We make performing data inventories easy
One of the biggest pieces of staying compliant, simplified and done the right way.
You know you need to be compliant with the General Data Protection Regulation (GDPR). But where are you at with the most important step – data inventories?
There are lots of software and tools out there that are designed to help you with the process. But using them can be tricky if you don’t have guidance or experience. On their own, these tools can fail to identify issues, risks and what requirements you may be missing.
Are you using the software right? Are you asking the right questions? Are you using the information you find to make the right decisions?
You don’t need just another piece of software. You need to identify your risks, conduct your data inventories, and get your privacy plan in place.
Red Clover Advisors’ focus is making data privacy practices simple and straightforward for clients. We assess, develop, implement, and maintain data privacy strategies for clients that bring results without the substantial expense of hiring in-house.
When it comes to your data inventories, we bring a business-forward approach to the table. Our process distills years of industry experience into operational analysis that makes sense for your business now – and in the future.
Conducting data inventories means having the software to do it effectively. We partner with the leading privacy management software, OneTrust, to provide software for your initial six months of the data inventory process. (Already have a vendor that you’re working with? No problem! We’re well versed in data inventory software and can use any system you have in place or have a preference for.)
When you’re designing a privacy program, you need to know what personal data processing activities are taking place in your company. Without that insight, it’s impossible to assess if you’re meeting compliance requirements.
Through our data inventorying process, we track down the information you’ve collected and figure out how it’s stored and what it’s being used for, to establish your data flow. We don't just look at the “what” of personal data – we look at the “why,” “how,” “where,” “when,” and “who” involved. That means:
You’ll also end up with a better understanding of key issues that your business faces.
What data do you need to be collecting in the first place? Collecting and storing data that isn’t being used poses a risk to all companies. We’ll show you information that you might not need to be collecting.
Are we going about collecting data in the best way possible? Data inventories give you the opportunity to review what you're doing and make process improvements. Our business experience means we’ll give you valuable suggestions on how to make it happen.
What does the long-term plan look like? Data inventories aren’t a one-time thing. Businesses shift over time. New services and products are added. Your strategies evolve. Vendors change. You need to know all the ways your company is collecting data throughout all of this – and that you’re continuing to stay compliant.
Our data inventories incorporate Article 30 reports when needed, including all of your third-party vendors and their systems.
What are data inventories?
Data inventories are also known as data mapping, records of processing activities, or Article 30 reports. All of these terms generally refer to the same thing – the personal data you collect, why you collect it, how you store it, where it goes (and who it goes to), and how you record it.
Data inventories are crucial for companies to understand the data they collect. With well-executed data inventories, you can build effective privacy notices and strong policies to support your activities.
When you conduct data inventories, you do more than just map out the data you collect and put it into a spreadsheet. With that information, you get a big-picture view of your data collection activities.
From there, you’ll be able to assess whether or not you need to be collecting the data. With GDPR, collecting too much data or not using the data you have can pose a risk. GDPR requires companies to follow data minimization principles. Reviewing your data will give you insight into whether you’re collecting too much or too little information.
As a general rule, no, there is no U.S. federal law that requires you to complete data inventories. However, to comply with GDPR, companies have to produce records of processing activity under Article 30 – i.e., data inventories.
Legalities aside, though, it’s becoming the industry standard to perform one. It’s next-to-impossible to meet obligations for privacy notices and individual rights requirements under CCPA without one.
What kind of information do I need to collect in data inventories?
Data inventories can seem like a pretty broad task to take on. After all, what you find can shape all areas of your business. But when you take a bird’s eye view of data inventorying, the process can actually be pretty manageable, especially if you treat it like an ongoing process and not just a one-and-doner.
As always, checklists make any job more palatable. Here’s a general one for data inventories under GDPR requirements. The minimum content of data inventories needs to include the following:
Looking for a more detailed guide? We have a useful template to download here. Or contact us to discuss how you can create a custom approach to data inventories.
You said I should collect the minimum amount of data. Why is that?
Collect what you use and use what you collect. That’s the premise of minimum data collection. While this is a core principle of GDPR, it’s also a best practice for businesses designing a strong privacy policy. When you collect the minimum amount of information necessary, you minimize your risks.
We work with several vendors. Does this affect them?
Absolutely. 100%. Yes.
Third-party vendors provide essential services for businesses, helping them expand their services and make the most out of their budgets. However, they can be a weak link in your data security if they don’t take the necessary steps to secure personal information for their clients.
When you conduct data inventories, you assess all aspects of how your customers’ data is handled. That includes looking at your third-party vendors – both existing and potential ones – and assessing them. This is critical for offering your customers true data protection.
You need to ask the tough questions like, “are they taking the necessary steps to maintain compliance with privacy laws?” If not, now is the time to reconsider if they’re the best fit for your business needs.
One of the benefits of a data inventory is that it makes it simple to identify which vendors you need to evaluate, and it often winds up leading to a full vendor management process.
Data inventories are mission-critical for your privacy program. They simply can’t be ignored. But by working with experienced privacy professionals, you can be sure you’re doing them right.
Take your company beyond compliance. Reach out to our team at Red Clover Advisors today to start with your free consultation.