The Basics of Data Privacy

Chapter 1
Data Inventory
For businesses, governments, and pretty much every type of organization, data is everywhere. The size of the digital universe continues to grow—and more organizations are understanding the importance of keeping track of the data they store, where it lives, who has access to it, and who it’s shared with.

What is a Data Map or Data Inventory?

A data inventory (sometimes referred to as a data map or data mapping) is a comprehensive catalog of the data assets held by an organization. A well-maintained data inventory includes up-to-date, detailed information about the data and about its source within the organization. It must not only describe the data but also explain how it is used in conjunction with other data. Other elements of a data inventory could include:

  • Information about data types (such as personally identifying information, health data, financial data, or other types of sensitive data)
  • How the data was obtained (from a transaction, consumer opt-in, partner or vendor data, etc.)
  • How the data is used, meaning its purpose to the business
  • Who has access to the data
  • Data retention or disposition requirements (although these are often part of data retention policies and procedures)


How Are Data Inventories Used?

An up-to-date data inventory allows organizations to operate more efficiently, improve the accuracy of their reporting, mitigate risk, and meet privacy and compliance obligations by identifying where data lives in the organization. Privacy regulations such as the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the EU’s General Data Protection Regulation (GDPR) provide additional rights to consumers over the collection, sharing, and usage of their personal data, as do more recently passed laws like those in Virginia, Colorado, Utah, and other states.

To comply with these regulations, organizations must be able to identify individuals’ data, provide, remediate, or delete it on demand, and vouch for third-party vendors’ ability to do the same. A data inventory (or map) is critical to accomplishing that. A data inventory is, in practical terms, the foundation upon which an organization's entire privacy compliance program rests.


Why Is It Important to Have a Data Inventory?

Data lives across all areas of all different departments: legal, IT, marketing, services, sales, and human resources—just to name a few. And of course data is stored in an equally wide range of formats: in emails, Word documents, spreadsheets, and databases, and even in the cloud. Often, that data is dark or rogue data that isn’t easy to find or categorize, or that individuals may not even know exists. In cases like those, organizations may have to undertake a much more technology-focused data discovery process to uncover all the data they need to be aware of across the entire organization.

One of the most important reasons to have an accurate data inventory is that it’s nearly impossible for an organization to be sure they’re complying with any law or regulation regarding their data if they don’t have an up-to-date and well-maintained data inventory. With potential non-compliance penalties of up to 2% of global revenue under GDPR, the failure to create and maintain a data inventory can be far more costly than the expense of investing in completing one. Completing a data inventory can help reveal how risky an organization’s storage practices are, and potentially unveil new risks as well.

A data inventory provides an excellent return on investment by giving organizations several abilities they might not otherwise have.

  1. It shows organizations what data they have, including dark data that may not have been widely known to exist.
  2. It allows organizations to identify which sources of data are trustworthy.
  3. It allows organizations to see where they have data that is sensitive or subject to regulatory or policy controls.
  4. It allows organizations to identify data that has value but is not being used or monetized effectively.
  5. It allows organizations to identify data that poses risks that are not commensurate with its business value.
  6. It allows organizations to see data that is subject to other controls such as a legal hold or investigations.
  7. It helps inform roles and responsibilities, so the organization can make intelligent business decisions about how to maximize the value of the data and minimize risks without interfering with investigations and legal processes or violating any regulations or policies.

I think organizations need to take an active approach to data management, and usually that includes a really robust data disposition plan and includes as much automation as possible.

The point of the data map is to really be able to quickly find and preserve responsive data, where your contracts are stored, where your emails are stored, where your accounting records are stored, etc.

Tara Van Dyk
Director of Client Solutions for Epiq

This is an ever-growing problem...

With the large amount of data we’re easily storing in the cloud, or sending back and forth in different collaboration tools, the volumes are just growing and growing. And we still have all the other things, like Google Drive and Dropbox, that we were using before. Knowing where this data lives and how to access it for investigative and litigation purposes is imperative.

Tara Jones
Legal Services Manager for Verizon Media

Challenges of Creating and Maintaining Your Data Inventory

Since all of the questions surrounding compliance with data privacy regulations start with the organization’s data map, it needs to be built the right way. Data mapping is complex and challenging—and there are pitfalls to avoid. It’s a big focus in terms of time and resources, so doing it efficiently is key. Below are four common challenges and shortcomings associated with data mapping and how they can be mitigated.

