As data privacy & cybersecurity regulations continue to accumulate, the essential first step for compliance with any of them remains the same - you must understand your data. A data inventory is the foundation of defensible compliance with key regulations. In this newsletter, we'll answer some common questions about data inventories.
Who are the primary regulators that explicitly or implicitly require a data inventory?
Data privacy and cybersecurity regulations don't explicitly require companies to develop a data inventory or provide data maps. The General Data Protection Regulation has the most prescriptive requirements of any regulation thus far for compliance reporting and documentation. However, companies cannot reasonably or defensibly comply with the regulations if they don't first know where their information is stored, who has access to it, or how it is processed.
The EU Data Protection Authorities, the FTC, the SEC, as well as the world's leading law firms have all published regulatory guidelines that specifically include the development and maintenance of a comprehensive data inventory.
How does a company demonstrate a defensible process when regulators come calling?
Data privacy and cybersecurity regulations are principle-based, which means they are rather ambiguous. So, it is essential that companies have exceptional documentation of how they evaluate, understand, and address the risks to their personal and sensitive data – in all media types and locations. A structured process for developing and maintaining your data inventory, as well as for identifying the third-party service providers relevant to the regulations, will be critical in the event of a complaint, violation, or breach.
When asked how companies should reasonably comply with the regulations, Colorado's Office of the Attorney General responded, "What is reasonable will be further defined through case law that evolves as a result of the enforcement of this law as well as other state laws with the same or similar standards." In other words, companies must "wait and see" based on litigation that results from these regulations.
What are the key elements of an effective data inventory?
An effective and actionable data inventory identifies sensitive and personal data across all processing activities in all media types and locations and links essential elements together in a granular and meaningful way. The essential elements include processing activity, data subjects, applicability by residency, media types and locations, third-party access and sharing, and retention regulations.
What are the key questions that need to be answered?
In developing your data inventory, you should consider the following questions:
What sensitive and personal data do you have?
Where is sensitive and personal data stored?
Whose information do you access, process, store, or otherwise control?
What specific types of information do you have?
Who has access to your sensitive and personal information?
How long do you retain sensitive and personal information?
What is the legal or business purpose for retaining this information?
How do you protect this information?
Jordan Lawrence's Data Inventory Service is the most effective and defensible way to accurately develop and maintain a comprehensive data inventory. From initial development to ongoing maintenance, Jordan Lawrence has you covered.