An accurate and up-to-date data inventory is the basis of any privacy program. And with the new focus on data under the ISO 27002, we expect to see more organisations generating and relying on data inventories.
According to the IAPP’s Glossary, a Data Inventory is:
“Also known as a record of authority, identifies personal data as it moves across various systems and thus how data is shared and organised, and its location. That data is then categorised by subject area, which identifies inconsistent data versions, enabling identification and mitigation of data disparities.”
In other words, a data inventory identifies and documents what personal data your organisation collects, where you keep it, who has access to it, and how it is stored and protected.
Many privacy laws require data inventories, or something like a data inventory including the GDPR (which requires maintenance of Records of Processing Activities), CCPA, and CPRA.
Other phrases used to describe a ‘data inventory’ are data maps, data flow diagrams, and data registers.
We discussed seven key steps in building a complete data inventory in our earlier blog post about data mapping for privacy management. To summarise:
Step 1: Identify your collection points for personal data.
Step 2: Identify the categories of data you collect.
Step 3: Catalogue where the data is stored.
Step 4: Catalogue the data flows.
Step 5: Document the data’s use (its purpose).
Step 6: Document its lifecycle, including how long the data is retained.
Step 7: Develop detailed maps that document these data flows.
Of course, the first question before constructing your data inventory is to identify what is personal information. This may change depending on the jurisdiction, and the definition included in the relevant legislation.
In Australia, the Australian Privacy Act defines personal information as:
“Information or an opinion about an identified individual, or an individual who is reasonably identifiable”. This definition is purposefully vague on exact categories, so it can adapt quickly to changing information-handling practices.
In the EU, the General Data Protection Right (GDPR) defines personal information in a similar way but includes specific references to ‘a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’
California’s privacy law defines personal information as:
“…information that identifies, relates to, or could reasonably be linked with you or your household.’ The definition includes examples such as ‘name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics.”
At a minimum, you will want to document all the personal information you collect that is covered by laws relevant to your organisation.
This is most easily done by using categories of personal data as a shorthand to cover the different data elements that might be included in different data sets. For example, your data inventory might include details about:
Your data inventory needs to be complete, accurate, and up-to-date. To achieve this, your organisation should:
While it’s a good practice to loop key personnel in from each department (to ensure your data inventory is accurate), you don’t want to have multiple records. Instead, you should set up a central database to serve as a single source of truth.
Privacy laws are changing and expanding in scope rapidly. This matters in practice because personal information that is not explicitly covered today (such as hair colour) may be contemplated by a specific law tomorrow. So, recording and categorising all the data you collect is a good practice.
Compiling a data inventory is not a ‘set and forget’ exercise. Your data inventory will need to be regularly reviewed and updated. In fact, any change in your organisation’s data collection processes should trigger a review of the data inventory.
It’s also important that your data inventory maintenance does not cause unnecessary friction. If it’s ‘too hard’ to update it, then it’s very likely that it will not remain accurate. Someone in your organisation should be accountable for reviewing the processes and reducing friction.
There is a growing list of software solutions designed to help your organisation develop an inventory its data. In our experience, implementing data inventory tech is one of the fastest ways to capture and catalogue your data. However, it’s important to remember that there should be human oversight of data inventory programs to ensure they are accurate and complete.
Some of the programs we’ve seen include:
Note: This isn’t a recommendation for any of the above programs. We’re simply highlighting that they exist, and are part of the rapidly developing world of privacy technology,
Privacy 108’s consultants partner with you to promote privacy compliance while reducing friction. We develop comprehensive data inventories and implement technologies to streamline the process of managing the data you collect. Ask us for more information.
"*" indicates required fields
"*" indicates required fields
Privacy 108 collects your name and email to send you our newsletter. If you do not provide this information, we will be unable to send it to you. We may use third-party service providers (such as email marketing platforms) to distribute our communications. Some providers may store information overseas, including in the United States. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au. You can unsubscribe at any time using the link in our emails or by contacting hello@privacy108.com.au.
