95,000 complaints have been filed under the GDPR compliance law.

41,502 data breaches have been reported since it went into effect in May 2018.

And a $57 million dollar fine was levied at Google for failing to follow the mandate.

These are shocking numbers that should underline the fact that just because the deadline for GDPR compliance was a little over a year ago, implementation isn’t over yet.

Nor will it probably ever be.

That’s because parts of the GDPR mandate, including data inventories, aren’t projects to be checked off a list. Instead, they’re processes to be maintained and improved over time.

Your business changes over time. And a lot of time – a whole year – has gone by since GDPR went into effect. You likely added new vendors, collection points and processes. 

All that needs to be captured in your data inventory.

And while it’s time for you to dust off GDPR compliance best practices for all areas of your business, one of the most important is an accurate set of data inventories. 

What Is a Data Inventory?

Data inventory. Data mapping. Records of processing activities. Article 30 report.

If any of these sound familiar, then they all do. That’s because they all refer to the same thing, what GDPR calls a data inventory.

Data inventories help companies understand the data they have from start to finish. It includes all the third-parties the company uses and all the systems on which they rely.

It means that you know what specific pieces of information you’ve collected about each person and exactly where each of those pieces of information are stored. 

Data inventories are critical. 

They significantly influence the way you construct your privacy notice and individual rights process and policy. There’s no way to create these documents when you don’t know what data you have, how it’s being used, and where it’s stored. 

And those are the exact items you need to include in your policies.

Data inventories also advise companies to what information they actually need to be collecting. With GDPR in place, it’s a risk to collect and store data you aren’t using. It’s more of a benefit to only ask for the information you need for operating purposes from users.

Reviewing your data will tell you if you’re collecting too much data versus not enough.

Collecting the Minimum Amount of Data

Data minimization – only collecting the minimum amount of information you need – isn’t just a nice suggestion.

In reality, it’s the basic privacy mantra required by GDPR: Collect only what you need for business purposes.  

What’s the thought process here?

The GDPR believes the more data you have, the higher responsibility of your organization to protect it. In other words, more data = increased risk.

And let’s be honest, no business wants increased risk.

This can bleed into other areas of compliance, too. For example, after completing a data inventory, one company identified the sales team was sending emails manually through Outlook. 

At first glance, it’s no big deal. 

But when you consider this prevents any kind of tracking of data – specifically email opt outs – a picture starts to form about why this process is dangerous.

GDPR absolutely requires automatic opt-outs. Outlook, like all other email clients, doesn’t support this functionality.

The solution to this problem was to move to an email service provider (ESP). This software allows you to segment, send more efficiently, and most importantly in this case, provide a GDPR-compliant unsubscribe option. 

The point isn’t just that you’ll be following GDPR by using an ESP to send all your sales, marketing and customer emails. 

It’s that the company pinpointed this massive shortcoming by executing a data inventory.

Being Smart About Vendor Selection

One of the most underrated and perhaps largely unknown values of doing a data inventory is identifying quality and reliable third-party solutions.

If you choose your vendors out of a hat and hope for the best, you’re not alone.

But hope isn’t a good strategy when choosing a third-party solution. 

After all, these will be the people who act as an extension of your team, who might handle sensitive information and important details. 

Data inventories can help you vet your options.

And they can help you choose the ones who will be compliant with privacy laws.

Conclusion: Data Inventories are Critical to Privacy Compliance

So what’s the big deal with data inventories?

Companies need to maintain quality data inventories to comply not just with GDPR. They’re also helpful for pending laws such as CCPA and others coming down the pipeline. 

All the privacy laws primarily have to do with protecting personal data. And you can’t be compliant if you don’t know what data you collect, store, and use. You also have to consider that there are slightly different definitions of what constitutes “personal data” under different privacy laws, e.g. CCPA.

It can get a little overwhelming.

That’s why we created comprehensive resources in everyday language like the GDPR Checklist & Workbook and the CCPA Compliance Guide. They’re designed to help you tackle these privacy updates in the least amount of time, effort and expense.

And if you need a helping hand when it comes to updating existing data inventories or just getting started with data mapping, schedule a time to talk to one of our experts.