Why the data inventory is the foundation stone of privacy governance


Scrabble letters spelling out the word foundation arranged in a pyramid shape on a white background

What is it?

UK and EU data protection laws require a ‘record of processing activities’ or ROPA (Article 30 of the GDPR and UK GDPR; the exemption for organisations with fewer than 250 employees is narrow, because it falls away as soon as the processing is more than occasional, is likely to result in risk, or involves special category data). I tend to call it a data inventory. (Frankly you can call it Fred, it’s the content that is important.)

Even if your relevant privacy law doesn’t require it, it’s still worth doing. It’s probably the only one of the new paperwork requirements of GDPR that was a good idea!


Why is it helpful?

Even when it didn’t exist as a formal requirement, it’s hard to see how you could manage compliance without knowing what personal information you had, what you were doing with it and where it was. In fact, GDPR coming into force made a lot of organisations realise they didn’t really know these things and hadn’t really been managing compliance properly at all!

I believe it’s a foundation stone because so many other compliance efforts are built on it. Once you have set out what you have and what you’re doing with it, it’s easy to see where the gaps are, and what your action points need to be. It helps you meet transparency requirements like privacy notices and assigns responsibility across the organisation for different types of personal information.

It is the starting point for other initiatives. Want to review retention? Start by understanding what retention periods you have set, where any gaps are, and then assess the implementation of your retention schedule against what you said in the inventory.

Want to look at third-party or supplier management? Start by identifying all your third parties, what they do for you, where they hold your data and what paperwork you do or don’t have in place. I would always include a list of third parties and this key information in any data inventory.

Want to assess your transfers? The inventory should include where the personal information is and what transfer mechanisms you are using. This helps you not only to understand what transfers you have but also to manage their compliance.

What does it look like?

So how do you create an inventory? There are templates you can use (including from regulators), there are software tools available (at a price) and many organisations just use a spreadsheet. It doesn't matter, it just has to work for you.

What information does it contain?

GDPR has a list of mandated requirements (who the controller is, the purposes of processing, the categories of data subjects and of personal information, the categories of recipients, any transfers outside the UK or EEA and the safeguards relied on, and, where possible, retention periods and a general description of the security measures in place) but, beyond that, include whatever works for you. I have previously added information on whether certain rights do or don’t apply to the data in question, so you can filter the inventory to see what is or is not in scope for a rights request. Many people use the mandated list as their column headings (particularly when using a spreadsheet), but you can present the information any way you like. Some organisations start by listing systems and then focusing on what data is in each system. Some organise their inventory by product or service, some by department or business function.

Keeping it updated

Once done, the next challenge is keeping it up to date. I recommend including information owners in the inventory as they are the people that know the details for the information, system or product in question, and so can keep it updated. This also helps embed data protection compliance across the organisation.

Getting buy-in

Getting your inventory up and running takes time. It requires co-operation and co-ordination from across the organisation, it’s usually seen as onerous paperwork and it’s hard to get people to prioritise it over the other tasks of their job. So if you’re leading on getting it done you need to sell it as the foundation stone, and as a way to make everyone’s lives easier in the long run. You need to find the benefits for each department or team. For example, those who respond to RFPs and diligence questionnaires are always being asked about what data is where. They usually end up repeatedly asking the same people the same questions and everyone gets cross. Having an up-to-date inventory means anyone can find the information they need at any time.

In summary

The data inventory: legally required (in some jurisdictions), a good idea (in all jurisdictions), time-consuming and no-one’s favourite job, but the foundation of your compliance efforts. Just crack on, you won’t regret it.

Photo credit: Brett Jordan from Unsplash.