Since the European Union adopted the General Data Protection Regulation (GDPR) in 2016, companies have had to review the way they collect, process, store and share their customers' personal data.
One of the most significant changes that GDPR has popularized in data management programs is the practice of creating a data inventory. A data inventory is a comprehensive catalog of all data assets owned by a business. It is a single source of truth, detailing crucial information such as:
- How and what data is collected
- Who uses it and why
- Who it is shared with
- Where it is stored
- How it is protected
And it’s a compliance obligation under the GDPR.
Not all data privacy laws mandate a data inventory, but it is now considered a privacy best practice. Even if you are not explicitly required by law to complete one, you may still need to in practice.
What do we mean by that? Current U.S. privacy laws (CCPA/CPRA, VCDPA, CTDPA, CPA, UCPA) do not technically require a data inventory the way the GDPR does. Nonetheless, they require other privacy measures, such as demonstrating a business purpose for the data and practicing data minimization. And these require… you guessed it! A data inventory.
But a data inventory is much more than a regulatory checklist item. A data inventory will make your privacy program more efficient and agile, and save you time and money in the long run. If you haven’t done a data inventory yet, here are four steps you can take to create a data inventory for your organization:
Creating an accurate, responsive, and compliant data inventory requires buy-in and accountability from all stakeholders. A multidisciplinary, cross-functional group that manages your data inventory ensures that the resulting processes are not unnecessarily complicated. It also increases the likelihood of widespread adoption.
A data inventory details the complete journey of each data record in your system. You need to track:
- What type of data you collect
- Why you need it
- Where and how data enters your system
- Whether your sources and assets comply with your privacy notices
We believe that the best approach to performing data inventory is to take a business process approach. For example, consider email marketing and digital analytics as two different processes. Order placement, order fulfillment, and customer support are often individually documented, as are accounts receivable and accounts payable.
For HR processes, document recruitment separately from onboarding and benefits. When you take a business process approach first, you will be able to understand what kinds of individuals provided the information (in GDPR parlance they are called data subjects, which we describe below: customer, prospect, employee, etc.), for what purpose, as well as the specific data provided and where it is stored and shared.
You can then use this data to create your internal policies and ensure they comply with your external privacy notice.
Here are the types of people you collect data from, including:
Some companies have special categories such as users, subscribers, travelers, patients, teachers, students, and parents. You can have multiple types of data subjects for a single process. For example, you can have email marketing campaigns for customers and prospects.
When you start a data inventory, you need to identify all the places where your teams pull consumer data, including:
- Web forms on your site
- Preference Centers
- Social Media Entries
- Email Tracking
- Marketing awareness
- Purchase and sale records
- Electronics from other systems (often via API)
- Third-party sources (data brokers, partner companies, public information aggregators, etc.)
Some sources, such as proprietary web forms and preference centers, provide you with data directly from your customer, making them more reliable for important decision-making processes. Does the client provide it to you directly or do you receive it via an API from another system?
Third-party sources, on the other hand, typically contain higher percentages of false, inaccurate, or outdated information.
But remember: Data doesn’t just come from marketing. You need to take a cross-functional, organization-wide view of your data sources.
Marketing activities are closely tied to personal information, but marketing does not have exclusive ownership of it. A large amount of data passes through your other departments, and it all needs to be integrated into your data inventory. Here are some examples:
- Human resources
- Orders and fulfillment
- Accounts Payable and Accounts Receivable
- Company card and employee expenses
In short, a comprehensive, cross-departmental data inventory is essential to making truly informed decisions.
Knowing where your data comes from is essential to ensure that you are:
- Obtaining the right type of consent for each user and type of data
Certain users (minors, for example) and categories of sensitive personal information (such as SSN, race, gender, sexual orientation, date of birth, medical history, political/religious affiliation, etc.) benefit from special protections.
- Using data for its stated collection purposes
If you only told them you were collecting their email so you could send them a discount code on their birthday, you can’t send them your monthly newsletter just because you have their email. Knowing how and why you have their email address (or phone number, or social IDs, or home address) will help you understand what consents you have obtained to use it.
Here’s a tip for you: Most businesses won’t be able to create a data inventory without help. An out-of-the-box privacy software solution usually cannot create an accurate data inventory without expert intervention. A privacy consultant can help you customize and optimize your privacy platform to capture the information you need.
Where your data comes from and what type of data you have is only part of the picture. You need to know what happens once it’s in your hands. Your data will end up in an asset (such as a file, spreadsheet, proprietary application, your laptop, etc.) or with a provider (a third-party provider such as Dropbox, HubSpot, Shopify, Salesforce, LinkedIn, or a security vendor; there are countless types of vendors).
You know what you have and where it comes from. Now why do you have it? Your data inventory should go through your data and document why your business needs to process that data.
These discussions can be very nuanced, and they are affected by the privacy regulations that you are obligated to follow. For example, under the GDPR, you must document the legal basis for processing. There are six, which we have listed below. Note that there are only a few exceptions to the requirement to meet one of these:
- Consent
- Contract
- Legitimate interest
- Vital interest
- Legal obligation
- Public interest
Having the best data inventory process in the world will not protect you from financial and reputational damage if the data you own is exposed through the inadequate policies of your data processors.
Once you have your data inventory in place, you will know which providers you are sharing data with and which of them require agreements and assessments. You will want to do business only with vendors who can comply with applicable privacy laws and the privacy standards you have set for your business. If they don’t or can’t answer your questions, you need to renegotiate your terms or find a new supplier.
Data management, privacy and security are a journey, not a destination. It’s a process that must constantly be reviewed and updated to match both actual use cases and the changing privacy landscape.
A data inventory is a snapshot in time: data is constantly changing throughout a lifecycle. Just because your data was used for one purpose last January doesn’t mean October’s activities are the same. It’s critical to work with business owners in marketing, product, HR, and other team members to stay on top of data-related changes. At a minimum, a data inventory should be updated annually to capture business changes.
Knowing where the data is does not mean the data is secure. A good data inventory will show you where your data is at risk of being exposed to both internal errors and external bad actors.
Some tips:
- Limiting internal access to the smallest amount of data necessary for a specific task reduces the risk of a breach.
- Setting expiration dates on stored data will reduce your storage costs and prevent your database from being bloated with bad information.
- Using what you learned from the initial data inventory to create your maintenance processes will reduce your workload and costs in the long run.
This last point – using what you learn from your data inventory – is important on all levels. Your data inventory is an end-to-end opportunity to understand precisely what you are doing with your data and how you can do it better.
Understanding your data with a data inventory is a fundamental part of modern digital privacy for any business. But the basics are fundamental because they work.
Whether or not you have legal compliance obligations, a data inventory is a great way to improve the quality and usability of your dataset. It can also help you build valuable trust with your customers by showing that you go to great lengths to protect their privacy.