TrustArc Blog

How to Maintain a Data Inventory for GDPR Compliance – Tips from TrustArc Privacy Experts

August 22, 2018

Now that the GDPR has been in effect for a few months, it is a good time to evaluate the processes and procedures you put in place prior to the deadline. Although May 25th has passed, companies still need to be compliant every day after. A fundamental key to staying compliant is introducing a regular review process.

As a reminder, Article 30 requires companies to produce “records of processing activities”, which will allow regulators to see that companies are adhering to the GDPR. With this goal in mind, the records should show why and how the data is being processed.

A data inventory process that focuses on how data is collected and why it is collected will help you adhere to GDPR requirements. Strictly focusing on the data elements themselves may cause a company to overlook important elements. For example, if an online clothing retailer collected a customer’s national identification number, asking why they need this information would likely tell the retailer it is not necessary to collect that information. Having a process in place will help your teams to keep these things in mind.

Having up-to-date business process information will be key to meeting Article 30 compliance reporting requirements because the company must produce the reports upon request from a Data Supervisory Authority. Maintaining up-to-date and accurate information on your organization’s processing will also help to demonstrate accountability by showing that the processing activities are compliant with GDPR. Using a technology solution can help streamline the process of keeping records of business processes up-to-date and can help produce on-demand reporting.

Meeting Article 30 requirements may require some companies to shift the way they approach looking at how data exists in their organization. Instead of creating static lists of IT applications, mapping business processes can help explain the “how and why” of a company’s data processing, thereby making Article 30 reporting easier. Recording information necessary for an Article 30 report while building visual maps of how the data moves throughout the organization is an efficient way to keep track of a company’s data flows and better address risk.

Test Your Process

After developing a new process, test that process to ensure it is working. A great way to test your process is by conducting a simulated data breach, with each team member running through his or her role. To respond to the simulated breach, the team will have to identify the data that was breached, which will require finding where it was residing and which processes were affected. These requirements will force the team to see whether information is being kept up-to-date. For example, would the team be able to identify every vendor that had access to that data?

Many companies find processes that use a particular vendor that may not have been documented. Or, even if processes have been documented properly, a company may realize it requires a more granular level of detail. These simulations should be conducted with a regular cadence.

TrustArc Data Flow Manager can streamline the process, saving time, and TrustArc privacy experts can help you develop a process to maintain compliance. To learn about our unique combination of privacy expertise and purpose-built technology, schedule a demo.