data ethics framework.

Related Artifacts