Privacy PowerUp Series #3
Remember playing hide-and-seek as a kid? Building a data inventory is the adult version of that game. Think of yourself, or an employee, as the seeker, trying to locate all the hidden data within your organization.
It might not be as much fun, but the goal is crucial—finding all the personal data that your organization is processing. This includes what personal data your organization collects, uses, publishes, modifies, views, accesses, shares, stores, and, in some cases, sells.
Why create a data inventory?
Creating a data inventory has several benefits, including:
- Identify data flows: Understand the personal data flowing into and out of your organization.
- Classify data: Determine the type, classification, and sensitivity of personal data being processed.
- Assess risks: Provide critical data for your IT or InfoSec team to assess risks associated with the processing and potential exposure of these data.
- Implement controls: Allow your IT and InfoSec teams to implement necessary measures to secure and protect these data throughout their lifecycle.
- Ensure compliance: Comply with privacy laws or regulations such as EU GDPR Article 30 or CCPA Section 1798.130.
Not all regulations require a data inventory, but understanding the types of personal data within your organization necessitates some form of it. Think of it as ensuring no one is left hiding in the game of compliance.
Building a data inventory
Here are the four steps to building a comprehensive data inventory:
Step 1: Stop and plan
Before jumping into data collection, take a moment to plan:
- Define goals: Are you addressing data privacy needs or broader IT/IS requirements?
- Assess current state: What is the current state of maintaining personal data?
- Leverage existing processes: Can existing processes be used, or will new ones need to be created?
- Determine data ownership: Who owns the data, and who is responsible for maintaining it?
- Sustainability: How will the organization keep the data inventory current? Is it sustainable?
Step 2: Build out
Once the planning is complete, start building out the data inventory:
- Identify business activities: Recognize internal and external activities that process personal data.
- Engage data owners and SMEs: Identify and collaborate with data owners or subject matter experts (SMEs).
- Transparency and commitment: Be clear about time commitments and expectations with SMEs and their leadership.
- Collect data:
  - Conduct interviews
  - Distribute surveys
  - Use automated data discovery and scanning tools
- Review and approve: Ensure the completeness of business activities and personal data processing.
- Validate and map: Validate content and develop optional data flow maps to visualize processing activities.
Step 3: Assess risk and remediate
With the data inventory in place, the next step is to assess the risk:
- Risk assessment:
  - Identify high-risk business processes.
  - Determine if personal data crosses international borders.
  - Check for automated scoring or AI use.
  - Identify special categories of data (e.g., ethnicity, religion).
  - Assess medical data, including biometrics.
- Sort by risk:
  - Sort business processes from high to low risk using a risk-based model.
  - Further assess high- and medium-risk activities to reduce inherent risk and establish target residual risk.
- Complete PIAs:
  - Conduct Privacy Impact Assessments (PIAs) with SMEs and data owners.
  - Identify compliance gaps and minimize risk areas.
  - Document assessment activities and results for potential requests by authorities.
Step 4: Publish and demonstrate
The final step is to publish your data inventory:
- Collate findings: Compile the inventory so it can be used organization-wide.
- Software tools: For larger data inventories or dynamic data processing, consider leveraging software tools such as TrustArc’s Data Inventory Hub & Risk Profile.
- Maintain accuracy: Ensure SMEs or business activity owners keep the content current and accurate, as it is important to continuously assess and monitor for privacy risks.
Build a comprehensive data inventory for your organization
Building a data inventory is essential for ensuring data privacy, assessing risks, and complying with regulations. By following these steps, you can ensure that your organization’s data is well-documented, secure, and compliant.
When it comes to your data and vendor management for compliance, it is important to continuously assess and monitor for privacy risks. Use TrustArc’s Data Inventory Hub to automate data mapping and risk management. Out-of-the-box templates and automated workflows help you continuously govern and generate ROPAs and Assessments to minimize your risk.
Continue mastering the privacy essentials by reviewing all the resources in the Privacy PowerUp series.