Privacy World has been talking about the importance of data inventories for years. Why? Because it is next to impossible to build a compliant privacy and data security program without first doing a data inventory. A data inventory will serve as a roadmap to help a company meet various privacy and security compliance milestones. Yet, completing a data inventory is one of the hardest and most daunting parts of building a privacy program. At least it was for Katy when she was in-house as a Global Data Protection Officer. The alternative to proactively creating a data inventory is trying to hastily create one in the middle of an incident response or while responding to a regulatory demand, which Katy and Shea have seen numerous times helping clients during a crisis. Indeed, a time of turmoil is the worst time to confirm a company’s data processing practices, and we want to help you avoid this worst-case scenario as you work to build out your 2023 privacy and data security compliance action plan.
A decent (note: NOT perfect) data inventory can streamline privacy and data security compliance almost immediately. A data inventory will pinpoint at-risk vendor agreements, highlight out-of-date security measures, detail retention practices, validate consent and opt-out methods, identify other high-risk advertising methods, and clarify exactly how a business is using and sharing the personal and sensitive information it collects. As with any daunting project, building a data inventory is easier to tackle if you break it down into digestible steps, so here are 7 steps to kick-start your data inventory project:
- Start with one business line. Identify a high-risk business line and start there instead of focusing on an entire global organization and getting overwhelmed out of the gate. The marketing department is often a good starting point. Alternatively, a company may identify the business unit that processes the most sensitive personal information in the organization as the first group to investigate.
- Make it personal with collaborative stakeholders. A data inventory is not just a legal or IT project. It is a team project. Using the marketing department as an example, both marketing / business stakeholders and IT professionals with responsibility for maintaining infrastructure relevant to the marketing department should be involved in data inventory workshops. Ask good questions, listen well, and follow up to clarify when you receive vague responses. You will be amazed how much you learn in a conversation. Here are some questions to help get the conversation going:
  - Describe for me what personal and sensitive information you handle in this department.
  - How do you collect this information?
  - How do you share this information with third-party companies and other departments?
  - Do you provide any personal and/or sensitive information to vendors?
  - Talk to me about the databases you use and how they work.
Importantly, do not assume that workshop attendees will understand foundational privacy concepts, such as the definitions of “personal” or “sensitive” information. Often non-privacy professionals will not understand the scope of the information protected under applicable data protection laws.
- Record what you learn. With the various third-party platforms modern organizations typically use, determining the appropriate format and recording information learned can be overwhelming. However, documenting an appropriate data inventory can be accomplished with a simple, low-cost Excel spreadsheet or with a robust third-party software program. What matters is that the solution works for your organization and is sustainable for your business needs. If the right solution is keeping you from starting, then start with an Excel spreadsheet and notepad and just begin the process. You can always filter the information collected into a third-party program once that decision / purchase has been made.
- Operationalize the data inventory. Even with only one business line complete, you can use the data inventory as a tool to build out a broader privacy and security compliance program. For example, appropriate vendor management is a complex task, and the necessity for clear data processing terms has complicated the problem even more. That said, a data inventory will identify various vendors that process personal and sensitive information on behalf of a business line (like the marketing department), and you can simply pull those contracts to review the sufficiency of the data processing terms. If it is a long-standing vendor, there is a high likelihood that the contract contains zero data processing terms. In that case, the agreement should be considered high-risk in the event of a security incident, litigation, or regulatory investigation. But there is a pathway to address this issue immediately: send the high-risk agreement(s) to the procurement and/or legal transaction teams to either re-negotiate to incorporate data processing terms or, at least, get ahead of the issue before any renewal term is triggered.
- Update privacy notices as you go. Keep a working privacy notice draft and update as you learn new facts and data flows. Instead of reflecting on a privacy notice once a year, update it alongside your data inventory process.
- Update written policies as you build your data inventory instead of waiting until you reach the finish line (that may never come). Each completed data inventory will create a clearer pathway to update (or create) a written information security policy, incident response plan, and other important security policies. Build and edit these as you learn.
- Use the “A” word. Yes, Audit is your friend. If you work with an internal audit team, they can be a great resource to help you validate what you are learning through the data inventory process. For example, if the marketing department data inventory identifies certain processing activities that capture consent and/or opt-out, have the Audit team test whether the consent/opt-out is being captured and recorded appropriately. You may be surprised what you learn about consent/opt-out during the reconciliation process. Just because customers are not complaining does not mean the consent/opt-out process is working as it should. If you do not have an internal audit team, we can help.
There you have it. Starting with that one business line will allow you to move through the next six steps in your data inventory project, and it will feel rewarding to make progress towards a more privacy- and security-compliant future. If you need help kick-starting the process, we can do that, too.