Ever since the European Union passed the General Data Protection Regulation (GDPR) in 2016, businesses have had to overhaul the way they collect, process, store, and share the personal data they collect from customers.
One of the biggest changes the GDPR popularized with data management programs has been the practice of building a data inventory. A data inventory is a comprehensive catalog of all the data assets a company holds. It’s a single source of truth, detailing crucial information like:
- How and what data is collected
- Who uses it and why
- Who it is shared with
- Where it’s stored
- How it’s protected
And it’s a compliance obligation under the GDPR.
Now, not all data privacy laws mandate a data inventory, but it’s now considered a privacy best practice. Even if you aren’t legally required to complete one, you may sort of be required to do it.
What do we mean by that? Current US privacy laws (CCPA/CPRA, VCDPA, CTDP, CPA, UCPA) don’t technically require a data inventory quite like GDPR. Still, they do require other privacy measures like demonstrating a business purpose for data and practicing data minimization. And those require…you guessed it! A data inventory.
But a data inventory is much more than an item on a regulatory checklist. A data inventory will make your privacy program more effective and agile—and it will save you time and money in the long run. If you haven’t done a data inventory yet, here are four steps you can take to build a data inventory for your organization:
Creating an accurate data inventory that is responsive and meets compliance obligations requires buy-in from and accountability for all stakeholders. A multidisciplinary, cross-functional group managing your data inventory ensures the resulting processes aren’t unnecessarily complicated. It also increases the likelihood of widespread adoption.
A data inventory details the complete journey that each data record takes through your system. It should look at:
- What type of data you’re collecting
- Why you need it
- Where and how the data is entering your system
- Whether your sources and assets line up with privacy notices
We find the best approach to conducting a data inventory is taking a business process approach. For example, consider email marketing and digital analytics as two different processes. Order placement, order fulfillment, and customer support are often documented individually, as are accounts receivable and accounts payable.
For HR processes, document recruiting separate from onboarding and benefits When taking a business process approach first, you will be able to understand what kind of individual (in GDPR speak, they are called Data Subjects that we describe below: customer, prospect, employee, etc.) provided the information, for what purpose, and also the specific data provided and where it’s stored and shared.
Then you can use this data to create your internal policies and ensure they align with your external privacy notice.
These are the kinds of people you collect data from, including:
Some companies have special categories such as users, subscribers, travelers, patients, teachers, students, and parents. You might have multiple types of data subjects for a single process. For example, you might have email marketing campaigns to customers and prospects.
When starting a data inventory, you need to identify all the places your teams are pulling consumer data from, including:
- Web forms on your site
- Preference centers
- Social media inputs
- Email tracking
- Marketing outreach
- Purchase and sales records
- Electronic from other systems (often via API)
- Third-party sources (data brokers, partner companies, public information aggregators, etc.)
Some sources, like proprietary web forms and preference centers, give you data straight from your customer, making it more reliable for important decision-making processes. Does the customer provide it directly to you, or do you receive it via an API from another system?
Third-party sources, on the other hand, usually have higher percentages of fake, inaccurate, or outdated information.
But remember: data doesn’t just come from marketing. You need to take a cross-functional, organization-wide view of your data sources.
Marketing activities are heavily tied to personal information—but it doesn’t have an exclusive domain over it. A great deal of data moves through your departments, and it should all be incorporated into your data inventory. Some examples include:
- Human Resources
- Vacation/time off
- Orders and fulfillment
- Online orders
- Order fulfillment
- Customer support
- Accounts payable and receivable
- Corporate card and employee expenses
- Credits and collections
- Tax processes
In short, a comprehensive, cross-departmental data inventory is crucial for making truly informed decisions.
Knowing where your data comes from is critical to ensure you are:
- Obtaining the correct type of consent for each user and data type
Certain users (minors, for example) and categories of sensitive personal information (such as SSN, race, gender, sexual orientation, birthdate, medical history, political/religious affiliation, etc.) have special protections.
- Using data for the stated collection purpose
If you only told them you were collecting their email so you could send them a discount code on their birthday, you can’t send them your monthly newsletter just because you have their email. Knowing how and why you’ve got their email address (or phone number, or social handles, or home address) will help you understand what consents you’ve obtained for using it.
Here’s a hot tip for you: most companies will not be able to build a data inventory without some help. An off-the-shelf privacy software solution usually cannot create an accurate data inventory without input from an expert. A privacy consultant can help you customize and optimize your privacy platform to capture the information you need.
Where your data comes from and what kind of data you have is only part of the picture. You need to know what happens to it once it’s in your hands. Your data will end up in an asset (such as a file, spreadsheet, a proprietary application, your laptop, etc.) or with a vendor (a third-party vendor, such as Dropbox, Hubspot, Shopify, Salesforce, LinkedIn, security provider—there are innumerable types of vendors out there.)
You know what you have and where it came from. Now, why do you have it? Your data inventory should walk through your data and document why your business needs to process that data.
These discussions can be highly nuanced, and they are impacted by whichever privacy regulations you are obligated to follow. For example, under GDPR, you need to document the legal basis of which there are six, which we have listed below. Note there are only a few exceptions to needing to comply under one of these:
- Legitimate interest
- Vital interest
- Legal requirement
- Public interest
Having the best data inventory process in the world won’t protect you from financial and reputational harm if the data you own is exposed through the poor policies of your data processors.
Once you have your data inventory in place, you will know which vendors you share data with and which ones you need to have agreements and evaluations for. You will want to do business only with vendors who can comply with applicable privacy laws and the privacy standards you set for your business. If they don’t, or if they can’t, answer your questions, you need to renegotiate your terms or find a new vendor.
Data management, privacy, and security is a journey, not a destination. It’s a process that constantly needs to be reviewed and updated to match both real-world use cases and the changing privacy landscape.
A data inventory is a snapshot in time—data constantly moves through a lifecycle. Just because your data was used for one purpose last January doesn’t mean that October’s activities are the same. It’s essential to work with the business owners in marketing, product, HR, and other team members to keep updated on data-related changes. At a minimum, a data inventory should be updated annually to capture the business changes.
Knowing where the data is doesn’t mean that data is secure. A good data inventory will show you where your data is at risk for exposure from both internal error and external bad actors.
A few tips:
- Limiting access internally to the least amount of data needed for any specific job cuts your risk of a breach.
- Setting expiration dates on stored data will cut your storage costs and keep your database from getting bloated with bad information.
- Using what you learn from the initial data inventory to build your maintenance processes will reduce your workload and cost in the long run.
This last point—using what you learn from your data inventory—is salient across the board. Your data inventory is an end-to-end opportunity to understand precisely what you are doing with your data and how you can do it better.
Understanding your data with a data inventory is a basic, fundamental part of modern digital privacy for any business. But the basics are fundamental because they work.
Whether you have legal compliance obligations or not, a data inventory is a great way to improve the quality and usability of your dataset. It also can help you build valuable trust with your customers that you’re expending maximum effort to protect their privacy.