The Tool That Predates Every Privacy Law — and May Just Outlive Them All
A story about engineers, regulators, and a humble diagram that keeps showing up at the right time.
It's the 1970s. Data protection law barely exists. No GDPR. No data protection authorities as we know them today. No DPIAs. The word "compliance" isn't keeping anyone up at night.
But in software engineering circles, someone is drawing boxes and arrows on paper.
Input. Process. Output. External entity. Data store. Lines with little arrows showing where data flows, where it gets transformed, where it gets stored. Simple. Functional. Quietly powerful.

They called it a Data Flow Diagram. A DFD.
Nobody built it for privacy. Nobody built it for governance. It was just a tool engineers used to understand what a system actually does with data (and, later, the starting point for security threat modelling, where trust boundaries get drawn onto the same picture).
Then privacy teams quietly borrowed it.
Fast-forward to the 1990s. Privacy laws start appearing. The EU Data Protection Directive arrives in 1995. Suddenly, organisations need to answer a question they'd never thought to ask before: where does personal data go inside our systems?
Privacy professionals needed a map. And someone, somewhere, looked at the DFD and thought: this already does what we need.
So they inherited it. GDPR, applicable from May 2018, cemented this: Articles 13, 14, 30 and 35 all assume, implicitly, that you know how data flows. Your Record of Processing Activities (RoPA) is, in substance, a DFD written out as a table. Your Data Protection Impact Assessment starts with a data flow. The logical layer of a DFD (what data, for what purpose, under which lawful basis, with what retention) became the backbone of privacy operations.
Data minimisation? You need the flow to know if you're collecting more than you need.
Purpose limitation? You need the flow to know if data is being used beyond its original intent.
Cross-border transfers? You need the physical flow to know if data is leaving the EEA, and where exactly it's landing.
The humble DFD had found a second home.
Then AI governance teams discovered they needed one too.

Here's where it gets interesting.
The EU AI Act is now in force, with its obligations phasing in. For high-risk systems, risk management, conformity assessment, transparency obligations and human oversight requirements all assume you can describe what your AI system does with data. Input. Output. Model behaviour. Decision-making logic. Human intervention points.
Sound familiar?
Because an AI system is, at its core, a very sophisticated data flow. Data comes in. It gets processed — sometimes in ways that are genuinely difficult to explain. Outputs are produced. Decisions get made. And somewhere in that chain, a person's life might be affected.
The EU AI Act cares deeply about that chain. And the only way to document it, review it, audit it — is to draw it.
The DFD has found a third home.
Three layers. One picture.

Here's what I find genuinely elegant about this.
A well-drawn DFD actually operates on three levels simultaneously — and each level maps to a different regulatory lens:
The logical layer
Answers: what data is being processed, transformed, and for what purpose? This is your GDPR layer. Lawful basis. Data minimisation. Purpose limitation. If your DFD shows customer email addresses flowing into a model that generates marketing propensity scores, your logical layer immediately surfaces the question: what's the lawful basis for this? Has the purpose been disclosed?
The physical layer
Answers: where is data actually travelling? Cloud regions. API endpoints. Third-party vendors. Sub-processors. This is where your cross-border transfer risk lives. Your physical DFD is what tells you that the data left India, passed through a US-based cloud provider, and was processed on servers in Ireland — and whether you have the right legal mechanisms in place for each hop.
The contextual layer
Answers: why is data moving, and in service of what human decision? This is the AI governance layer. What is the business intent? What outcome is the AI system trying to produce? Who is affected? Is a human in the loop, or is the system fully automated? This is exactly where an EU AI Act conformity assessment needs to begin.
Three questions. Three layers. One diagram.
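To make the three layers concrete, here is an added example (it is not from the article, and not any particular organisation's tooling): a small Python model in which every flow in the diagram carries its logical, physical and contextual attributes, and three check functions ask the three regulatory questions over the same artefact. The node names, country codes, purposes, lawful-basis labels and the list of transfer mechanisms are constructed assumptions for illustration.

```python
"""A three-layer data flow diagram as a machine-checkable artefact.

Added example, not from the original article. The node names, country
codes, purposes and lawful-basis labels below are constructed for
illustration. Each Flow carries the three layers the text describes:
logical (what data, for which purpose, on which lawful basis), physical
(where it travels from and to, and under which transfer mechanism) and
contextual (which decision it feeds, and whether a human is in the
loop). The check functions turn the three regulatory questions into
lint rules that run over one and the same diagram.
"""
from dataclasses import dataclass
from typing import Optional

# Assumption: two-letter country codes; this small set stands in for the EEA.
EEA = {"IE", "DE", "FR", "NL", "ES"}
# Assumption: a hop out of the EEA is acceptable only if it names one of these.
TRANSFER_MECHANISMS = {"adequacy", "SCC", "BCR"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    # logical layer
    data: frozenset
    purpose: str
    lawful_basis: Optional[str]
    # physical layer
    src_country: str
    dst_country: str
    transfer_mechanism: Optional[str] = None
    # contextual layer
    decision: Optional[str] = None
    human_in_loop: bool = True


def check_logical(flows, allowed):
    """GDPR lens: every flow needs a lawful basis, and may not carry more
    data than its purpose justifies (data minimisation).
    `allowed` maps purpose -> the data elements that purpose justifies."""
    findings = []
    for f in flows:
        if not f.lawful_basis:
            findings.append(f"{f.src}->{f.dst}: no lawful basis for '{f.purpose}'")
        excess = f.data - allowed.get(f.purpose, frozenset())
        if excess:
            findings.append(f"{f.src}->{f.dst}: {sorted(excess)} not needed for '{f.purpose}'")
    return findings


def check_physical(flows):
    """Transfer lens: any hop that leaves the EEA must name a mechanism."""
    return [
        f"{f.src}->{f.dst}: {f.src_country}->{f.dst_country} leaves the EEA "
        f"without a transfer mechanism"
        for f in flows
        if f.src_country in EEA
        and f.dst_country not in EEA
        and f.transfer_mechanism not in TRANSFER_MECHANISMS
    ]


def check_contextual(flows):
    """AI governance lens: a flow that produces a decision about a person
    with no human in the loop is flagged for oversight review."""
    return [
        f"{f.src}->{f.dst}: decision '{f.decision}' is fully automated"
        for f in flows
        if f.decision and not f.human_in_loop
    ]


def lint(flows, allowed):
    """Run all three lenses over one diagram and return every finding."""
    return check_logical(flows, allowed) + check_physical(flows) + check_contextual(flows)


# Constructed sample: the marketing-propensity scenario from the text.
ALLOWED = {
    "account management": frozenset({"email", "name"}),
    "marketing propensity": frozenset({"purchase_history", "score"}),
}

SAMPLE = [
    Flow("customer", "crm", frozenset({"email", "name"}), "account management",
         "contract", "DE", "DE"),
    # Email goes along for the ride, no basis is recorded, and the model runs in the US.
    Flow("crm", "propensity-model", frozenset({"email", "purchase_history"}),
         "marketing propensity", None, "DE", "US"),
    Flow("propensity-model", "campaign-engine", frozenset({"score"}),
         "marketing propensity", "legitimate interests", "US", "IE",
         decision="include in campaign", human_in_loop=False),
]

if __name__ == "__main__":
    for line in lint(SAMPLE, ALLOWED):
        print(line)
```

Run against the constructed sample, the logical check raises two findings on the CRM-to-model hop (no lawful basis, and an email address the purpose does not need), the physical check flags the same hop for leaving the EEA without a transfer mechanism, and the contextual check flags the campaign decision as fully automated. The point is that one diagram, annotated once, answers all three questions; adding a fourth lens is another function over the same flows, not another mapping exercise.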
The problem is we've been doing this in silos.

Most organisations today run DPIAs and AI risk assessments as separate processes. Different teams. Different templates. Different timelines. Different outcomes.
The DPIA team maps the data flow for privacy purposes. The AI governance team does a separate risk assessment for the model. Neither has full visibility into the other's picture. And somewhere in between, the real risks — the ones that live at the intersection of data misuse and automated decision-making — slip through the cracks.
A well-drawn, three-layer DFD collapses this.
You map the data once, properly. You capture the logical flow, the physical journey, and the contextual intent. And suddenly, your DPIA and your AI conformity check are drawing from the same source of truth. The same artefact can answer the regulator's question and the auditor's question and the engineer's question.
That's not just efficiency. That's governance that actually works.
Why this matters right now.
Here in India, the Digital Personal Data Protection Act is now being operationalised. Significant Data Fiduciaries will soon have enhanced obligations, and the DPDPA's structure, with its twin test of lawful purpose and lawful ground, makes the logical layer of a DFD even more essential. You can't demonstrate that you've satisfied both limbs of the test without knowing exactly what's happening to data at every stage.

Meanwhile, organisations building or deploying AI systems need to start their conformity documentation somewhere. The EU AI Act's Annex IV technical documentation requirements for high-risk systems are essentially asking for a structured DFD with risk annotations.
The engineers who drew those boxes and arrows in the 1970s had no idea they were building the foundation for modern privacy and AI governance. But here we are.
You can't govern what you can't see.

That's the oldest truth in this field.
You can't assess what you haven't mapped. You can't manage risks you haven't traced to their source. You can't demonstrate compliance with data you can't account for.
The Data Flow Diagram is not a flashy new framework. It doesn't have a catchy acronym. Nobody's selling a certification in it. But it is, quietly, the most foundational tool in the privacy and AI governance toolkit — because it does something that no policy document or risk matrix can do alone.
It makes the invisible visible.
It was the OG privacy tool. It's becoming the OG AI governance tool.
And it was invented before any of the laws it now helps you comply with even existed.
Devika Subbaiah is a Senior Manager of Privacy Operations and a practitioner writing at the intersection of privacy law, AI governance, and operational compliance. She writes about what it actually takes to build privacy and AI governance programs that work — not just on paper.