One of the most important steps to design and build a data privacy program is to create an inventory of all of the personal data processing activities within your company. If you don’t know the type of data you collect and how it’s shared, processed and stored, it is difficult to know if you are meeting the privacy requirements that impact your business. Without this information, it is also difficult to know where data resides in order to be able to respond to situations where individuals exercise their personal data rights, for example, data subject access requests (DSAR).
And as privacy and data protection regulations expand, companies need to demonstrate how they reduce and manage risk, the importance of building and maintaining a data inventory is an essential first step. The EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two examples of regulations which rely heavily on a comprehensive data inventory to support risk management, compliance reporting and responding to individual rights and DSARs.
Additionally, once the data processing flows have been recorded and assessed for risk, the company can make decisions about where to invest resources based upon where the highest risk lies. While the word “inventory” may imply a static list at a point in time, a data inventory for privacy compliance should be a “living record” that reflects how personal data moves throughout the company’s business processes and changes over time.
As you think about your next steps, the privacy experts at TrustArc have identified five top best practice tips for building a data inventory:
- Design – Remember that data inventories will need to be updated on a regular basis – at least annually if not more frequently – so designing a scalable and repeatable process up front can save time and cost later.
- Train – An informed and engaged set of Subject Matter Experts (SME) cannot be overrated. Training individuals on any compliance requirements driving the data inventory and what to expect from the process is critical.
- Pilot – Begin small with one functional area or region and then learn, revise and expand to other areas.
- Think Outside of the (Server) Box – Remember that data can flow in a variety of ways and media. Do not forget to record printed copies of documents, video files, tape recordings and other non-electronic formats.
- Track Tasks – A data inventory is a powerful tool that will not only meet some compliance requirements directly but also functionally assists in other important activities, like: incident response, individual rights requests, assessing risks and triggers for DPIAS, identifying cross-border data flow issues for resolution and customizing security and privacy protections according to need.
To learn more about how to create and build a data inventory and data flow maps that support compliance with the requirements outlined in GDPR, CCPA and more, read this Solutions Brief. For more information about how TrustArc Data Inventory Hub can help you in this process, contact us today.