How to Do an Effective Data Inventory

A Guide to Effective Data Inventory

Data inventories are just good business. 

Companies need to understand their data, where it’s stored, how it’s used, and how it’s shared internally or externally. Not just because you need another project for your IT team (trust us, they have enough projects already). 

Effective data inventories are important because:

  1. They’re critical to compliance. Per the EU’s General Data Protection Regulation (GDPR), companies have to track the data they collect and monitor how that data is used, stored, and shared. For U.S. state laws, even though it’s not specifically written into the law that you must complete a data inventory, it can be next to impossible to stay compliant without one.
  2. They provide a bird’s eye view. Where is your data vulnerable? How is the data being used? What type of sensitive data is collected? What type of data is being collected? Where are you duplicating efforts? What is a legal liability or potential risk? How exposed are you to a data breach? These are all questions with significant business implications, and if you don’t have a data inventory, then you’re setting your team up for major problems down the road.
  3. It’s an important resource. Businesses use the data they collect for many different reasons. But if you can’t definitively understand the state of your data, then you’re not fully utilizing your business’s resources. 

Data inventories are necessary for every business, but the process of carrying them out can seem intimidating. So let’s break it down into more manageable parts. 

What is a data inventory?

A data inventory, also called a data mapping, ultimately documents a record of data processing activities: what personal data you collect, why you collect it, how it’s stored, where it goes, who has access to it, and how you track it over time. 

Data inventories are necessary for companies to understand: 

  • The data they collect, use, store, and share
  • What type of data they’ve collected
  • Who they’ve collected data from (often called data subjects like employees, customers, prospects, applicants, etc.)
  • Whether the data falls into any sensitive categories or is the data collected from children
  • Whether consent is obtained during the process
  • Is the data sold and shared with third parties and what they do with the data

But data inventories do more than document your data activities and stash them in a spreadsheet that you never touch again. With a thorough and effective data inventory, businesses get a big-picture view of their data collection activities and how they can improve efforts regarding risk mitigation, operational efficiency, and consumer trust. 

A word on “data inventory” vs. “data mapping”

While the terms “data inventory” and “data mapping” are often used interchangeably, the reality is that there are nuances that should be considered. 

  • Data inventory: a comprehensive list of an organization’s data assets, along with information about the type of data, the purpose for collecting it, where it is stored, who owns the data, and who has access to it
  • Data mapping: a visual representation of how data flows through an organization’s systems that helps identify bottlenecks and risks for data loss or exposure

Data inventories and legal requirements: the short and sweet version

There are a few different legal requirements related to data inventories. Even if some regulations don’t explicitly require a data inventory, the impact of these laws significantly increase the liability of companies that don’t maintain an adequate data inventory. 

The EU’s GDPR is one regulation that does explicitly require a data inventory. Article 30 of the GDPR mandates that companies “shall maintain a record of processing activities under its responsibility.” These records must include:

  • Who is responsible for your company’s data collection
  • Why you collect personal data
  • What categories of data you collect 
  • Who you collect data from 
  • How you transfer data 
  • Where you store data (it has to be in a GDPR-approved server)
  • How long you keep someone’s personal data 
  • How you provide reasonable security measures to protect the data you collect 

It’s worth noting that even if your business is headquartered in the United States, if you collect data from any EU resident, then the GDPR applies to you. There are no exceptions for small businesses. And if you are found in violation of the GDPR, the resulting fines can be… substantial (just look at Meta). 

But even if you don’t collect data from any EU citizen, many U.S. state laws carry provisions that are difficult to meet without an effective data inventory. Companies that collect personal data from citizens of those states may be subject to impact assessments (aka data privacy audits) under laws like:

  • California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA)
  • Colorado Privacy Act (CPA)
  • Virginia Consumer Data Protection Act (VCDPA)
  • Utah Consumer Privacy Act (UCPA)
  • Connecticut Data Privacy Act (CTDPA)
  • Iowa Consumer Data Protection Act (ICDPA)
  • Texas Data Privacy & Security Act (TDPSA)
  • Montana Consumer Data Privacy Act
  • Tennessee Information Protection Act 
  • Indiana Consumer Data Protection Act
  • Oregon Consumer Privacy Act (passed as of June 2023)
  • Delaware Personal Data Privacy Act (DDPA) passed as of June 2023

So unless your business can afford to be caught with its proverbial pants down, a data inventory isn’t just a “nice to have” resource. It’s a “must-have” risk assessment and mitigation procedure. 

Data inventories and the need for data minimization

Data minimization is required under some US privacy regulations, as well as GDPR, and with new state privacy laws coming into effect every year, it’s safe to assume that more states will adopt this requirement in the future. 

Data minimization is the idea that companies only collect what you need to use (and that you already have a goal in mind for the data you collect—not saving it for a rainy day). The data you process should be adequate, relevant, and limited to preexisting company goals, especially for data considered “sensitive personal data” such as: 

  • Gender
  • Race
  • Mental or physical health data
  • Religious views
  • Citizenship or immigration status data 
  • Genetic or biometric data 
  • Geolocation data

Sensitive data categories may vary between US privacy regulations. For example, CCPA as amended by CPRA, considered social security numbers and financial information to be sensitive data.  

Data minimization is also one of the best ways to build and maintain a manageable data inventory. After all, the more data you collect, the more you have to track. Sticking to the necessary information can make the data inventory process much more manageable. 

