Data Inventories: Best Practices & Practical Implementation Tips

An accurate and up-to-date data inventory is the basis of any privacy program. And with the new focus on data under the ISO 27002, we expect to see more organisations generating and relying on data inventories.

What is a Data Inventory?

According to the IAPP’s Glossary, a Data Inventory is:

“Also known as a record of authority, identifies personal data as it moves across various systems and thus how data is shared and organised, and its location. That data is then categorised by subject area, which identifies inconsistent data versions, enabling identification and mitigation of data disparities.” 

In other words, a data inventory identifies and documents what personal data your organisation collects, where you keep it, who has access to it, and how it is stored and protected.

Many privacy laws require data inventories, or something like a data inventory including the GDPR (which requires maintenance of Records of Processing Activities), CCPA, and CPRA.

Other phrases used to describe a ‘data inventory’ are data maps, data flow diagrams, and data registers.

How to Build a Data Inventory

We discussed seven key steps in building a complete data inventory in our earlier blog post about data mapping for privacy management. To summarise:

Step 1: Identify your collection points for personal data.

Step 2: Identify the categories of data you collect.

Step 3: Catalogue where the data is stored.

Step 4: Catalogue the data flows.

Step 5: Document the data’s use (its purpose).

Step 6: Document its lifecycle, including how long the data is retained.

Step 7: Develop detailed maps that document these data flows.

Data Inventories: What Personal Information is Included? 

Personal Information

Of course, the first question before constructing your data inventory is to identify what is personal information.  This may change depending on the jurisdiction, and the definition included in the relevant legislation.

In Australia, the Australian Privacy Act defines personal information as:

“Information or an opinion about an identified individual, or an individual who is reasonably identifiable”. This definition is purposefully vague on exact categories, so it can adapt quickly to changing information-handling practices.

In the EU, the General Data Protection Right (GDPR) defines personal information in a similar way but includes specific references to ‘a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’

California’s privacy law defines personal information as:

“…information that identifies, relates to, or could reasonably be linked with you or your household.’ The definition includes examples such as  ‘name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics.”

Documenting The Collection of Personal Information

At a minimum, you will want to document all the personal information you collect that is covered by laws relevant to your organisation.

This is most easily done by using categories of personal data as a shorthand to cover the different data elements that might be included in different data sets.  For example, your data inventory might include details about:

• Job candidates
• Current employees
• Former employees
• Clients
• Website visitors
• Suppliers.

Best Practices for Developing a Data Inventory

Your data inventory needs to be complete, accurate, and up-to-date. To achieve this, your organisation should:

1. Create a ‘single source of truth’.

While it’s a good practice to loop key personnel in from each department (to ensure your data inventory is accurate), you don’t want to have multiple records. Instead, you should set up a central database to serve as a single source of truth.

2. Document all data on the data inventory.

Privacy laws are changing and expanding in scope rapidly. This matters in practice because personal information that is not explicitly covered today (such as hair colour) may be contemplated by a specific law tomorrow. So, recording and categorising all the data you collect is a good practice.

3. Routinely review data inventory management to identify gaps and friction.

Compiling a data inventory is not a ‘set and forget’ exercise. Your data inventory will need to be regularly reviewed and updated. In fact, any change in your organisation’s data collection processes should trigger a review of the data inventory.

It’s also important that your data inventory maintenance does not cause unnecessary friction. If it’s ‘too hard’ to update it, then it’s very likely that it will not remain accurate. Someone in your organisation should be accountable for reviewing the processes and reducing friction.

Practical Implementation: How to Find and List Data Accurately

There is a growing list of software solutions designed to help your organisation develop an inventory its data. In our experience, implementing data inventory tech is one of the fastest ways to capture and catalogue your data. However, it’s important to remember that there should be human oversight of data inventory programs to ensure they are accurate and complete.

Some of the programs we’ve seen include:

• BigID
• AWS Glue Data Brew
• OneTrust
• ExterroPageFreezer.

Note: This isn’t a recommendation for any of the above programs. We’re simply highlighting that they exist, and are part of the rapidly developing world of privacy technology,

Develop Your Data Inventory with Privacy 108

Privacy 108’s consultants partner with you to promote privacy compliance while reducing friction. We develop comprehensive data inventories and implement technologies to streamline the process of managing the data you collect. Ask us for more information.