Data Inventory Archives | TrustArc
https://trustarc.com/topic-resource/data-inventory/
Thu, 05 Sep 2024 19:53:14 +0000

Medium Enterprise Consumer Services Company
https://trustarc.com/resource/medium-enterprise-consumer-services-case-study/
Thu, 05 Sep 2024 19:46:19 +0000
Case Study

Medium Enterprise Consumer Services Company

How to achieve privacy compliance and accelerate business results.

A medium-sized consumer services company was facing challenges related to managing a complex ecosystem of global laws, efficiently demonstrating GDPR compliance, and automating DPIA management.

They partnered with TrustArc to transform their privacy program management and adopted the Assessment Manager and Data Inventory Hub solutions to address these challenges. TrustArc’s tools not only made regulatory reporting easier but also provided the flexibility, customization, and support needed to scale with business changes. With TrustArc solutions, the company automated 25% of its privacy processes and centralized its data inventory management process. It also cut time-to-compliance by 50% and reduced operating expenses by another 50%.

Learn how TrustArc’s innovative privacy products accelerated the business’s compliance program.

Fortune 500 Consumer Products Company
https://trustarc.com/resource/fortune-500-consumer-products-case-study/
Thu, 05 Sep 2024 19:42:33 +0000
Case Study

Fortune 500 Consumer Products Company

Transform privacy program management with TrustArc

Explore how TrustArc helped a leading enterprise cut time-to-compliance by 15%, reduce operating expenses by up to 30%, and automate 75% of its privacy processes. Facing challenges like managing GDPR and CCPA compliance, understanding global regulations, and centralizing data inventory, this company turned to TrustArc for a comprehensive solution.

Utilizing tools like Assessment Manager, Data Inventory Hub, and Cookie Consent Manager, they streamlined their privacy program, enabling better cross-organizational collaboration and more informed business decisions. TrustArc’s innovative products and expert consulting services made compliance easier and more efficient, demonstrating high subject matter expertise and flexibility to scale with business needs. Discover how your organization can achieve similar results with TrustArc’s cutting-edge privacy management solutions.

One Hot Week in Privacy
https://trustarc.com/resource/spp-s5-ep14/
Mon, 13 May 2024 16:10:17 +0000

The Fun and da Mental Part of Privacy – Data Inventories
https://trustarc.com/resource/spp-s5-ep13/
Fri, 03 May 2024 15:08:10 +0000

A Guide for Structuring and Implementing PIAs
https://trustarc.com/resource/a-guide-for-structuring-and-implementing-pias/
Fri, 23 Feb 2024 20:00:00 +0000
Whitepaper

A Guide for Structuring and Implementing PIAs

Six Steps for Your Next Privacy Impact Assessment

Does your organization know how it handles personal data?

As your organization grows, the amount of data it processes increases. And with more data and more data privacy laws, comes stronger enforcement for the mishandling of personal data, globally. To avoid violating regulations, organizations must identify, assess, and mitigate privacy risks for specific products, services or systems.

Key takeaways include:
  • Learn how to assemble a PIA team
  • Follow a six-step process for conducting a PIA
  • Know which standards to follow and which data to include and analyze

Guide to Data Inventory and Mapping for GDPR & CCPA Compliance
https://trustarc.com/resource/guide-to-data-inventory-and-mapping-for-gdpr-ccpa-compliance/
Fri, 16 Feb 2024 18:48:00 +0000
Whitepaper

Guide to Data Inventory and Mapping for GDPR & CCPA Compliance

Why Build a Data Inventory and Data Flow Maps

One of the most important steps in designing and building a data privacy program is to create a data inventory covering all of the business processes within an organization. If an organization does not know what types of data it collects, how that data is shared, processed and stored, and what its data inflows and outflows are, it is difficult to meet regulatory requirements, mitigate organizational risks, and efficiently respond to data subject access requests.

Mastering GDPR Article 30 Compliance: Conducting, Maintaining and Reporting on your Data Inventory
https://trustarc.com/resource/gdpr-article-30-compliance/
Tue, 30 Aug 2022 19:49:00 +0000
Articles

Mastering GDPR Article 30 Compliance: Conducting, Maintaining and Reporting on your Data Inventory

Casey Kuktelionis

Why Should Organizations Conduct a Data Inventory?

Although a data inventory is not required, you do need a record of processing activities. It’s difficult to meet GDPR Article 30 compliance without a data inventory and map to visually represent how data flows throughout your organization.

A data inventory process focuses on how and why data is collected to ensure critical areas aren’t overlooked. Data maps are visual representations that help organizations understand data movements across borders and within critical aspects of an organization’s data environments.

Data visualizations help companies understand the data they hold and build controls to manage any inherent risk. This information factors into the transparent processing activities disclosures made with your data subjects.

Proactiveness is a primary benefit of the data inventory and mapping process. It demonstrates to regulators that you’re not taking shortcuts to comply with regulations.

If you did miss something, a comprehensive data inventory and map will prove you genuinely take data privacy matters seriously. The process signals to regulators that you are interested in getting it right and are willing to be transparent.

Additionally, it aligns well with the data protection principles outlined in GDPR Article 5. Those principles require that personal data be processed lawfully, fairly, and transparently toward the data subject, that it be accurate, and that it be processed securely.

It is the controller’s responsibility to comply with GDPR and demonstrate compliance (Accountability Principle).

Conducting a data inventory is foundational for your privacy program. It can help you better respond to data access requests, improve data governance, and increase business efficiency.

How Does a Data Inventory Support GDPR Article 30 Compliance?

GDPR Article 30 pertains to records of processing activities. It requires organizations to keep records and provide them to the supervisory authority upon request.

Compliance with Article 30 requires you to demonstrate all details of personal information collection, where it’s stored, shared, and used, and who is responsible for those data records. The record of processing activities must be in writing, including electronic form.

Controllers are required to record the following activities:

  • The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative, and the data protection officer
  • The purposes of the processing
  • A description of the categories of data subjects and the categories of personal data
  • The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations
  • Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization, and in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards
  • Where possible, the time limits for deleting the different categories of data
  • Where possible, a general description of the technical and organizational security measures referred to in Article 32(1)
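The list above distinguishes elements that are always required from those that apply only "where applicable" (transfers) or "where possible" (retention limits, security measures). The following Python is an added example, not TrustArc's code, that encodes one processing-activity record with those fields and checks it against the Article 30(1) list, treating a missing mandatory element as an error and a missing "where possible" element as a warning to be justified. The mechanism labels, the sample record, and all names and contacts in it are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional

# Transfer mechanisms named elsewhere on this page (Article 46 safeguards) plus the
# Article 49(1) second-subparagraph derogation that Article 30(1)(e) singles out.
SAFEGUARD_MECHANISMS = {"BCR", "SCC", "public_authority_instrument"}
ART49_DEROGATION = "art49_1_second_subparagraph"


@dataclass
class Transfer:
    """One transfer to a third country or international organisation."""
    destination: str                      # must identify the country / organisation
    mechanism: str                        # one of SAFEGUARD_MECHANISMS or ART49_DEROGATION
    safeguards_doc: Optional[str] = None  # reference to the documented suitable safeguards


@dataclass
class ProcessingActivity:
    """One row of a controller's record of processing activities (Art. 30(1))."""
    name: str
    controller_name: str
    controller_contact: str
    purposes: list[str]
    data_subject_categories: list[str]
    personal_data_categories: list[str]
    recipient_categories: list[str]
    transfers: list[Transfer] = field(default_factory=list)
    retention_limits: dict[str, str] = field(default_factory=dict)  # data category -> time limit
    security_measures: Optional[str] = None  # general description per Art. 32(1)
    dpo_contact: Optional[str] = None        # "where applicable" elements, not checked here
    joint_controller: Optional[str] = None
    representative: Optional[str] = None


def check_article30(act: ProcessingActivity) -> list[tuple[str, str]]:
    """Return (severity, message) findings: 'error' for a missing mandatory element,
    'warning' for an absent 'where possible' element that should be justified."""
    findings: list[tuple[str, str]] = []

    # (a) controller identity and contact details are always required
    if not act.controller_name.strip() or not act.controller_contact.strip():
        findings.append(("error", f"{act.name}: controller name/contact details missing"))

    # (b)-(d) purposes, categories of subjects and data, categories of recipients
    for label, values in (("purposes", act.purposes),
                          ("categories of data subjects", act.data_subject_categories),
                          ("categories of personal data", act.personal_data_categories),
                          ("categories of recipients", act.recipient_categories)):
        if not [v for v in values if v.strip()]:
            findings.append(("error", f"{act.name}: {label} missing"))

    # (e) each transfer must identify its destination; a transfer relying on the
    #     Art. 49(1) second-subparagraph derogation must document suitable safeguards
    for t in act.transfers:
        if not t.destination.strip():
            findings.append(("error", f"{act.name}: transfer does not identify the "
                                      "third country / international organisation"))
        if t.mechanism == ART49_DEROGATION and not t.safeguards_doc:
            findings.append(("error", f"{act.name}: transfer to '{t.destination}' relies on "
                                      "Art. 49(1) second subparagraph but documents no safeguards"))
        elif t.mechanism not in SAFEGUARD_MECHANISMS and t.mechanism != ART49_DEROGATION:
            findings.append(("error", f"{act.name}: transfer to '{t.destination}' has "
                                      f"unrecognised mechanism '{t.mechanism}'"))

    # (f) deletion time limits "where possible": flag each data category lacking one
    for cat in act.personal_data_categories:
        if cat not in act.retention_limits:
            findings.append(("warning", f"{act.name}: no deletion time limit for '{cat}'"))

    # (g) security measures "where possible"
    if not act.security_measures:
        findings.append(("warning", f"{act.name}: no description of Art. 32(1) security measures"))
    return findings


def is_reportable(act: ProcessingActivity) -> bool:
    """True when the record has no 'error' findings, i.e. it could be handed to a supervisory authority."""
    return not any(sev == "error" for sev, _ in check_article30(act))


# Constructed sample (placeholder values): payroll processing with a US vendor, where one
# transfer is deliberately incomplete so the checker has something to report.
SAMPLE = ProcessingActivity(
    name="Payroll processing",
    controller_name="Example Co. Ltd (placeholder)",
    controller_contact="privacy@example.com (placeholder)",
    purposes=["Pay salaries", "Statutory tax reporting"],
    data_subject_categories=["Employees"],
    personal_data_categories=["Contact details", "Bank account details", "Salary"],
    recipient_categories=["Payroll vendor", "Tax authority"],
    transfers=[Transfer("United States", "SCC", "DPA-ref (placeholder)"),
               Transfer("", ART49_DEROGATION)],
    retention_limits={"Contact details": "7 years after employment ends",
                      "Salary": "7 years after employment ends"},
)

if __name__ == "__main__":
    for sev, msg in check_article30(SAMPLE):
        print(f"[{sev}] {msg}")
    print("reportable:", is_reportable(SAMPLE))
```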

Organizations commonly perform a data inventory exercise to gather an accurate record of processing activities.

Business processes are mapped to understand how personal information is processed, what third parties have access to data, what systems are used, and what controls are in place for those systems.

The goal is to understand and demonstrate that the organization knows how personal data is processed, the third parties involved in processing activities, and the systems and controls that are working or lacking.

GDPR Article 30 compliance also requires the organization to have a legal basis for specific processing activities related to sensitive data. Strictly focusing on the data elements themselves may cause a company to overlook important elements.

As a result, companies have shifted how they observe data existing in their organization. Instead of creating static lists of IT applications, mapping business processes explains the how and why of data processing, making Article 30 reporting easier.

Getting Buy-In From Internal Stakeholders

Building a thorough data inventory process requires effort across the organization. The best person to lead this effort is the person who will create awareness and proactively drive the process forward.

Data privacy doesn’t live with legal, risk management, information security, cybersecurity, or compliance – it needs the cooperation of all departments and the support of senior management to be efficient.

The data inventory champion should communicate internally how GDPR Article 30 compliance is essential to business and your client commitment. Today it’s often required in client contracts. Not to mention, the fines for non-compliance are rather hefty.

Benefits of Data Inventory for Internal Stakeholders

  • Information Technology (IT) – Identify storage redundancies, reduce infrastructure complexity, and generate cost savings.
  • Information Security – Know what data resides in each system, prioritize protection efforts, focus on the most high-risk or high-value data, establish appropriate access controls, and generate cost savings.
  • Operations – Reduce redundancies and risk, improve efficiencies, and save money.
  • Procurement – Identify points at which the company shares information with third-party vendors and the sensitivity of the data being shared. Support risk-based vendor management, increase efficiency in contract management, and generate cost savings.

Conducting a Data Inventory

Before the organization conducts a data inventory, have a vision and goal, and stick to that aspiration. What are you trying to achieve?

Depending on your organization’s size, a large amount of data could be processed and stored. To focus and gain momentum, start with the processes and areas dealing with personal data or that create high risk.

First, you need to determine whether you will take a systems-based approach or a business-process-based approach for your data inventory.

Some find it easier to give information through a process approach because people think and do their jobs from a process perspective.

The IT/Systems Approach

The systems approach starts with listing all databases, applications, and systems used to process or store data. The systems come first; eventually, the data flows to users or people.


The Process Approach

A process approach to data inventory examines all the business processes that contain personal information. For each process, describe the data and systems that might be associated with it. Typically the data flow appears less complicated using this method.

Many organizations find the process approach captures all systems better than the IT approach, most likely because organizations commonly lack a complete record of systems despite their efforts. People often download apps and use web-based applications that go unreported to IT.

No matter the approach, strive to find the right balance between enough granularity to get at the complexity of data flows and understand them in a linear way, but not so granular that you’re getting the same information over and over from multiple processes.

Finding that balance is a complex job, but it’s time well spent.

4 Steps to Conduct Your Data Inventory

Step 1: Decide whether you will take an IT/systems or business process approach.

Step 2: Discover what records you already have. Don’t start from scratch; most organizations already have documentation about assets and systems within IT or security.

Step 3: Identify the people and the processes/systems you want to cover. Who owns the systems?

Step 4: Consider starting with a pilot project with one business unit to test and validate your methodology and use early deliverables to secure better engagement for the broader project.

Organizations new to this process often start with a data inventory spreadsheet. Information is collected within each process or system area to document how the data flows.

This information creates a data map to visualize who owns the systems, where the data comes from, who the data subjects are, and whether or not the data is encrypted.

Business process mapping can be complex in larger organizations. Using a data mapping tool to visualize the data as it moves provides much-needed clarity compared to a spreadsheet.

Data inventories and visual maps are used together to capture the total picture in an easy, detailed format.

Speaking of the total picture, don’t forget your suppliers and third-party vendors.

Addressing Third Party Vendors

Know which suppliers and third-party vendors are either in the EU or may handle EU personal data. This is especially important for GDPR Article 30 compliance but also for compliance with other data privacy laws.

After you’ve created an inventory of vendors, classify the vendors. Which third parties have access to critical or sensitive information?

Address each vendor with a customized policy and procedure document that includes vendor vetting, ongoing reviews and audits, and end-of-relationship activities.

Although end-of-relationship activities are often overlooked, be sure to include off-boarding, deletion of data, or returning data and how you will attest to that.

As you continue to manage your third-party risk, include data privacy in your onboarding process for new suppliers and contractors.

The onboarding process should include:

  • Identifying the types of information they will be handling/processing
  • Considering whether or not they have logical or physical access
  • Getting an impression of inherent risk and a window into security and privacy practices

Ensure that issues not up to your standards are remediated before finalizing the relationship.

Ongoing Maintenance of Data Inventory for GDPR Article 30 Compliance

Compliance with Article 30 requires more than checking off a to-do list. A data inventory is a living, breathing document. It needs to be maintained through acquisitions, mergers, and technological changes.

Keeping your data inventory up to date is just as important as building it. Once you’ve established your data inventory, identify tools and methodologies that can maintain and scale the process.

Use the Data Inventory as a Foundation for Ongoing GDPR Compliance Program

GDPR compliance doesn’t end with Article 30. But it’s a great place to start when building an ongoing data privacy compliance program. Once you’ve established this foundation, consider these next steps.

  • Identify inherent risk and complete DPIAs as required under Article 35.
    • If you have a sub-processor or vendor contracts, do that due diligence, and ensure vendors uphold the same principles in privacy that your organization holds.
  • Train employees continuously on data inventory change management.
  • Share processes with cross-functional teams for broader organizational benefit.
  • Leverage the data inventory for the next phase in your compliance mission; implement appropriate technical controls.

Test Your Data Inventory Process

After you’ve completed the data inventory, test your process to ensure it works. One way to test your process is by conducting a simulated data breach with team members in their respective roles.

The team responds to the simulated breach by identifying the data breached, where it resides, and which processes were affected. This exercise will show whether the data inventory is accurate.

For example, can your team pinpoint every vendor that had access to that data? If not, there is likely a gap in your data inventory process.

Without a Data Inventory, Companies Will be Overwhelmed by Data Subject Requests
https://trustarc.com/resource/data-inventory-and-mapping/
Thu, 11 Aug 2022 20:02:00 +0000
Articles

Without a Data Inventory, Companies Will be Overwhelmed by Data Subject Requests

Casey Kuktelionis

Why Should You Know Where Data Is?

A centralized data inventory is critical for your organization’s security and privacy compliance. It’s the starting point for understanding what and how data is collected and used across the organization.

Using data inventory and data mapping, you can pinpoint exactly where data is located and stored and draw connections between complicated data flows.

Having an easily accessible inventory enables quick identification of the assets or systems that process an individual’s data and which jurisdictional requirements apply throughout the data lifecycle.

As more data privacy laws are enacted worldwide, understanding your organization’s data inventory and mapping is necessary to meet compliance requirements.

Organizations both big and small should expect to respond to a significant number of consumer requests about their personal data – if you’re not already getting them.

Are You Compliant with CCPA and GDPR DSAR Requirements?

Perhaps the most customer-facing and public compliance requirements of the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are those around the rights of the data subject or consumer, also referred to as individual rights.

GDPR, CCPA, and other data privacy laws significantly increase the requirements on businesses to comply with individual rights requests. These requests include the rights to:

  • Access information
  • Rectify or update erroneous or incomplete information
  • Be erased/forgotten, withdraw consent, and have their data removed
  • Restrict processing or limit use and disclosure
  • Object to processing
  • Data portability

These requirements dictate how organizations must address individual rights and the related requests, which are called Data Subject Access Requests (DSARs).

Most commonly the laws address the types of requests businesses can expect to receive and the timeline within which they must respond to or fulfill the request.

For example, GDPR requires that requests be addressed within one month. CCPA requires requests to be addressed within 45 days – with some exceptions and extensions permitted.

Other laws have similar requirements to GDPR and CCPA.

Meeting these requirements is important because non-compliance can result in fines and angry customers. Furthermore, failure to meet these requirements is a violation of individual rights.

Forrester Research found consumers are likely to exercise their rights around their personal information. 63% reported that they are likely to exercise their right related to GDPR to ask companies to delete their information.

However, if your company is unsure of what information it’s collecting, where it lives, and the processes surrounding data use, responding to DSARs will quickly become a burden.

Before your team is overwhelmed with DSARs, ensure you have an accurate, centralized data inventory.

What Happens When a Data Subject Requests a Copy of Their Data?

GDPR Article 15 grants data subjects the right of access, giving individuals the right to obtain confirmation as to whether personal data about them is being processed and to request a copy of that data.

The 5 state privacy laws (California, Colorado, Connecticut, Virginia, and Utah) also include the right of access for consumers.

As mentioned above, alongside the right to request a copy of their data, the law requires organizations to respond to the request within a specific number of days.

Suppose, for example, that your organization collects data about customers to enhance the customer experience.

If a customer requests a copy of their data, will you know where to find it? If they ask additional questions about their data, will you be able to answer them?

Now, what would happen if thousands of customers made this request around the same time? Could your IT department handle that volume of requests?

DSARs are just one of the many reasons why your business needs a data inventory.

What Does Data Inventory Have to do with Global Business Transactions?

GDPR Article 46 allows for data transfers to non-EU countries through mechanisms that provide appropriate safeguards.

Appropriate safeguards include Binding Corporate Rules (BCRs), Model Contract Clauses (MCCs), also known as Standard Contractual Clauses (SCCs), and legally binding documents and enforceable instruments between public authorities or bodies.

Suppose you’re about to close a global deal in which personal data must be transferred out of the EU to a US-based subsidiary that uses a vendor in Asia to process that data.

Are any measures in place to ensure your team will not overlook specific requirements as the data travels across countries?

International data transfers are a highly discussed topic in data privacy, with many regulations and differing opinions.

Even though a data inventory itself is not explicitly mandated by the GDPR, Article 30 requires companies to produce “records of processing activities” to demonstrate to regulators that the organization is adhering to the GDPR.

Implement a data inventory process that focuses on how and why data is collected, both to respond to DSARs and to maintain privacy law compliance.

Documenting the Data Lifecycle

The process of documenting the data lifecycle is referred to as data flow analysis or data mapping. Data mapping requires collaboration between those who know where data is at each stage across the enterprise and with third parties.

Data lifecycle stages include collection, storage, usage, transfer, processing, and disposal.

Comply with Data Privacy Law DSAR Requirements

  • Ensure understanding of what data you collect and process and where it resides.
  • Establish a process to intake individual rights requests (that is easy on the individual) and ensure this process is well-communicated throughout the organization.
  • A request may come in from many routes, and the person receiving that request needs to understand that a request is being made.
  • Individuals typically won’t understand or use the exact verbiage in the law.
  • Validate the individual’s identity.
  • Once the request is validated, have a process to review it, evaluate the data referenced, the reasons for processing the data, and any exceptions.
  • Have a response process and an appeals process for denied requests.
  • Retain documentation throughout the process.

Back it Up Now – Privacy Rocks (with W. Curtis Preston of Druva)
https://trustarc.com/resource/spp-s3-ep22/
Thu, 14 Jul 2022 19:55:00 +0000

Data Inventory and Mapping to Support Privacy Compliance
https://trustarc.com/resource/data-inventory-mapping-compliance/
Tue, 05 Jul 2022 20:51:00 +0000
Articles

Data Inventory and Mapping to Support Privacy Compliance

Annie Greenley-Giudici

Improve Privacy Compliance with Data Mapping

Any business that collects data needs to ensure its privacy compliance is right.

But if you don’t know the type of data you collect and how it’s shared, processed, and stored, it is hard to know if your organization’s use of data is compliant with privacy rules – let alone have the right answers for audits or individual data subject access requests.

One of the most important steps to designing and building a privacy compliance program is to build a data inventory. Begin by mapping all the personal data processing activities within your organization.

Data Mapping is About Matching Information for Easier Management

Most organizations collect more data than they know what to do with. If your business wants to get more value from the data it collects – and meet privacy compliance – you need to know more about where this information is managed:

  • Find all sources of data – Find out every source of data your business has access to – internally and externally – and identify what information is held in each database
  • Map the flow of data – Once you know all the different data sources, you can create data flow maps of all the processes and systems the data moves through. Where it starts, all the points it is processed and analyzed, and where it is stored. Multiple versions of similar data are likely stored in multiple locations
  • Match similar information – The data mapping process focuses on matching fields in different databases, making it easier to combine this information into a central inventory for better management
  • Build and manage a central data inventory – When you have reliable data flow maps and data mapping processes set up, you can migrate and integrate valuable data into a central inventory for better management.

Privacy Compliance Relies on Good Data Management

Data mapping is not a once-a-year process – it needs to be done regularly so your organization’s data inventory records are accurate and up-to-date.

As privacy and data protection regulations expand, organizations need to show how they reduce and manage risk. So it’s important you can find the right information in your data inventory on demand.

For example, risk management and compliance reporting for the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) will rely heavily on a comprehensive data inventory.

Likewise, organizations need fast access to accurate and current personal data they hold to properly answer data subject access requests.

Data Inventory Needs to be a ‘Living Record’

Once your organization’s data processing flows have been recorded and reviewed for risk, you can make better-informed decisions about where to invest resources based on where the highest risk lies.

While the word ‘inventory’ might suggest a static list at a point in time, a data inventory for privacy compliance should be a ‘living record’ of how personal data moves throughout your organization’s systems and business processes – and changes over time.

Automated Data Mapping Streamlines Management and Compliance

There are three main ways you can handle data mapping in your organization:

  1. Manual data mapping – have your data professionals create templates and write code for processes to connect and document all data sources to the central data inventory. It can be very hands-on and time-consuming, tying up your data team – and they’ll need excellent coding skills.
  2. Semi-automated data mapping – use a tool for data mapping (or ‘schema mapping’) to find and create connections between data sources and target schema at the heart of your central data inventory; then have your data professionals check the work done by the tool and manually adjust or fix it. Potentially resource-intensive, this approach relies on data professionals with solid coding skills.
  3. Automated data mapping – use a fully automated data mapping platform to do all the heavy lifting, such as integrating, migrating and organizing data in a central inventory. The platform will include tools for people who aren’t data professionals so they can map data and schedule regular updates to capture changes. This approach streamlines multiple processes by automating them, and makes reporting easier, especially for data privacy compliance.

5 Best Practices for Building a Data Inventory

TrustArc’s privacy experts have helped many businesses get up to speed with data mapping, privacy compliance and managing their data inventory.

Here are the experts’ recommended best practices for building a data inventory:

  1. Design a scalable data inventory – Remember all data inventories need to be updated regularly, so designing a scalable and repeatable process up front can save time and cost later
  2. Train data management subject matter experts – Even if your organization takes the fully automated approach to data mapping and inventory management, it is important to train team members so they understand any compliance requirements driving the data inventory, and what to expect from the process
  3. Launch a pilot program – Start small with one functional area or region so your organization can learn from a more controllable experience, learn ways to improve data management and build on that knowledge and experience to expand into other parts of the business
  4. Think outside the (server) box – Remember data can flow in a variety of ways and media. Don’t forget to capture records from printed copies of documents, video files, tape recordings and other non-electronic formats
  5. Track all data mapping tasks – A data inventory is a powerful tool that will not only meet some compliance requirements directly, but also help in other important activities such as:
     • incident response
     • individual rights requests
     • assessing risks and triggers for data protection impact assessments
     • identifying and solving cross-border data flow issues (including customizing security and privacy protections as needed)

Help your organization with data mapping privacy compliance

TrustArc understands the challenges organizations face with data mapping, including creating and building a data inventory and data flow maps that support privacy compliance.

We’re here to help you solve these challenges by making the work of data management easier.