Too Time Consuming. Many organizations that begin the process of developing a data inventory experience a project failure due to the extreme amount of time it takes to finish the process. But that doesn’t have to be the case—there are ways to significantly ease the data mapping burden: It starts by defining a process for gathering information. In most cases, systematic interviews with data stewards are the most efficient way to collect info for a data map. Using simple and template-based questionnaires or leveraging systems that can automate the interviews so that follow-ups, reminders and update questionnaires can be pre-scheduled and responses automatically logged are effective ways to

An Incomplete Data Inventory. Perhaps the most common mistake organizations make with data maps is that they omit important information and therefore render the data map far less useful than it should be. Remember that the purpose of the data map is to be able to find data when requested wherever it may be in the organization, and that an incomplete data map means that it’s possible that a request to find all data is not able to be totally fulfilled.

Accounting for ALL Data Sources. For a data map to be effective, it has to be comprehensive. In today’s digital world, that means it must account for things like mobile devices and cloud-based applications, including social media, since data from these sources is increasingly being sought in litigation. It is critical to identify how and by whom these sources are used and any relevant data that may exist on them (customer service records, marketing materials, etc.).

Updating the Data Inventory. Think of a data map as a product, not a project. Like a product, it should be constantly evaluated, updated and assessed for quality. Failing to take this approach usually results in a data map becoming outdated before it provides any real value to an organization. It’s also important to build the inventory in a way that is easily accessible and helpful to those who use it; in other words, massive spreadsheets or diagrams that don’t integrate with all data sources make it difficult to effectively respond to requests for data, and difficult to identify when a new data source has been created.


The Case for a Comprehensive Data Mapping Strategy Led by Legal

Exterro’s 2020 In-House Legal Benchmarking Report found that a majority of organizations task IT (54%) with ensuring that data is managed to comply with legal requirements surrounding retention, litigation, and cybersecurity. Surprisingly, only 17% of Legal departments say this duty is in their hands; this is not ideal, because IT may not be well-versed in the rules and requirements surrounding the management of certain types of data. And since regulatory compliance fulfillment is not led by IT, unless there’s a dedicated IT professional who understands these requirements and works with Legal, educating both teams on every side of the puzzle becomes a time-consuming back-and-forth.

Brett Tarr, a Senior Manager for law firm Ernst & Young, says that it’s imperative for Legal to quarterback an organization’s data management strategy.

I think starting with Legal is probably pretty prudent because ultimately, the burden for managing violations in discovery, in privacy, and other regulatory compliance falls upon Legal.

Really, the buck stops there and Legal needs to be, if not the, then certainly one of the leading voices in understanding the risk and quantifying it for the organization. That leads to a process where you understand, organize, and manage enterprise data based on the requisite risk that each type of data creates.

Everything else that falls from there starts with making sure we can meet our legal obligations, and ensure we’re not creating additional risk for the organization. Logically, your next steps then come into the length of time that information is useful, and how to go about building in retention requirements, along with remediation and disposition.

Brett Tarr
Senior Manager for law firm Ernst & Young

If Legal is able to serve as guideposts to help direct conversations, measure risks, and ensure that data can be mapped to support the preservation and collection response requirements, the entire enterprise should benefit.


The Basic Steps to Develop a Data Inventory

Understanding how different business units plan to interact with and use the data map will help guide the information gathering and make the process of building the map far more efficient. Your data inventory should allow you to answer questions about your data. Consider each of the following questions a “must know” item to which your organization’s data privacy officers should have a positive, “yes” answer:

  • Is it easy to filter and identify the inventory contents based on any parameter, including regulatory statutes?
  • Is it easy to update, maintain, and ensure that the inventory contents are accurate?
  • Is the data able to be identified by record type, regulatory standard, and other variables?
  • Can you easily understand the context in which the data is collected and/or used?
  • Does it document all your organization’s data?
  • Can it include information held by that collect, store and use data on your behalf?
  • Can you identify classes of data subjects by how they interact with your business?
  • Can you identify where in your business process related data is stored?
  • Can you identify the relationships between business processes and data?
  • Can you identify the collection methods of that personal information?

Automating Your Data Inventory/Map with Technology

A modern, enterprise-class data inventory, put simply, is a central location for identifying all of your organization’s data—neatly identified and organized in a single platform—that must include a library of regulatory laws regarding retention, and guidelines for making informed decisions when choosing to remediate or otherwise take action with your data. Built in this way, data stewards are able to visualize all relevant data in one location, rather than having to seek out and hunt down disparate pieces of information from what could be hundreds of thousands of different shared drives, hard drives, or file cabinets across an organization.

Choosing the right partner to help you build this inventory is critical: It often is the difference between projects lasting 30 days or six to 12 months or more. The right partner will help your company properly scope the project to ensure that organizational expectations for your data inventory are met. This usually includes access to customizable process templates that help leverage their expertise in the market, guidance on how to account for regulatory and corporate retention policies, and in-depth assistance to ensure a quick and timely completion of the project, so that all stakeholders are happy.
