Making a personal data inventory and data map in the GDPR era

Let’s get this out of the way right off the bat: the EU’s General Data Protection Regulation does not require website owners to compile a personal data inventory. What the GDPR does require is a “record of processing activities,” which accounts for the ways the data collector and data processor handle the processing of personal data, as well as why those materials are processed. While that’s a large task in itself, it doesn’t cover nearly as much ground as a personal data inventory does.

Required or not, putting together a personal data inventory is an excellent idea for any organization that handles personally identifiable information from consumers. Think of it in terms of a retail business: a store that doesn’t keep careful inventory of its stock runs the risk of losing profits, disappointing customers, and possibly even violating regulations.

Considering that data is often considered a form of currency and is more difficult to track than physical products, it just makes sense to keep a complete account of sensitive information that flows through your business. It will come in especially handy when you start compiling your record of processing activities.

What is personal data?

At the highest level, a personal data inventory is exactly what it sounds like: a record of all personally identifiable data housed within your organization and on your website or its affiliates. Putting that into practice takes a bit of effort, though. It’s likely that your organization has more personal data than you’re aware of.

For starters, you’ll need to be clear on what constitutes personal data. Under the GDPR, that term covers a broad amount of information, including any material that could be used to identify an individual by:

• Name
• Location
• Phone number
• Identification number
• Banking information
• IP address

That’s not all, though. The wide reach of the GDPR means that personal data can also include a number of less obvious online identifiers. These “special categories of personal data” defined by Article 9 of the GDPR include information such as:

• Race or ethnic origin
• Political opinions
• Religious or ethical beliefs
• Trade union membership status
• Health status
• Sexual orientation and history
• Genetic or biometric identity

Obviously, that’s a lot of information to sort through. Looked at from that angle, the need for a comprehensive data inventory should be clear.

What goes into a personal data inventory?

One of the first steps in compiling your inventory should be identifying all of the places where personal data lives within your organization. That includes not just your own website, but also any affiliated URLs or third-party services that may have collected user information on your behalf. This is almost certainly too large a task to tackle by hand—even if you manage to find the time and staff to take it on, there’s a very strong chance that some data will slip through the cracks. This is a situation where it likely pays to invest in an automated tool that can scan your domains for all personally identifiable data.

However you choose to handle your search, there are a number of elements that should be included in any thorough data inventory, including:

• Names or titles of data owners (e.g. “Human resources”)
• Types of data (e.g. “Job applicant data”)
• Where to find the data within your system (e.g. “HR Intranet”)
• Data subjects (e.g. “New job applicants”)
• How the data was collected (e.g. “Online employment submissions”)
• How the data is used (e.g. “Demographic research”)
• How long the data will be stored
• Who has access to this data
• Policies for deleting or preserving the data

What is a data map?

Creating a data map is likewise not required by the GDPR, but is an excellent complement to your data inventory. As you gather all of that personal data, it’s beneficial to sort it into a searchable, easy-to-reference format that allows you to quickly identify and locate specific data points. A well-made data map also allows you to track the ways your organization gathers data and how that data flows once it’s in your system. Great data mapping tools exist, or you can start with a simple spreadsheet that includes the following:

• The source of your data
• Why it’s being collected
• Each person or team in your organization that touches it
• Plans for its deletion or retention once the data has served its purpose

For instance, a simple data map for tracking a data subject who applied for a posted position might note the source as “Online application form,” the reason for collection as “Submitted by subject,” the internal flow as “Human resources, marketing research, department manager,” and the disposal plan as “Retain email address for future employment-related contact, delete all other materials.”

Every organization’s needs and processes are different, of course. It may even make sense for individual departments within your organization to maintain their own inventories and maps—a human resources department has a different set of data priorities than a marketing department, for instance. Establishing the right data inventory template for your needs will likely take some trial and error, but once it’s in place, it should be a great asset for keeping your operation organized, mindful, and working towards GDPR compliance.