TrustArc is excited to announce that we have expanded our award-winning privacy platform with enhanced data inventory and mapping capabilities to operationalize global compliance and risk management. Data Inventory Hub, a module of the Trustarc platform, revolutionizes the process for creating and managing a centralized data inventory and data flow maps. The solution helps companies understand how customer and employee data is used and where it resides within the business ecosystem so they can manage privacy and compliance risks for the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Brazil LGPD, and other global requirements.
Both GDPR and CCPA requirements compel businesses to rely on a comprehensive data inventory to support risk management, compliance reporting, and data subject access requests (DSAR). A recent IAPP / TrustArc Survey found that the top two planned privacy technology purchases are for data inventory & mapping and data discovery tools – highlighting the growing need for these capabilities.
Data Inventory Hub is a module of the TrustArc Platform and combines privacy expertise developed over thousands of customer engagements with proven technology and integrations with market-leading data discovery tools to provide a streamlined, easy-to-use solution. The solution enables companies to easily identify and inventory data usage, detect and assess high-risk processing, support DSAR / consumer rights requests, generate compliance reports, maintain audit trails, and much more.
Data Inventory Hub Streamlines Core Privacy Management Functions
- Comprehensive Data Inventory: Build and manage a centralized and detailed data inventory of IT systems, third parties (vendors) and company affiliates across the organization.
- Automated Data Flow Mapping: Automatically generate data flow maps that visually identify where employee and customer data resides and how that data moves through the business ecosystem.
- Actionable Dashboard: Access to customizable dashboard with privacy KPIs, regulatory news feed and Privacy Profile regulatory analysis system.
- Compliance Reporting: Create GDPR Article 30 reports and documentation to support CCPA look back and other internal compliance requirements.
- Collaboration Support: Facilitate collaboration with teams across the company, ensuring that cross-departmental knowledge is incorporated into data inventories.
- Integrations: Integrate with internal and external systems to streamline metadata input and use of existing data inventory information to power privacy program processes and controls.
Data Inventory Hub Integrates with Leading Data Discovery Solutions
Data Inventory Hub can integrate with other IT systems, including data discovery solutions, to streamline metadata input and use of existing data inventory information to power privacy program processes and controls.
“When enterprises automate discovery of sensitive information through AI and machine learning—and map data to subjects for risk visibility and planning—they can operationalize the technical capabilities required for comprehensive data privacy governance,” said Jitesh Ghai, Senior Vice President and General Manager, Data Quality, Security and Governance at Informatica. “At Informatica, we enable organizations to respond to data subject requirements, at scale. Our partnership with TrustArc means that our shared customers are able to use Informatica’s Secure@Source to accelerate populating their TrustArc Data Inventory Hub content to meet today’s complex privacy challenges.”
“There’s often a disconnect between the privacy policies and contracts that have been agreed to on paper and what’s happening with the actual data,” said Kristina Bergman, CEO of Integris Software. “Operationalizing GDPR and CCPA, such that compliance is automated, requires applying privacy processes and controls to a diverse set of data repositories. By taking advantage of the TrustArc Data Inventory Hub, Integris Software enables data inventory in an accurate, continuous and scalable way, ensuring that TrustArc knows exactly what’s in your dataset, not just what the metadata implies.”
“The first step in building a compliant privacy program is to develop a comprehensive inventory of data use. We’re excited to be working with TrustArc to help customers tackle this complex challenge — wedding Sherpa’s powerful data discovery to TrustArc’s data inventory and mapping capabilities,.” said – Kevin Ogrodnik, CEO of, Sherpa Software.
Data Inventory Hub is part of the TrustArc Platform which provides capabilities to manage data inventory and mapping, privacy compliance assessments, vendor risk, cookie consent, DSAR / consumer rights requests and much more. For more information, visit: TrustArc Data Inventory Hub
One of the most important steps to design and build a data privacy program is to create an inventory of all of the personal data processing activities within your company. If you don’t know the type of data you collect and how it’s shared, processed and stored, it is difficult to know if you are meeting the privacy requirements that impact your business. Without this information, it is also difficult to know where data resides in order to be able to respond to situations where individuals exercise their personal data rights, for example, data subject access requests (DSAR).
And as privacy and data protection regulations expand, companies need to demonstrate how they reduce and manage risk, the importance of building and maintaining a data inventory is an essential first step. The EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two examples of regulations which rely heavily on a comprehensive data inventory to support risk management, compliance reporting and responding to individual rights and DSARs.
Additionally, once the data processing flows have been recorded and assessed for risk, the company can make decisions about where to invest resources based upon where the highest risk lies. While the word “inventory” may imply a static list at a point in time, a data inventory for privacy compliance should be a “living record” that reflects how personal data moves throughout the company’s business processes and changes over time.
As you think about your next steps, the privacy experts at TrustArc have identified five top best practice tips for building a data inventory:
- Design – Remember that data inventories will need to be updated on a regular basis – at least annually if not more frequently – so designing a scalable and repeatable process up front can save time and cost later.
