Authored by: K Royal, technology columnist for AccDocket.com, and vice president, associate general counsel of privacy, and compliance/privacy officer at CellTrust Corp.
This article is part of the “This Week in Privacy” series, a new column for in-house counsel who need advice in the privacy and cybersecurity sectors. K Royal is the vice president, associate general counsel of privacy, and compliance/privacy officer at CellTrust Corp. To have your legal privacy questions answered, email firstname.lastname@example.org with “This Week in Privacy” in the subject line.
Q: Why do I need a data inventory? No one in my company actually wants to do it and it’s a lot of work.
A data inventory, once completed, can save you a lot of work in the long run. Once you know where your data is, what data you have, who uses it, and where — and how long — it is kept, then you can streamline a lot of decisions, especially if you also have a data classification. The most common classification is simple: public, private, confidential, and highly sensitive.
Sure, you can get by without a data inventory, but then you have terabytes of data (including paper, backup tapes, etc.) in places that no one knows about or uses. This is a huge risk for a data breach.
Setting up a data inventory simplifies the determination of privacy impact. For example, when a new project, product, or use for data comes along, you know what is classified in what category, where it is, who uses it, and what it is used for.
This is especially beneficial when considering what is shared externally — whether to an active data processor (a vendor who does something with the personal data for you), or to data storage (which is technically still a processor under EU definitions).
A data inventory is also helpful when implementing a large data project, such as replacing an ERP system. It truly saves time and effort on design.
While it is a lot of work on the front end, it’s useful on the back end as well. There are vendors who can help you set it up, but someone must be attuned to keeping it updated.
For further reading about the data security and privacy practices of six companies with global operations, download the ACC primer on "Leading Practices in Privacy and Data Security: Compliance Programs Across the Globe". Organizations featured in this primer describe practices and approaches for working through the matrix of varying and changing requirements across multiple jurisdictions, as well as integrating policies and practices with systems and security features.