4 Ways to Build & Maintain Your Data Inventory

May 18, 2021

An accurate, up-to-date, comprehensive data inventory is the foundation of legal organizations’ privacy, governance and risk management activities. Without one, the organization will suffer from inefficient processes, missed opportunities, gaps in coverage, and overall poor execution. It is vital that legal and compliance leaders implement a data inventory management process that is effective for their organization.

There are four techniques that are used to implement this process: a consultative approach, data scanning, privacy assessment, and a combination approach. There are benefits and drawbacks to each, but in the end, the combination approach used by Exterro Data Inventory has been proven superior in nearly every circumstance.

The 4 Approaches to Building a Data Inventory

#1: The Consultative Approach

This approach involves using a consulting firm, typically a big-4 type firm, to compile the data inventory. This approach seems low risk, as these firms do have substantial expertise and tools available to them for this activity.

What is the approach?

The firm will do a detailed study of your data environment. Typically, this will involve both detailed examinations of the technical environment using their own proprietary toolset and interviews with the business users.

How long does it take?

Consulting firms always have incentives to leave no stone unturned, so these projects tend to be lengthy, often taking years to complete.

How much does it cost?

Given the manual nature of the activity, these projects cost hundreds of thousands to millions of dollars.

What are the risks?

The risk is that the process is not repeatable without engaging that firm or one like it in a similarly sized effort.

What do you get?

The output is a comprehensive report of what data you have and what it is. While this content is correct and likely fairly complete, in report form it is not usable as part of daily processing activities.

#2: The Scanning Approach

Scanning is an approach that is often seen when the IT organization leads the data inventory effort. This approach is sometimes referred to as data discovery. It uses software tools to examine each data source and extract metadata from it. These tools examine the data itself and construct meaningful metadata from these observations. AI techniques have led to innovative capabilities especially in the area of personal information. Technologies differ in how they find the data sources; some act as “network sniffers” and detect data activity on the network. This approach is highly automated, but only yields information about the data in active use. Others will leverage a Configuration Management Database (CMDB) and extract the list of known data sources. All claim to discover “dark data” but in fact this capability is always incomplete.

What is the approach?

Software uses various techniques to find data in your environment and identify its type, nature and purpose. Techniques for finding data include network sniffers to detect data activity and products that load data sources from a CMDB.

How long does it take?

While building custom patterns is not hugely challenging, training ML algorithms requires accurate and precisely labelled data sets. Creating these curated data sets of the size and range needed to create accurate PII detection can take months. Data volumes also create challenges, so sampling techniques must be used.

How much does it cost?

Prices depend on the number of data sources and volumes of data. For Global 2000 companies yearly subscription costs can run in the millions.

What are the risks?

The process is dependent on the accuracy of the original training data set. As the composition of data changes that set becomes less accurate. This requires the training activities to be repeated regularly, as each time the scan is run it is less accurate than previously.

What do you get?

The process is dependent on the accuracy of the original training data set. As the composition of data changes that set becomes less accurate. This requires the training activities to be repeated regularly, as each time the scan is run it is less accurate than previously.

#3: The Assessment Approach

Assessment is the term used to describe the process of interviewing or surveying individuals who have knowledge of the data and its uses, and then collating that information. Surveys are the most common assessment technique used. Privacy products use this technique often, as this is the only way to get information about data ownership, stewardship, and uses, as well as semantic information. This information is vital to understanding how the data is used as part of business records and business processes. This understanding is the key to many of the operational processes within the legal and compliance organizations. For example, data retention obligations are nearly always expressed in terms of business records, not data.

What is the approach?

Survey software enables you to send questionnaires about your data to SMEs and users.

How long does it take?

This process usually takes months to identify the right stakeholders, develop the questions, and then execute the survey. The survey development is particularly challenging and is often the part that is short-changed for the sake of time.

How much does it cost?

These solutions are quite inexpensive, and can even be executed with basic survey tools.

What are the risks?

The tools contain no best-practice question content. Without expert guidance on how to conduct the assessment and who to include, most organizations get very poor results. Results are often free-form text, which is nearly impossible to use.

What do you get?

This gives you a good view of what data is used by the organization, how it is used, and what it means. However, it misses data that is not part of formal processes. It can also give a one-dimensional view of the data, since it does not find out about the technical characteristics or information that can be interpolated from the data itself.

#4: The Combination Approach

A combination approach relies on using portions of different approaches in conjunction with one another to achieve a more complete and holistic view of your data. The best of these combine the assessment approach with the scanning approach. This creates the maximum amount of information about your data in an automated way, and also harvests the expertise of your community regarding the data’s value, its uses, and its meaning. The challenge is always how to represent both sets of data in a way that enables their combination. Few products have successfully overcome this challenge.

What is the approach?

Exterro Data Inventory uses both an assessment and data scanning approach in combination. This provides the best of both worlds, giving a technical view of the data from the scan, and business contextual view of data from the assessments. Exterro's assessment tools are pre-populated with industry specific content, and come with expert guidance on performing the assessments. The resulting inventory is a complete contextual view of data, and includes dark data.

How long does it take?

Exterro Data Inventory has been implemented with customers in as little as 60 days, and time to value can be even shorter than that.

How much does it cost?

Pricing varies by size and number of data sources.

What are the risks?

Exterro Data Inventory gives you a complete contextual view of data. The only risk is discovering that there is much more data than originally thought.

What do you get?

A fully actionable data inventory that can be used to implement an operational retention schedule, perform Article 30 reporting, respond to PIAs, and support many other legal and cybersecurity initiatives. There is a complete contextual view of data, and an automated, repeatable process that keeps it up to date.

Conclusion

While each of these approaches will yield a data inventory, Exterro believes that the combination approach is the best one. It provides the highest level of automation and the critical information that is kept in your employees’ experience. It delivers the most comprehensive and richest data inventory and can enable numerous processes for your regulatory compliance, such as data retention, data subject requests, and vendor risk profiling. Help your organization create the best possible data inventory. Contact Exterro today.