- Train – An informed and engaged set of Subject Matter Experts (SME) cannot be overrated. Training individuals on any compliance requirements driving the data inventory and what to expect from the process is critical.
- Pilot – Begin small with one functional area or region and then learn, revise and expand to other areas.
- Think Outside of the (Server) Box – Remember that data can flow in a variety of ways and media. Do not forget to record printed copies of documents, video files, tape recordings and other non-electronic formats.
- Track Tasks – A data inventory is a powerful tool that will not only meet some compliance requirements directly but also functionally assists in other important activities, like: incident response, individual rights requests, assessing risks and triggers for DPIAS, identifying cross-border data flow issues for resolution and customizing security and privacy protections according to need.
To learn more about how to create and build a data inventory and data flow maps that support compliance with the requirements outlined in GDPR, CCPA and more, read this Solutions Brief. For more information about how TrustArc Data Inventory Hub can help you in this process, contact us today.
In partnership with the IAPP, TrustArc recently completed a Survey on Privacy Program Metrics, which looked to establish some baseline metrics by which privacy programs around the world can benchmark themselves. The survey contained 27 questions, including demographic questions, and a total of 496 people took the survey.
Some sample questions we set out to answer with the survey were: How many business processes are organizations mapping? How many reports are they creating in order to comply with Article 30 of the EU’s General Data Protection Regulation? How many privacy or data protection impact assessments are necessary? How many incidents rise to the level of breach reporting? Are people being overwhelmed by subject access requests?
The largest group of respondents works in the U.S. (39 percent), followed by the European Union, excluding the U.K. (32 percent), the U.K. (12 percent), and Canada (8 percent). Respondents were evenly distributed throughout the range of company sizes, with organizations that employ 25,001 people or more representing 25 percent of survey respondents, followed next by organizations that employ 1-250 people (23 percent).
In this 4 part blog post series we will share highlights on the following key takeaways from the report:
- Data inventory is becoming a standard privacy management practice
- DPIAs are the most common type of privacy assessments
- Individual rights / data subject access rights (DSAR) requests impacting most organizations
- Data breach notification requirements impacting larger companies
Key Takeaway #1: Data inventories are becoming a standard privacy management practice crucial to privacy compliance
One of the most important steps to design and build a data privacy program is to create an inventory of all of the business processes within a company. If a company does not know the type of data they collect and how it’s shared, processed and stored; or the data inflows and outflows, it is difficult t o know if they meet the requirements of the privacy frameworks that impact their business. It is also difficult to know where data resides in order to be able to efficiently respond to data subject access requests.
As privacy regulations become broader in scope, requiring companies to demonstrate how they reduce and manage risk, the importance of building and maintaining a data inventory is increasing. The EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two examples of regulations which rely heavily on a comprehensive data inventory to support risk management, compliance reporting and responding to individual rights and data subject access rights requests.
Our survey results showed that 83% of respondents have created a data inventory of their business processing activities, which is a significant increase from the 43% of respondents who reported engaging in routine inventory and mapping exercises two years ago. We also found that 20% of respondents are using specialized data inventory and mapping software, which is up from 10% two years ago.
TrustArc Data Flow Manager
Data Flow Manager, part of the TrustArc Privacy Platform, is a dedicated privacy data mapping system which can help build and manage a data inventory, data flow maps, and compliance reporting such as GDPR Article 30.
Data Flow Manager is based on the business process approach which TrustArc recommends based on extensive experience developing and building GDPR and CCPA compliance programs for companies of all sizes around the world.
Data Flow Manager provides a three-step wizard driven workflow which guides users through the process of entering all of the information required to build a business process record. There is also an option to bulk upload information from an existing data inventory.
Data Flow Manager also offers the TrustArc Intelligence Engine which automatically analyzes a company’s privacy risk based on GDPR high-risk principles. The automation can save up to 75% of the time it would take to analyze the risk manually and is integrated with TrustArc Assessment Manager which provides automation for managing DPIAs, PIAs, and other privacy risk assessments.
Data Flow Manager also provides a streamlined way to generate visual representations of data throughout the lifecycle.
If you would like to learn more about Data Flow Manager, contact us!
To read the full report, download it here.
Now that the GDPR has been in effect for a few months, it is a good time to evaluate your processes and procedures put in place prior to the deadline. Although May 25th has passed, companies still need to be compliant every day after. A fundamental key to staying compliant is introducing a regular review process.
As a reminder, Article 30 requires companies to produce “records of processing activities”, which will allow regulators to see that companies are adhering to the GDPR. With this goal in mind, the records should show why and how the data is being processed.
A data inventory process that focuses on how data is collected and why it is collected will help you adhere to GDPR requirements. Strictly focusing on the data elements themselves may cause a company to overlook important elements. For example, if an online clothing retailer collected a customer’s national identification number, asking why they need this information would likely tell the retailer it is not necessary to collect that information. Having a process in place will help your teams to keep these things in mind.
