GDPR compliance—the importance of maintaining an inventory of personal data

Publish date:

Understanding the boundaries of GDPR compliance requires organizations to maintain an inventory of personal data

Does your organization need to comply with GDPR? If yes, creating an inventory of your organization’s personal data, supporting systems and processes should be the first step on your GDPR journey.

Everybody knows that meeting any compliance requirement should start with “scoping.” All subsequent compliance measures are applied on scoped locations, organization units, data, processes and systems. More than ten articles in the European Union’s General Data Protection Regulation (GDPR) contain phrases such as “taking into account … scope, context and purpose of processing…” Scoping defines the boundaries of the requirement—with lesser coverage resulting in inadequate compliance and higher coverage leading to unnecessary effort, time and cost.

Inventorying your personal data will help define the scope of applicable GDPR articles. Further, Article 30 of GDPR mandates maintaining a record of processing activities. As part of the inventory, personal data should be mapped to the processes, applications and infrastructure involved in the collection, processing, distribution and storage of data. Mapping helps maintain and monitor GDPR compliance, including data subject rights, organizational and technical security measures, appropriate access controls, breach management procedures and data lifecycle management procedures.

To this end, it’s paramount that your organization creates and maintains the following inventory at a granular level:

  • Details of the personal data collected
  • A description of the categories of data subjects
  • A description of the category of personal data
  • Controller and processor details, including company name, strategic business unit, country, business unit, department, team name
  • A description of the category of recipients
  • The purpose of processing
  • Details of data transferred to other countries
  • Where the data is stored
  • Which applications/technology can access personal data
  • Details of supporting infrastructure
  • The data retention period
  • Organizational and technical measures.

A change management process is needed to keep your organization’s scope both current and relevant. For example, changes in your processor and application/technology, and the introduction of new service lines/processes, will require an update to your inventory.

Whether you’re a small enterprise utilizing spreadsheets to track your compliance or a global organization leveraging a compliance management platform, creating or validating an inventory of your organization’s personal data should be the first step on your GDPR journey.

To learn more about how Capgemini’s governance, risk management and compliance (GRC) services can help you prepare and maintain an inventory of personal data, contact: lakshminarsimhan.s@capgemini.com

 Click here to learn more about how Capgemini’s GDPR portfolio can enhance your reputation and deliver real business value.

Related Posts

GDPR

GDPR: An opportunity to win customer trust

Ramón Pérez Blanco
May 17, 2018

Customers are aware that the scope of privacy is growing. They want transparency. The sensitive...

GDPR

How can online retailers prepare for the GDPR

Sushant Devata
May 17, 2018

The GDPR introduces significant new requirements that impact how organizations handle customer...

GDPR

GDPR—Navigating a Regulatory Minefield

P, Gopichand
March 1, 2018

Applying the right principles for effective and efficient implementation of your GDPR compliance...

cookies.

By continuing to navigate on this website, you accept the use of cookies.

For more information and to change the setting of cookies on your computer, please read our Privacy Policy.

Close

Close cookie information