Data inventories are also known as data mapping, records of processing activities, or Article 30 reports. All of these terms generally refer to the same thing – the personal data you collect, why you collect it, how you store it, where it goes (and who it goes to), and how you record it.
Data inventories are crucial for companies to understand the data they collect. With well-executed data inventories, you can build effective privacy notices and strong policies to support your activities.
When you conduct data inventories, you do more than just map out the data you collect and put it into a spreadsheet. With that information, you get a big-picture view of your data collection activities.
From there, you’ll be able to assess whether or not you need to be collecting the data. With GDPR, collecting too much data or not using the data you have can pose a risk. GDPR requires companies to follow data minimization principles. Reviewing your data will give you insight into whether you’re collecting too much or too little information.
Am I legally required to have data inventories?
As a general rule, no: there is no U.S. federal law that requires you to complete data inventories. However, to comply with GDPR, companies have to produce records of processing activities under Article 30 – i.e., data inventories.
Legalities aside, though, it’s becoming the industry standard to perform one. It’s next to impossible to meet obligations for privacy notices and individual rights requirements under CCPA without one.