Having up-to-date business process information will be key to meeting Article 30 compliance reporting requirements because the company must produce the reports upon request from a Data Supervisory Authority. Maintaining up-to-date and accurate information on your organization’s processing will also help to demonstrate accountability that the processing activities are compliant with GDPR. Using an technology solution can help streamline the process of keeping records of business processes up-to-date and can help produce on demand reporting.
Meeting Article 30 requirements may require some companies to shift the way they approach looking at how data exists in their organization. Instead of creating static lists of IT applications, mapping business processes can help explain the “how and why” of a company’s data processing, thereby making Article 30 reporting easier. Recording information necessary for an Article 30 report while building visual maps of how the data moves throughout the organization is an efficient way to keep track of a company’s data flows and better address risk.
Test Your Process
After developing a new process, test that process to ensure it is working. A great way to test your process is by conducting a simulated data breach, with each team member running through his or her role. To respond to the simulated breach, the team will have to identify the data that was breached, which will require finding where it was residing and which processes were affected. These requirements will force the team to see whether information is being kept up-to-date. For example, would the team be able to identify every vendor that had access to that data?
Many companies find processes that use a particular vendor that may not have been documented. Or, even if processes have been documented properly, a company may realize it requires a more granular level of detail. These simulations should be conducted with a regular cadence.
TrustArc Data Flow Manager can streamline the process, saving time, and TrustArc privacy experts can help you develop a process to maintain compliance. To learn about our unique combination of privacy expertise and purpose-built technology, schedule a demo.
31 January 2017
By Hilary Wandall
General Counsel & Chief Data Governance Officer, TRUSTe
Trying to solve a problem, determine the optimal course of action or make a critical decision in the absence of meaningful data not only is frustrating – it can yield undesirable outcomes. It’s like driving without a map or hiking without a compass, let alone precise GPS. Or, like trying to communicate with a friend, whose last name you don’t remember how to spell, without a phone number, email address or Twitter handle.
In recent years, many business leaders have realized that connected devices, systems and sensors are generating more and more data that can be invaluable to making better business decisions. Yet, they still are deciphering how best to leverage all of the data to drive better business decisions. With impending compliance obligations under the GDPR, they may forfeit those data opportunities if they don’t implement solutions that enable ongoing authorized use of those data.
Last month, I blogged that privacy leaders can be business enablers by supporting the business in maximizing net data value in two key ways: (1) partnering with other data leaders in the organization to establish an integrated approach to data governance that enables data benefit and risks to be evaluated in a holistic way, and (2) driving consistent evaluation of the value and costs associated with the acquisition, storage, use and re-use of data.
This month, Mike Hintze and Gary LaFever published a white paper, Meeting Upcoming GDPR Requirements While Maximizing the Full Value of Data Analytics in which they tackle the new frontier of “data protection by default” under Article 25 of the GDPR. The concept of data protection by default permeates the regulation and expands upon traditional notions of data minimization or minimum necessary data to prescribe – subject to fines up to 4% of global revenue – implementation of technical and organizational mechanisms for ensuring that only the specific personal data necessary for each specific processing purpose – whether collection, scope of use, length of storage, or accessibility – actually are processed. Hintze and LaFever present a compelling case for companies to proactively implement a robust technical approach to the GDPR’s data protection by default requirements in order to both maximize data value and minimize compliance risk and liability.
As privacy professionals, we spend countless hours with business teams identifying and classifying data elements, determining the processing purposes and the legal basis for any proposed processing, evaluating data retention periods and proposed data transfers. We create data inventories and data flow maps in order to determine whether data minimization, proportionality and onward transfer requirements are met. We are startled when the hours fly by and our analyses are ongoing, and we recognize that the only way we can support goals like maximizing net data value is to rely on technology to scale our work, make it more efficient and ultimately, more effective. With GDPR’s data protection by default requirements in just 15 months, we can no longer put off plans to implement new technology to help us comply.
Fortunately, Hintze and LaFever present solutions based on a concept of “controlled linkability” that refines data so that it can be used for a range of purposes while preserving privacy and protecting the data from unauthorized processing. Controlled linkability thus facilitates extraction of the full value of data, enabling both GDPR and other regulatory compliance as well broad data utilization. In order for businesses to preserve and enhance the value of their data beyond the next 15 months, however, the time to plan for effective implementation of these technology solutions is NOW.
Since so many businesses rely on big data analytics, as increasingly artificial intelligence, to fuel innovation and growth, it has become essential to know how to ensure compliance in a way that allows your data assets to be utilized. Hintze and LaFever are sharing about their approach today in an IAPP webinar on “Unlocking Big Data Value Under the GDPR” featuring Gwendal Le Grand, the Director of Technology and Innovation of La Commission Nationale de l’Informatique et des Libertés (CNIL). You can learn more at www.anonos.com/bigprivacy.