In the United States companies are not required to inventory the type of data that they maintain, or map where that data flows in (and out) of their organization. That said, knowing the type of data that you collect, where it is being held, with whom it is being shared, and how it is being transferred is a central component of most mature data privacy and data security programs. For example, while the law does not require that companies inventory the data that they collect, federal and state law is being interpreted as requiring that companies use, at a minimum, reasonable and appropriate security to protect certain types of “sensitive” information such as Social Security Numbers. It is difficult for many companies to defend their security practices if they lack confidence as to whether they are collecting sensitive information and, if so, where it is being maintained. As a result, while it is not a legal requirement to conduct a data inventory it is, for many, a de facto step to comply with other legal requirements.
Under the EU Privacy Directive, however, member states were required to impose a requirement on data controllers to keep a register of processing operations, which often functionally amounts to a data inventory.1 As in the United States companies were also required to implement “appropriate technical and organizational measures” to protect personal information.2
The EU’s new General Data Protection Regulation (“GDPR”) does not change the status quo. Most companies are still required to conduct data inventories or rather maintain a record of processing activities.3 This record keeping obligation varies slightly for controllers and processors but both are subject to the law. Data processing records shall for example contain the following information for each processing activity.
- Name and contact for the data controller or processor
- Data Protection Officer, if any
- Purpose of the Processing
- Description of Data Categories and Data Subjects
- Categories of Recipients, including any in non-EU countries
- Data Transfer outside of the EU and documentation of appropriate safeguards
- Data Retention Policy
- General description of technical and organizational measures
The following provides a snapshot of information concerning data maps.
Maintaining a data map was ranked as the number one priority by privacy officers.4
The percentage of companies that identified maintaining a data map as relevant.5
The percentage of companies that have a data map.6
The percentage of companies that have a data map and use it to track the flow of data between systems.7
What you should think about when deciding whether to conduct a data map or a data inventory:
- Which departments within your organization are most likely to have data?
- Who within each department would you need to speak with to find out what data exists?
- Is it more efficient to send the relevant people a questionnaire or to speak with them directly?
- What is the best way to receive information from each person in the organization that collects data so that the information provided can be organized and sorted with information received from others?
- How much time will it take to complete the data map?
What information should you consider including in your data map:
- Does the data relate to individuals that reside in the EU?
- What is the purpose for collecting the data?
- What is the purpose for processing the data?
- What data fields are collected?
- Where is the data stored (g., the building, the server, the logical partition)?
- How is data protected in transit (e., when it is moving)? For example, what, if any, encryption standard is being used?
- How is the data protected at rest (e., while being stored)? For example, what, if any, encryption standard is being used?
- Who has access within the organization to the data?
- Who has access outside of the organization to the data?
- Does the data cross national borders?
- What retention schedule (if any) is applied to the data?