U.S. and international regulations and laws require companies to conduct full-scale personal data inventories, resolve issues that are surfaced, and maintain an up-to-date inventory for ongoing compliance and reporting requirements.
This is clear in both the regulatory requirements and the guidance published by regulators and data protection authorities. Failure to adequately identify, address, and minimize risks to personal and sensitive data can result in significant legal and financial harm.
You must know where your data is to protect it, delete it, report on it, and produce it. A defensible data inventory identifies where personal data exists, processing activities, transfers, storage locations, access levels, retention periods, and other critical elements. Developing and maintaining an accurate, up-to-date data inventory doesn’t have to be confusing or complicated.
Data Inventories & CCPA
As the Attorney General clarifies provisions and issues regulations to implement the California Consumer Privacy Act (CCPA), the experts continue to weigh in with insight on key components of compliance, with data inventories playing an essential role in defensible compliance.
Donna Wilson of Manatt pointed out in a recent webcast on the topic, “[Data mapping is] a best practice regardless of the GDPR or the CCPA”.
Many of the rights conferred by the CCPA are new to U.S. residents. Two of the key data access rights include:
RIGHT TO ACCESS: Residents have the right to request that businesses disclose the categories and specific pieces of personal information that they collect, the categories of sources from which that information is collected, the business purposes for collecting or selling the data, and the third parties with whom data is shared.
RIGHT TO DELETION: Residents have the right to request deletion of their personal information and require businesses to delete their data (with exemptions outlined in the CCPA).
The CCPA applies to personal data residing in all data sources and locations. Successfully navigating and responding to data access requests requires organizations to have a comprehensive understanding of where personal data exists. Most companies are surprised to discover exactly where their data resides.
“Companies will need to take a number of affirmative steps to comply with the new requirements, including preparing data maps, inventories or other records of all personal information pertaining to California residents, households and devices, as well as information sources, storage locations, usage and recipients, to add newly required disclosures to privacy policies, to prepare for data access, deletion, and portability requests, to secure prior consent for data sharing from parents and minors and to comply with opt-out requests to data sharing.” - IAPP, Analysis: The California Consumer Privacy Act of 2018
The table below provides an overview of what other key data privacy & cybersecurity regulations have to say about data inventories.
Jordan Lawrence's Data Inventory Service is the most effective and defensible way to accurately develop and maintain a comprehensive data inventory. From initial development to ongoing maintenance, Jordan Lawrence has you covered.