© 2019 SourceMedia. All rights reserved.

A data inventory is key to maintaining data privacy compliance

As organizations across the globe work to comply with the General Data Protection Regulation, leadership within these organizations understands that compliance can often lead to opportunity under the guise of implementing or revising best practices.

Maintaining a data inventory to meet the obligations within Article 30 related to data-processing records is one such issue. While data mapping and inventories are not specifically called for within the language of the article, building an effective GDPR compliance program based on a comprehensive inventory helps an organization meet GDPR requirements and provides a clear vision for ethical data handling that drives value.

Knowledge is power

Organizations obviously rely on data. This reliance encompasses the nature of doing business in the 21st century. For any organization to thrive and get ahead of the competition, data is a key component.

Whether that data is in the form of structured software systems and vast data lakes or unstructured hardcopy documentation, or a blend of both these examples, organizations must have actionable intelligence based on current, accurate data in order to thrive. Throw in regulatory requirements on data subjects’ rights about the storage, processing, usage, and disposal of personal data, and suddenly the vast amount of disparate information becomes potentially unwieldy.


On a high level, the GDPR requires that organizations maintain records detailing information such as, but not limited to, the following:

  • Description of the categories of data subjects
  • Categories of personal data
  • Categories of personal data recipients, including third-party and third-country
  • Data retention policies
  • Data security policies

For an organization to be compliant with the GDPR, leadership must understand the types of data it possesses. Leadership must also understand how that data is used and shared and have clear policy-level enforcement of all the critical aspects surrounding that data.

An effective starting point is to build a comprehensive data inventory and data map that identify all of the necessary criteria. While this effort can seem to be an arduous endeavor, putting a high-level data inventory in place should be one of the first efforts when working toward compliance.

Such an approach can initially help the organization deal with data-subject access requests and can lead to an overall improvement in data quality over time as it continues to evolve. The upside is that such an effort can help establish ethical data governance, and it can yield valuable business insights as well.

Quality is key

Effective business operations and compliance programs put in place for regulatory purposes around data privacy and protection depend on the data itself and, more importantly, the quality of that data. High-quality data can provide businesses with in-depth views into market trends, improve overall business strategies, and spur innovation, which can lead to a stronger and more profitable organization.

Building and maintaining a comprehensive data inventory can enhance overall data quality and help streamline compliance efforts, which in turn helps reduce risk through the creation of an effective controls framework.

Additionally, identifying potential processes that can be automated creates opportunity for better regulatory reporting in both accuracy and efficiency. Improved accuracy supports improved data security. Clear data maps and inventories can support more effective and proactive security measures that address critical issues, such as which specific business processes the data touches and the related risks of that interaction. Complete data lineage capability is also enabled through data accuracy, allowing for a cohesive approach by audit, security, and compliance groups alike.

Compliance through strategy

As organization leadership works to prepare and implement data retention systems and policies that support efforts to protect data subjects’ rights, it is important to establish a compliance program that meets GDPR and other regulatory requirements and helps to establish the level of transparency that consumers now demand. Creating a data inventory is the key step to begin this effort, and it can provide a true understanding to companies and consumers about how data is collected, stored, and shared.

A recent survey by the International Association of Privacy Professionals notes that more than 50 percent of companies estimate that they are not yet compliant with the GDPR. The first step toward compliance is gaining a true understanding of the current data environment and then establishing a comprehensive data strategy based on that knowledge. Now, not later, is the time for organizations to take full control of their data and data practices.
