What is a personal data inventory?
A personal data inventory is a list of all the personal data your company stores. It should include all the personal information you’ve collected about your customers, employees, and others you work with. A good PII inventory will help you review the types of personal data you collect, where you store it, how long you keep it, and who can access it.
Creating a data inventory will help you to ensure responsible processing of personal data, and thus help you to comply with data protection regulations like the GDPR. Most importantly, your data inventory makes it easy for you to check on your data regularly to make sure it is safe.
GDPR and personal data inventory
Fun fact: GDPR does not require you to create a personal data inventory. It does, however, require you to keep “a record of processing activities” describing how you handle personal data, as well as why you collect and process it.
But the truth is, most companies have no idea how much personal data they store, making it impossible to accurately describe how they process and protect it. This is where creating a data inventory comes in.
Knowing your data is the foundation of compliance. An up-to-date data inventory will help you keep your policies up-to-date — then keep your practices in line with them. With all your personal data laid out in front of you, it is easy to see where your data protection measures may be lacking or inadequate. Check up on yourself regularly to make sure you are really keeping data private.
You may then decide to make some changes. For example, you may shorten your data retention periods or improve your rules about access control. These corrective actions can reduce the risk of data breaches and other privacy violations.
How to inventory personal data
Here is a basic template to inventory personal data. It includes 5 areas you should focus on for data privacy and compliance:
1. Personal data, categories, and risk levels
– Mark/flag all personal data in your storage
– List the types of personal data you collect
– Assign a risk level to sensitive personal data
Are there categories of personal data that you shouldn’t keep or don’t need to keep?
2. Users and access controls
– Find out who has access to high-risk data
– Note the level of access each person has (e.g., owner/viewer/editor).
Do all of those people still need access? Are they trained to protect the data?
3. Data locations
– List the physical location of the personal data
– Check if data is stored in duplicate or in more than one location
Are those locations secure? Are they set up with encryption, access controls, backups, and strong passwords?
4. Data retention
– Check how long you have had the data
– Flag data you have had for over 2-5 years
Does this agree with your data retention policy?
5. Purpose and legal basis
– Check who the data belongs to
– Note what the personal data is used for
Do you have consent or another legal basis for collecting and keeping all the data?
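As an added example (not code from this page or from DataMapper), the script below builds a small inventory record for each file that covers the five areas above: it detects a few personal-data categories and assigns a risk level (area 1), resolves who has access through a longest-prefix ACL lookup (area 2), hashes content to spot copies stored in more than one location (area 3), and flags data held longer than a retention threshold (area 4). The detector patterns, risk levels, the 2-year threshold, the sample files and the ACL table are all constructed assumptions for illustration; the purpose and legal basis of area 5 cannot be inferred from file contents and would be recorded by hand.

```python
"""Minimal personal-data inventory builder (added example, not DataMapper's code)."""
import hashlib
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Category detectors with an assumed risk level; health data is a GDPR special category.
# The patterns are deliberately simple and are assumptions, not a legal classification.
DETECTORS = {
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "low"),
    "phone": (re.compile(r"\+\d[\d ()-]{7,}\d\b"), "low"),  # international format only (assumption)
    "card_number": (re.compile(r"\b(?:\d[ -]?){13,19}\b"), "high"),
    "health": (re.compile(r"\b(diagnosis|sick leave|medication)\b", re.I), "high"),
}
RISK_ORDER = {"none": 0, "low": 1, "high": 2}
RETENTION_LIMIT_DAYS = 2 * 365  # start of the page's 2-5 year flag window (assumption)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop false positives on card-number matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str):
    """Return (categories found, highest risk level) for one piece of content."""
    found, risk = [], "none"
    for name, (pattern, level) in DETECTORS.items():
        hits = pattern.findall(text)
        if name == "card_number":
            hits = [h for h in hits if luhn_ok(re.sub(r"\D", "", h))]
        if hits:
            found.append(name)
            if RISK_ORDER[level] > RISK_ORDER[risk]:
                risk = level
    return found, risk


@dataclass
class Record:
    location: str
    categories: list
    risk: str
    age_days: int
    retention_flag: bool
    duplicate_of: Optional[str]
    access: list


def access_for(path: str, acl: dict) -> list:
    """Longest-prefix match of a storage path against the (constructed) ACL table."""
    best = max((p for p in acl if path.startswith(p)), key=len, default=None)
    return list(acl[best]) if best else []


def build_inventory(files: dict, acl: dict, today: date) -> list:
    """files maps location -> (content, last-modified date); returns one Record per file."""
    seen = {}  # content hash -> first location, to spot copies kept in several places
    records = []
    for path, (content, modified) in files.items():
        digest = hashlib.sha256(content.encode()).hexdigest()
        categories, risk = classify(content)
        age = (today - modified).days
        records.append(Record(
            location=path, categories=categories, risk=risk, age_days=age,
            retention_flag=bool(categories) and age > RETENTION_LIMIT_DAYS,
            duplicate_of=seen.get(digest), access=access_for(path, acl)))
        seen.setdefault(digest, path)
    return records


def high_risk_access(records: list) -> list:
    """Everyone who can reach at least one high-risk item (area 2 of the template)."""
    return sorted({who for r in records if r.risk == "high" for who in r.access})


# Constructed sample data: in-memory "files" with a last-modified date, and an ACL table.
ABSENCE_NOTE = "Bob Jensen, sick leave from 2019-03-01, contact bob@example.com"
SAMPLE_FILES = {
    "shared/hr/absence-2019.txt": (ABSENCE_NOTE, date(2019, 3, 4)),
    "mail/alice/inbox/refund.eml": ("Refund card 4111 1111 1111 1111, call +45 12 34 56 78", date(2024, 2, 10)),
    "mail/alice/archive/absence-copy.txt": (ABSENCE_NOTE, date(2021, 1, 1)),
    "shared/marketing/plan.txt": ("Q3 campaign plan, no personal data", date(2024, 5, 1)),
}
SAMPLE_ACL = {
    "shared/": ["all-staff:viewer"],
    "shared/hr/": ["hr-team:editor", "alice:owner"],
    "mail/alice/": ["alice:owner"],
}

if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_FILES, SAMPLE_ACL, date(2024, 6, 1))
    for rec in inventory:
        print(rec)
    print("access to high-risk data:", high_risk_access(inventory))
```

Run as-is, the script reports the HR absence note and its copy in Alice's mail archive as high-risk items past the retention threshold, marks the copy as a duplicate of the original, and lists both the HR team and Alice as having access to high-risk data. Replacing the in-memory dictionary with a directory walk and real file modification times turns it into a starting point for a manual inventory.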
Start your GDPR cleanup where it is needed the most
Sensitive data tends to accumulate in employees' e-mails. With a GDPR Risk Scan from DataMapper, you get a report that shows any potential GDPR risks in the company's e-mails.
Why is it so hard to inventory data?
For most companies, the challenge is finding the time to inventory data. If you inventory your data manually, it can take hours and hours of valuable time. Even if you do manage to comb through all your storage locations and emails searching for personal data, it will be difficult to be sure if you’ve really found everything.
Data inventory options
You have several options for how to gather all this information for your personal data inventory. The best option for you will depend on the size of your organisation and the types of data you process.
1. Conduct a manual inventory
This approach is time-consuming, and it is hard to do thoroughly, especially if, like most of us, you store lots of data in multiple locations. However, it can be an effective way to gain a comprehensive understanding of your data.
2. Engage a third-party service
Hire someone else to conduct the inventory on your behalf. They will then use specialised tools and expertise to identify and document your personal data. This can be costly, and you must select your service with care to make sure it is reputable and trustworthy.
3. Use data inventory software
Data inventory software scans your systems to identify personal data. It can also tell you the types of data, how old it is, and where you store it. Using software is faster and more efficient than a manual inventory and can be cheaper than hiring a third-party service.
We recommend this last option. However, many data discovery tools are designed for large enterprises. They are expensive and require IT support to set up. This often puts such software out of reach for small and medium businesses.
Get our Newsletter!
In our newsletter you get tips and tricks for dealing with privacy management from our founder Sebastian Allerelli.
When you sign up for our newsletter you get a license for one user to ShareSimple, which will give you a secure email in Outlook. This special offer is for new customers only, with a limit of one freebie per company.
The smart way to make an inventory of your personal data
Created specifically for smaller businesses, our DataMapper is a great option for getting an overview of your data due to its low cost and no-coding setup. DataMapper is a Data Discovery tool that runs via your browser. Using artificial intelligence and machine learning algorithms, DataMapper identifies personal data and classifies files into 80 different categories with up to 98% accuracy. It will be much easier and faster to make an inventory of personal data in your company.
Sebastian Allerelli
Founder & COO at Safe Online
Governance, Risk & Compliance Specialist
Follow me on LinkedIn to get tips on GDPR →