What is a Personal Data Inventory?
A personal data inventory is simply a record of all the personal data that you collect in your business.
It’s often called a Personal data mapping exercise and works best using a spreadsheet or table. It’s like a stock take of the personal data you collect in your business.
When it comes to GDPR, we are often told that having a Privacy Policy is the first thing that we need to implement to comply with Data Protection law. But it’s really not !
Before you can write a Privacy Policy, you need to have a really good understanding of all the different types of personal data you collect in your business. One of the first questions I ask clients when they come to me for support with their Privacy Policy is – “Do you have a personal data inventory?” And if not, I give them a Personal Data Inventory template and talk them through how to complete it.
Having a clearly laid out Personal Data Inventory makes writing your Privacy Policy so much easier.
How to get started with a Personal Data Inventory
The first thing to think about is the different categories of people and personal data that you deal with in your business.
There are the people that you want to work with – your “prospects” – chances are you may only be collecting limited information – perhaps a name, email address, IP address and location? Or perhaps you are also keeping a record of their social media pages and information that you find there?
Then you’ve got your clients – once you start working with someone, depending on the nature of your business, you will be collecting a lot more personal data about them. And this may vary depending on the different services you provide to them.
You’ll then need to think about why you need each bit of personal data, what your lawful basis is for having it, and how long you keep the personal data for.
Once you’ve completed it, your Personal Data Inventory will act as a central record of all the personal data you collect in your business.
Keeping a Personal Data Inventory Updated
Whenever you change something in your business or start to do something new you should add it to your Personal Data Inventory – it should also prompt you to make any relevant changes to your Privacy Policy too.
For instance, let say that you decide it would be a great idea to start sending your email subscribers a special offer or discount voucher for their birthday, but you haven’t previously been collecting their birthday date.
You would of course need to ask them to provide you with their birthday so that you can set up an automation in your email marketing software to send the email on a specified date.
You would add this to your Personal Data Inventory and you would absolutely need to update your Privacy Policy to inform people why you collect information about their birthday and how they can opt-out of having their birthday stored in this way.
Top Tip
Keep a version number and date of your Personal Data Inventory and keep it somewhere safe.
Each time you add to it or update it, give it a new version number and date so that you always have a previous record to refer back to if you need it.
And finally make a diary note to check it every six months to make sure it’s current and up-to-date.
What are the benefits of a Personal Data Inventory
Completing a Personal Data Inventory really helps you to be clear on what you are doing with other people’s personal data, it gives you the opportunity to see at a glance who you are sharing personal data with and where you are storing it.
This is essential when you are writing your Privacy Policy – or asking someone to write it for you, believe me, it will make the whole process so much easier!
Another benefit of maintaining a Personal Data Inventory is that if you ever receive a request for information – “a Subject Access Request” – you have a central record to refer back to. It will really save a lot of time when you are thinking about what information you have about someone, where it is saved and who (if anyone) you may have shared it with.
It will also identify any places that you need to remove or delete personal data if someone asks to be forgotten or objects to your keeping their personal data.
Your Personal Data Inventory can act as a prompt to remind you to review your records and files and delete personal data when you no longer need to keep it.
And it can help you to identify any processes that you have in your business that could be exposing you to risk of a data breach or loss.
But above all, having a Personal Data Inventory helps you to comply with GDPR and Data Protection regulations and your responsibilities as a business owner under the Accountability Principle of The Data Protection Act 2018 in the UK.
It shows that you have taken time to think about and map out all the personal data in your business. And it’s a great way to demonstrate that you are keeping records of how you process personal data.
Completing a Personal Data Inventory may seem like a lot of work to start with, but it’s time well spent as it can save you a lot of time in the long run.
