Privacy Program Maturity Model

Data Inventory and/or RoPAs

Written by Osano Staff | Sep 30, 2024 10:09:10 PM

Data Inventory and/or Record of Processing Activities

Under the GDPR, this practice is a formalized requirement known as a record of processing activity, or RoPA. While many data privacy laws do not require a RoPA or do not refer to this document in the same way, establishing a catalog of data processing activities across your organization is crucial for a well-functioning data privacy program.

Data inventories and/or RoPAs document all of the collection, storage, processing, and sharing of personal data that your organization conducts. This document enables organizations to gain visibility and control over their data, thereby ensuring that they can effectively protect personal data and meet their regulatory obligations. It also serves as a tool that can help you identify risks (such as the use of new vendors), plan data strategies, and understand the critical dependencies your data ecosystem relies on.

Less Mature

An organization with a data inventory and recordkeeping process at the lower ends of the maturity spectrum will likely:

  • Not have taken any steps to identify and document the personal data they collect and process, or do so only irregularly and without rigor.
  • Lack the ability to say with specificity or certainty what data the organization holds, where it is located, who has access to it, and how it is used.

This can result in difficulties complying with regulatory requirements, responding to data subject requests, and protecting personal data from unauthorized access, disclosure, or misuse.

More Mature

A data inventory and recordkeeping process that has a higher maturity will involve the following:

  • Regular reviews and updates of data inventory records to ensure they remain accurate, comprehensive, and up to date.
  • The creation and maintenance of a centralized data inventory repository that documents all personal data elements, processing activities, legal basis for processing such data (if applicable), storage locations, data flows, and similar information.
  • The definition of data retention policies and procedures to ensure personal data is retained only for as long as necessary.

Important Note

Note that a data inventory can appear to be comprehensive when it, in fact, fails to capture the reality of data processing activities at your organization.

You may be aware of certain data processing activities that you lack clarity on and can take steps to improve your understanding and records of them. However, there may be data processing activities you lack knowledge of entirely and thus won’t know to investigate and record them.

For this reason, a comprehensive data inventory depends on both thorough, proactive investigation and on training your colleagues to self-report new data processing activities.

Recommended Next Steps

Consider the following activities to increase your data inventory and RoPA maturity:

  • Conduct a comprehensive audit to identify all personal data elements, data processing activities, storage locations, and data flows. This could be by way of automated discovery, questionnaires and/or interviews with relevant stakeholders, or a combination of these methods. The key step is ensuring you get accurate and timely information from those knowledgeable about systems, processes, and business needs.
  • Develop a standardized template that can be used to document all personal data elements and their associated processing activities. Ensure there are clear guidelines for documenting and maintaining these records, including the definition of data categories, naming conventions, and metadata standards to ensure that the records are consistent and easily searchable.
  • Establish clear guidelines for data retention and disposal, including data retention policies and procedures that are aligned with regulatory requirements.
  • Train your colleagues on how to report data processing activities, particularly as you onboard new vendors and suppliers and implement changes in your system, as well as on privacy-by-design and data minimization principles to ensure they don’t collect or process more data than is necessary.
  • Regularly review and update data inventory records to ensure they remain accurate and comprehensive.
  • Determine who is responsible for maintaining these records, define an appropriate cadence for reviews, and find ways of scheduling updates.