Follow ACC Docket Online:  

This Week in Privacy: Why Your Company Needs a Data Inventory

"This Week in Privacy” is a new column for in-house counsel who need advice in the privacy and cybersecurity sectors. K Royal is a director at TrustArc. To have your legal privacy questions answered, email with “This Week in Privacy" in the subject line.

Q: Why do I need a data inventory? No one in my company actually wants to do it and it’s a lot of work.

A: Data inventory, once completed, can save you a lot of work in the long run. Once you know where your data is, what data you have, who uses it, and where — and how long — it is kept, then you can streamline a lot of decisions, especially if you also have a data classification. The most common classification is simple: public, private, confidential, and highly sensitive.

Sure, you can get by without data inventory, but then you have terabytes of data (including paper, back up tapes, etc.) in places that no one knows about or uses. This is a huge risk for a data breach.

Setting up a data inventory simplifies the determination of privacy impact. For example, when a new project, product, or use for data comes along, you know what is classified in what category, where it is, who uses it, and what it is used for.

This is especially beneficial when considering what is shared externally — whether to an active data processor (a vendor who does something with the personal data for you), or to data storage (which is technically still a processor under EU definitions).

A data inventory is also helpful when implementing a large data project, such as replacing an ERP system. It truly saves time and effort on design.

While it is a lot of work on the front end, it’s useful on the backend as well. There are vendors who can help you set it up, but someone must be attuned to keeping it updated.

About the Author

K RoyalK Royal is the technology columnist for, and director at TrustArc. @heartofprivacy

The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.