What should be included in your data inventory?

Data inventories can seem overwhelming, but the basics can be divided into a few categories of information. 

At a minimum, data inventories should include:

  • What types of data you collect (name, address, phone number, username, password, location, etc.)
  • How you collect data (website cookies, online forms, etc.)
  • Where, how, and how long you store data (Do you store data in the cloud, or on an in-house server? Where is your server located?)
  • How you use data (marketing personalization, analytics, etc.)
  • Name and contact information of controllers and processors
  • Who the data is shared with (third parties like agencies, contractors, vendors, partners)
  • Data subjects (employees, applicants, customers, prospects, etc.)
  • A general description of technical and organizational security measures
  • If (and how) you transfer personal data to other countries or international organizations, as well as documentation proving the transfer is for legitimate purposes

If you need help keeping track of everything, use a data inventory template as a starting point. 

The fundamentals of building a data inventory

An effective data inventory requires a multi-pronged approach. Here are our tips for an effective data inventory. 

Build your inventory at the business-process level

Data inventories should be geared towards delivering a functional, practical perspective of the data you have, and how to better support that functional POV than structuring your inventory around your business processes. 

After all, business processes are what support your growth and profitability. Organizing your data inventory around them makes it easier to see how data flows through your organization, how and why it’s collected, who gets it, and more. 

What’s more, when you look at a whole system, it can be hard to get the entire picture to come into focus. But when you zoom in to view processes, you get a much clearer picture of the hows and whys of data collection and use. 

Business processes to pay attention to

Business processes vary by company, but common breakdowns include starting at a functional level and then looking at the processes within each. See below for a few examples: 

  • Marketing (email marketing, digital analytics, digital advertising)
  • Accounting (accounts payable and employee reimbursements)
  • Operations (sales orders and shipping)
  • Human resources (recruiting, onboarding, benefits, performance management)
  • Consumer service (chat, inbound support requests)
  • Information technology (employee help tickets, fraud prevention)

Use a cross-functional team

Remember: no one team is not the only party responsible for your data inventory. 

Most likely, your IT team is one of many departments with consumer or employee data knowledge. Effective data inventorying requires a cross-functional team across IT, marketing, customer service, HR, and operations teams. Data privacy is a group activity, not a one-person job. 

Does a cross-functional team sound difficult to get off the ground? Start with scoping sessions where you identify the left-right limits of your data inventory. 

  • Who are the data subjects in scope? 
  • What business processes or functions need to be documented?
  • What are the assets and systems in place?

Once you’ve lined out this information, you’ll be better able to determine how you’re moving forward, what tools you’ll need to leverage, your timeline, and what support you need to complete the project. 

Make sure your data inventory informs your privacy policy and privacy notice

Data inventories don’t exist in a vacuum. They’re intertwined with your company’s internal privacy policy and external privacy notice

  • Internally, your privacy policy should reflect what and how data is captured, used, and stored and explain the rules for how your company will process it
  • Externally, your privacy notice should be kept up to date with your data inventory so it always reflects your most current data collection activities (in clear, user-friendly language, of course)     

Build the solution that works for you

There are plenty of cookie-cutter data inventory templates and software programs online. These resources can be a great place to start, but they shouldn’t be your final data inventory. 

Each business is unique, and using these off-the-shelf templates without customization can increase your company’s liability. Your data inventory must work in conjunction with how your business operates, and because of that, you may need to tailor your data inventory processes. 

For example, many businesses rely on Excel to manually manage their data inventory—and there’s nothing wrong with that if that process best suits your business operations. Other companies may benefit from a fully automated process driven by data inventory software. And another option is the middle of the road: part manual (think interviews or questionnaires) and part automated. 

Instead, ensure your data inventory reflects your company’s data collection activities, legal regulations, and best privacy practices. 

Update your data inventory regularly

Business practices change, and new data privacy laws are enacted yearly. Instead of a “set it and forget it” mentality, make time each year to review and update your data inventory and privacy policy. This practice sets your team up for success, making it much easier to stay compliant year after year.  

But remember: privacy isn’t static, nor is it one-size-fits-all. Anytime you make a significant shift in your company, whether introducing a new product line, launching a new marketing initiative, or expanding into a new region, consider updating your inventory. Depending on how fast your company goes through changes, you may find that a twice-yearly model works well for your needs. 

Assess your vendor management needs

Your data inventory is an opportunity to take stock of your vendors and the data that is exchanged with them. That being said, depending on the scope of your vendor relationships, you may need a separate vendor management strategy—but a data inventory is a smart place to begin. 

As part of your data inventory process, make sure to account for: 

  • All the vendors that have access to data within your system
  • Subprocessors, i.e., your vendor’s vendors, that may have access to your data
  • Whether third-party vendors meet your privacy and security standards
  • Whether any vendors pose risks to your data
  • What third-party vendors are doing with your data

Need a more in-depth vendor management strategy? Check out our Vendor Management Guide to create a process for your business. 

Grab our free data inventory template

A great place to get started on your data inventory journey is by using our free data inventory template.

When in doubt, bring in an expert

Data inventories do not have to be an arduous process, and you don’t have to do it alone. Third-party experts can take the guesswork out of data inventory and help you build a simple, effective plan that works for your business’s unique needs. 

At Red Clover Advisors, we combine data privacy compliance with practical strategies to build effective, sustainable data inventories. Give us a call today to get started.