What is a Data Processing Inventory

Simply put, a data processing inventory is a repository of everything your organization does with data.

Since the General Data Protection Regulation (GDPR) and other privacy laws came into full effect, what your organization does with the collected data is no longer just your business.

It is the right of every data subject to know what you do with their data, while you are obligated to keep a record of processing activities and provide it to the supervisory authority if asked as a demonstration of compliance.

That is why the data processing inventory should be much more than set-and-forget records of processing activities in an Excel sheet.

Data processing inventory is at the heart of any privacy program because it all starts with understanding and recording personal data processing within the organization.

We can even go a step back and say that when building a privacy program, you should do your best to become familiar with the business, people, and data within the organization.

Then you should find a way to record it in a data processing inventory.

Creating a data processing inventory

Creating a data processing inventory is not an easy task.

It demands a thorough investigation of existing personal data assets within the organization and ongoing data-driven business processes.

As a part of this investigation, it is critically important to understand and record the purpose of every processing activity.

How to populate data processing inventory

When the purpose of data processing is recorded correctly, then the decision can be made on which lawful basis applies to each processing purpose.

This decision is the turning point in the process of populating a data processing inventory record.

It defines, for each processing activity, which additional privacy-related information needs to be discovered and managed.

In addition, it defines which processing activities need further justifications that need to be documented by the organization.

When is the purpose defined?

The purpose of the processing is usually defined long before a privacy assessment, or even before a privacy program exists within the organization.

The purpose of the processing is at the core of the business and tied to the organization’s strategic goals.

A bank could be collecting personal information in order to process an individual’s loan or mortgage request, or a hospital could be processing a patient’s diagnostics data.

When starting a privacy program, the purpose of processing activities needs to be understood so the processing can be checked against the data protection principles.

How to determine data processing activities

Privacy professionals need to check if the lawful basis for processing has been correctly identified and if processed personal data is adequate, relevant, and limited to what is necessary for the purpose (‘data minimization’).

Since privacy programs are usually started long after the initial (business) purpose is clearly defined, there is often a shortage of people in the organization who genuinely understand the big picture of business processes and their purpose.

Furthermore, the data is mostly processed in distributed ICT systems managed or operated by IT, and there is a gap in understanding what goes on with the data inside the systems once it is collected from the individuals.

An example of complex data processing

Let us take an example of an analytical solution for business reporting.

Analytical systems are usually made of several key architectural components.

These components include a copy of the organization’s application data (copy of a CRM database, HR database, Marketing database, etc.).

They also include data warehouse or data lake databases where this data is transformed to better fit analytical processing, a reporting application for corporate business intelligence reports, and a data science platform to run different mathematical algorithms and find new and business-relevant patterns in the data.

We live in the age of big data, and organizations are collecting and processing as much data as possible because it has value and it makes sense for the business.

For the same reasons, there are many users within the organization with access to the analytical data, in roles such as business analysts, data engineers, and data scientists.

There are also users consuming the data for marketing and sales purposes, creating profiles of the individual, and targeting individuals with personalized content.

IT users also monitor and predict the usage of the applications, and users from different organizational units that are part of the core business analyze the performance of the organization’s products and services.

The technical aspect of data processing

Now, this may already sound complex, but it gets even more complicated when you dig into the technical details.

Today, hybrid IT environments, including data processing in the cloud and on-premise, are a part of everyday business.

There are many analytical Software as a Service (SaaS) applications, and businesses are making use of them, meaning personal data is flowing between applications and data servers in different locations all around the world.

The data within these systems also come in different formats and with different structures, including standard relational databases, analytical relational databases, NoSQL databases, and a range of big data platforms.

As a privacy professional entrusted with assessing and monitoring the organization’s compliance with data protection laws, you need to understand what goes on with the data in the analytical system.

Moreover, you need to understand the purpose of all the processing taking place.

  • Want to find out how to identify the processing successfully?
  • How to define privacy responsibilities?
  • How to work closely with different business units?
  • How to create and maintain a data processing inventory?

Download the white paper and continue reading…
