Skip to main content

What is a personal data inventory (PII inventory)?

A personal data inventory is a list of all the personal data (or PII) your company stores. It should include all the personal information you’ve collected about your customers, employees, and others you work with. A good PII inventory will help you review the types of personal data you collect, where you store it, how long you keep it, and who can access it.

Creating a data inventory will help you identify potential risks to data privacy and security and correct them. It will help you comply with data protection regulations like the GDPR. Most importantly, your data inventory makes it easy for you to check on your data regularly to make sure it is safe.

inventory data

GDPR inventory?

Fun fact: GDPR does not require you to create a personal data inventory. It does, however, require you to keep “a record of processing activities” describing how you handle personal data, as well as why you collect and process it.

But the truth is, most companies have no idea how much personal data they store, making it impossible to accurately describe how they process and protect it. This is where creating a data inventory comes in.

Knowing your data is the foundation of compliance. An up-to-date data inventory will help you keep your policies up-to-date — then keep your practices in line with them. With all your personal data laid out in front of you, it is easy to see where your data protection measures may be lacking or inadequate. Check up on yourself regularly to make sure you are really keeping data private.

You may then decide to make some changes. For example, you may shorten your data retention periods or improve your rules about access control. These corrective actions can reduce the risk of data breaches and other privacy violations.

How to inventory personal data

Here is a basic template to inventory personal data. It includes 5 areas you should focus on for data privacy and compliance:

1. Personal data, categories, and risk levels
– Mark/flag all personal data in your storage
– List the types of personal data you collect
– Assign a risk level to sensitive personal data

Are there categories of personal data that you shouldn’t keep or don’t need to keep?

2. Users and access controls
– Find out who has access to high-risk data
– Note the level of access each person has (e.g., owner/viewer/editor).

Do all of those people still need access? Are they trained to protect the data?

3. Data locations
– List the physical location of the personal data
– Check if data is stored in duplicate or in more than one location

Are those locations secure? Are they set up with encryption, access controls, backups, and strong passwords?

4. Data retention
– Check how long you have had the data
– Flag data you have had for over 2-5 years

Does this agree with your data retention policy?

5. Purpose and legal basis
– Check who the data belongs to
– Note what the personal data is used for

Do you have consent or another legal basis for collecting and keeping all the data?

Want to clean up your emails for sensitive information?

With an analysis scan by DataMapper, you can have all Outlook accounts in your company scanned. You will receive key statistics on all (current and former) employees' emails - including information on which emails, employees and processes generate GDPR risk.

Why is it so hard to inventory data?

For most companies, the challenge is finding the time to inventory data. If you inventory your data manually, it can take hours and hours of valuable time. Even if you do manage to comb through all your storage locations and emails searching for personal data, it will be difficult to be sure if you’ve really found everything.

Data inventory options

You have several options for how to gather all this information for your personal data inventory. The best option for you will depend on the size of your organization and the types of data you process.

1. Conduct a manual inventory
This approach is time-consuming. It’s also hard to do it thoroughly. Especially if you store lots of data in multiple locations like most of us. However, it can be an effective way to gain a comprehensive understanding of your data.

2. Engage a third-party service
Hire someone else to conduct the inventory on your behalf. They will then use specialized tools and expertise to identify and document your personal data. This can be costly, and you must select your service with care to make sure it is reputable and trustworthy.

3. Use data inventory software
Data inventory software scans your systems to identify personal data. It can also tell you the types of data, how old it is, and where you store it. Using software is faster and more efficient than a manual inventory and can be cheaper than hiring a third-party service.

We recommend this last option. However, many data discovery tools are designed for large enterprises. They are expensive and require IT support to set up. This often puts such software out of reach for small and medium businesses.

Get our Newsletter!

In our newsletter you get tips and tricks for dealing with privacy management from our founder Sebastian Allerelli.

When you sign up for our newsletter you get a license for one user to ShareSimple, which will give you a secure email in Outlook. This special offer is for new customers only, with a limit of one freebie per company.

DataMapper's personal data inventory

DataMapper was created specifically for SMBs and is a great option because of its low cost and simple no-code setup. It is a browser-based data inventory tool that can classify files into 80 different categories with up to 98% accuracy.

You can start using it on your own in minutes without writing a single line of code. Learn more.

Sebastian Allerelli

Founder & COO at Safe Online
Governance, Risk & Compliance Specialist
Follow me on LinkedIn to get tips on GDPR →