Build A Data Inventory That Benefits Everyone

Ankura

A data inventory is the fundamental building block for an effective privacy program. In its simplest form, a data inventory can be thought of as a matrix which documents 1) what personal data is being collected by the organization, 2) how the organization utilizes the personal data when it is in their environment, 3) how the organization protects the personal data and 4) to where, whom and for what purpose the personal data is transferred.

Article 30 of the General Data Protection Regulation (GDPR) requires organizations to maintain a record of processing activities (ROPA). A ROPA is very similar to a data inventory. A good practice is to build a data inventory so that it is useful for data privacy and other parts of the organization, but still meets the requirements of GDPR Article 30. Additionally, regulators have recently issued guidance that organizations functionally require a data inventory in order to comply with the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA). The California Consumer Privacy Act (CCPA) contains no specific requirement to maintain a data inventory, but given the detailed online privacy notice requirements that the CCPA calls for, it is difficult to imagine maintaining compliance with the CCPA without one.

Building a data inventory is not a simple or one-time task. However, when done thoughtfully, it benefits other functional areas outside of data privacy. It is critical that stakeholders from those functional areas be involved in the requirements gathering phase of the data inventory to ensure the data points relevant to each functional area are collected during execution.

For example, prior to GDPR and CCPA, data inventories were often used by legal departments for early case assessment, i.e., to understand the data their organization held in order to more effectively respond to litigation complaints and regulatory actions. A data inventory in this scenario allows the legal department to quickly assess what repositories hold potentially responsive information and/or what data should be placed on a legal hold.

The aforementioned example was a "nice to have", but now, in the age of data privacy, data inventories are thought of as a requirement for a functioning data privacy program. Common privacy and security frameworks which organizations rely upon, such as the National Institute of Standards and Technology (NIST) Privacy Framework, detail how organizations should identify and document assets and processes which collect, store or use critical information. Today, the data privacy function typically leads the data inventory exercise, although the legal department, cybersecurity team and IT department can still easily benefit from the output with proper planning.

Consider the following functional areas and how a data inventory can benefit each:

  • Data Privacy
    • Privacy notice development
    • Regulatory risk (CCPA, HIPAA, GDPR, etc.)
    • Data flow and mapping
    • Third-party risk management
  • Cybersecurity
    • Risk assessments
    • Access management review
    • Table top exercises / vulnerability scanning
  • Legal
    • Case cost management
    • Early case assessments
    • Legal discovery and hold optimization
  • Data Governance
    • Data scanning and classification
    • Records retention and disposition review
    • Data minimization

Key takeaway

The data privacy team should include other functional areas when developing the data inventory so those areas can benefit from the investment and support in keeping the inventory up to date.
