In order to meet its GDPR obligations, a global biotech company engaged Tueoris to conduct a mapping of processing activities based on relative processing/data risks. An initial risk-ranking exercise was conducted to identify in-scope processes, using privacy and data security risk criteria with associated numerical values to quantify results. Data maps were leveraged by the Privacy Office and the IT Department to create a Record of Processing Activities (GDPR Article 30) and data inventory, as well as to identify and implement privacy and security controls appropriate to the risks posed by the data types and processing activities.