Step Three: Know Your Data Contextually

Understanding the personal data you hold, where it’s stored, and how it’s used is an ongoing challenge. Most companies today grow organically with the help of an increasing array of external technologies supporting everything from recruitment to office productivity to outbound marketing.

As a result, organizations end up with a sprawling data footprint across locally owned databases, cloud-based servers, SaaS solutions (e.g. Salesforce, Snowflake, Slack, Shopify, Zendesk, Zoom, etc.), and throughout their supply chain.

According to Okta’s “Businesses at Work 2023” report, large companies (2,000 or more employees) use an average of 211 different software applications across operations, many of which involve personal data. Compounding the sprawl, many companies aren’t fully aware of all these systems.

An effective privacy program tackles these blind spots from the start. It treats system and data discovery, and the data mapping that relates discovered systems to the business activities that use them, as a foundational activity rather than an afterthought.

This kind of actionable visibility lies at the heart of GDPR’s Article 30 record of processing activities. Note that Article 30(5) exempts organizations with fewer than 250 employees only when processing is occasional, unlikely to pose a risk to individuals, and does not include special categories of data or criminal conviction data; most organizations handling customer or employee data will not meet all three conditions.

Data Inventory

Captures data assets and repositories

Can cover any type of data, including personal data.

Typically used by IT, Security, and Information Governance/Records Management functions

Asks:

  • What is the repository?
  • Where is it?
  • Who owns it?
  • What data is in it?
  • How much data is there?
  • How is the data classified?
  • How long is it held?
  • How are assets kept safe, accurate, and accessible?

Business Process Inventory

Captures an organization’s business processes and activities

Can cover any business process or activity

Useful to Finance, Legal, and other business management functions

Asks:

  • How do we collect data?
  • Why do we use the data?
  • Who’s responsible for the activity?
  • What other parties are involved, internally or externally?

Record of Processing Activity (RoPA)

Summarizes how personal data (PD) is managed in line with legal, technical, and organizational responsibilities

Can cover one or more related business processes, systems, and geographies

Typically used by Legal and Privacy functions

Asks:

  • Why do we use PD?
  • What is our legal role (controller or processor)?
  • What is the legal basis for the activity or activities?
  • Whose PD do we hold?
  • What types of PD do we hold?
  • Where do we collect or hold PD?
  • Who is PD shared with?
  • What other parties are involved?
  • Is PD transferred or accessed internationally?
  • How is PD kept secure?
  • How long is PD held?
  • Are special safeguards used?

An up-to-date, tailored RoPA is more than a snapshot in time. It’s a branching-off point for other privacy management activities like conducting data protection/privacy impact assessments and maintaining privacy policies.
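The three artifacts above fit together: a RoPA row is, in effect, a join of the data inventory (what is held, where, and for how long) with the business process inventory (why, by whom, and with whom), plus the legal context. The script below is an added example, not DataGrail code or part of the original page. It performs that join over constructed sample inventories and reports the blind spots the join exposes: a process that uses a system nobody inventoried, a repository holding personal data that no process explains, a transfer with no documented safeguard, and inconsistent retention across the systems one process touches. The system names, country codes and the set of countries treated as needing no transfer safeguard are assumptions for illustration.

```python
"""Derive Record of Processing Activity (RoPA) rows by joining a data
inventory with a business process inventory, and report the blind spots
the join exposes. Added example; not DataGrail code. All system, process
and country names below are constructed sample data."""
from dataclasses import dataclass

# Countries treated here as needing no transfer safeguard. This set is an
# assumption for the example; a real list follows the adequacy decisions in force.
NO_TRANSFER_SAFEGUARD_NEEDED = frozenset({"DE", "FR", "IE", "NL"})


@dataclass(frozen=True)
class System:
    """One data-inventory entry: a repository and what it holds."""
    name: str
    owner: str
    region: str               # where the repository is hosted
    pd_categories: frozenset  # e.g. {"contact", "payment"}; empty if no PD
    retention_days: int
    classification: str


@dataclass(frozen=True)
class Process:
    """One business-process-inventory entry plus its legal context."""
    name: str
    purpose: str
    legal_basis: str          # GDPR Art. 6 basis; "" if not yet decided
    role: str                 # "controller" or "processor"
    systems: tuple            # names of System entries it touches
    data_subjects: tuple
    recipients: tuple
    recipient_countries: tuple
    safeguards: tuple         # e.g. ("SCCs",); empty if none documented


def build_ropa(systems, processes):
    """Return (ropa_rows, findings). Each row answers the RoPA questions
    for one process from the joined inventories; findings list the gaps."""
    by_name = {s.name: s for s in systems}
    rows, findings = [], []
    for p in processes:
        used = []
        for name in p.systems:
            if name in by_name:
                used.append(by_name[name])
            else:
                findings.append(f"{p.name}: uses system {name!r} missing from the data inventory")
        # Union of PD categories across the systems the process actually touches.
        pd = frozenset().union(*(s.pd_categories for s in used))
        intl = sorted(c for c in p.recipient_countries if c not in NO_TRANSFER_SAFEGUARD_NEEDED)
        if intl and not p.safeguards:
            findings.append(f"{p.name}: transfer to {intl} with no documented safeguard")
        if pd and not p.legal_basis:
            findings.append(f"{p.name}: processes PD with no recorded legal basis")
        retention = {s.retention_days for s in used}
        if len(retention) > 1:
            findings.append(f"{p.name}: inconsistent retention across systems {sorted(retention)}")
        rows.append({
            "activity": p.name,
            "purpose": p.purpose,
            "role": p.role,
            "legal_basis": p.legal_basis,
            "data_subjects": list(p.data_subjects),
            "pd_categories": sorted(pd),
            "systems": [s.name for s in used],
            "locations": sorted({s.region for s in used}),
            "recipients": list(p.recipients),
            "international_transfer": bool(intl),
            "safeguards": list(p.safeguards),
            "retention_days": max(retention) if retention else None,
        })
    # Inventoried repositories that hold PD but appear in no process are orphan data.
    referenced = {n for p in processes for n in p.systems}
    for s in systems:
        if s.pd_categories and s.name not in referenced:
            findings.append(f"{s.name}: holds PD but no process explains why")
    return rows, findings


# Constructed sample inventories (not real systems or vendors).
SYSTEMS = [
    System("crm", "Sales Ops", "IE", frozenset({"contact", "company"}), 1095, "confidential"),
    System("helpdesk", "Support", "US", frozenset({"contact", "ticket_text"}), 730, "confidential"),
    System("hr_export_2019", "HR", "DE", frozenset({"contact", "salary"}), 3650, "restricted"),
]
PROCESSES = [
    Process("Outbound marketing", "Prospect outreach", "legitimate interest", "controller",
            ("crm", "email_tool"), ("prospects",), ("email_tool vendor",), ("US",), ("SCCs",)),
    Process("Customer support", "Resolve support tickets", "", "controller",
            ("crm", "helpdesk"), ("customers",), ("helpdesk vendor",), ("US",), ()),
]

if __name__ == "__main__":
    ropa_rows, gaps = build_ropa(SYSTEMS, PROCESSES)
    for finding in gaps:
        print("FINDING:", finding)
```

Run as a script, the sample data produces five findings: an uninventoried `email_tool`, an orphaned `hr_export_2019` holding salary data, a US transfer for support with no safeguard, a support activity with no legal basis, and retention that differs between the CRM and the helpdesk. Each is the kind of gap that a RoPA built from a single spreadsheet column would hide, and each maps directly to one of the "Asks" lists above.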


Bottom Line:

Discovery and contextualization through data mapping is a foundational privacy management activity going beyond asset cataloging. Knowing what personal data you have, where it lives, and why you have it provides actionable visibility into your business activities.

How to Get Started


Live Data Map in DataGrail maps your company’s personal data and generates Inventory System Reports that serve as input to your RoPAs.

In DataGrail, choose Live Data Map at the top of your screen to get started.

Live Data Map Overview


DataGrail automatically maps and pre-populates information about connected systems, but we can get even more tailored with your system and processing reports.

Request a demo to learn more about RoPA exports and adding custom questions to your inventory system reports.


Connect with other pros (free) to discuss data mapping and RoPA best practices. Join the Privacy Basecamp Community.