Simply put, a data processing inventory is a repository of everything your organization does with data.
Since the General Data Protection Regulation (GDPR) and other privacy laws came into full effect, what your organization does with the collected data is no longer just your business.
It is the right of every data subject to know what you do with their data, while you are obligated to keep a record of processing activities and provide it to the supervisory authority if asked as a demonstration of compliance.
That is why the data processing inventory should be much more than set and forget records of processing activities in an Excel sheet.
Data processing inventory is at the heart of any privacy program because it all starts with understanding and recording personal data processing within the organization.
We can even go a step back and say that when building a privacy program, you should do your best to become familiar with the business, people, and data within the organization.
Then you should find a way to record it in a data processing inventory.
Creating a data processing inventory
The task of creating a data processing inventory is not an easy task.
It demands a thorough investigation of existing personal data assets within the organization and ongoing data-driven business processes.
As a part of this investigation, it is critically important to understand and record the purpose of every processing activity.
When the purpose of data processing is recorded correctly, then the decision can be made on which lawful basis applies to each processing purpose.
This decision is the turning point in the process of populating a data processing inventory record.
It defines, for each processing activity, which additional privacy-related information needs to be discovered and managed.
In addition, it defines which processing activities need further justifications that need to be documented by the organization.
When is the purpose defined?
The purpose of the processing is usually defined long before privacy assessment or even before the existence of the Privacy program within the organization.
The purpose of the processing is at the core of the business and tied to the organization’s strategic goals.
The bank could be collecting personal information in order to process an individual’s loan or mortgage request, or the hospital is processing a patient’s diagnostics data.
When starting a privacy program, the purpose of processing activities needs to be understood so the processing can be checked against the data protection principles.
Privacy professionals need to check if the lawful basis for processing has been correctly identified and if processed personal data is adequate, relevant, and limited to what is necessary for the purpose (‘data minimization’).
Since privacy programs are usually started long after the initial (business) purpose is clearly defined, there is often a shortage of people in the organization who genuinely understand the big picture of business processes and their purpose.
Furthermore, the data is mostly processed in distributed ICT systems managed or operated by IT, and there is a gap in understanding what goes on with the data inside the systems once it is collected from the individuals.
An example of complex data processing
Let us take an example of an analytical solution for business reporting.
Analytical systems are usually made of several key architectural components.
These components include a copy of the organization’s application data (copy of a CRM database, HR database, Marketing database, etc.).
It also includes data warehouse or Data lake databases where this data is transformed to fit better analytical processing, a reporting application for corporate business intelligence reports, and a data science platform to run different mathematical algorithms and find new and business-relevant patterns in the data.
We live in the age of big data, and organizations are collecting and processing as much data as possible because it has value and it makes sense for the business.
For the same reasons, there are many users within the organization with access to the analytical data.
Users with roles such as business analysts, data engineers, and data scientists.
There are also users consuming the data for marketing and sales purposes, creating profiles of the individual, and targeting individuals with personalized content.
The IT users are also monitoring and predicting the usage of the applications and users from different organizational units who are a part of the core business, analyzing the performance of the organization’s products and services.
The technical aspect of data processing
Now, this may already sound complex, but it gets even more complicated when you dig into the technical details.
Today, hybrid IT environments, including data processing in the Cloud and on-premise, are a part of everyday business.
There is a lot of analytical Software as a Service (SaaS) applications, and businesses are making use of it, meaning personal data is flowing between applications and data servers in different locations all around the World.
The data within these systems also come in different formats and with different structures, including standard relational databases, analytical relational databases, NoSQL databases, and a range of big data platforms.
As a Privacy professional entrusted with assessing and monitoring the organization’s compliance with data protection laws, you need to understand what goes on with the data in the analytical system.
Moreover, you need to understand the purpose of all the processing taking place.
- Want to find out how to identify the processing successfully?
- How to define privacy responsibilities?
- How to work closely with different business units?
- How to create and maintain a data processing inventory?
Download the white paper and continue reading…