A data inventory is a detailed account of how a business processes personal data. While this is not an exhaustive list, a data inventory should contain information such as purpose of collecting the data, volume of individual data subjects, types of data subjects and the type of technical and organizational security measures to protect the data.

The average time to create a new data inventory may take several months or longer for large organizations. The first step for any organization creating a data inventory is the planning phase which consists of identifying and selecting a data privacy technology platform as well as identifying the team and stakeholders that will be responsible for managing and maintaining the data inventory.  Ankura recommends that the organization design a data inventory that encompasses the core data privacy topics which will require minimal net-new information to be gathered as new regulations emerge.

Most organizations that have prepared for the General Data Protection Regulation (GDPR) or California Consumer Privacy Act (CCPA) already have a data inventory in place and likely just need to update it to include information to support compliance with the California Privacy Rights Act (CPRA) and other pending U.S. state laws set to go live in 2023. 

Steps organizations should take to update their data inventory for 2023: 

1) Identify additional information that needs to be collected for upcoming U.S. privacy regulations such as the California Privacy Rights Act (CPRA). The four areas we commonly encounter that need to be updated in inventories prepared in response to the CCPA are listed below.

• Expand the inventory to include business-to-business and HR data subjects. The California Privacy Rights Act (CPRA) goes into effect on January 1, 2023, and expands the scope for data subject request rights and notice requirements to include employee and business-to-business data subjects. 
• Gather information regarding records retention. As our team has reported in prior articles, the CPRA suggests disclosures of retention period by category of personal information will be required in organizations' external facing privacy notices. Collecting records retention information via the data inventory will create efficiencies and allow organizations to meet these obligations.
• Identify processes that perform automated decision making. 
• Identify sensitive personal information (including precise geolocation under the CPRA) that is being collected or processed. CPRA affords data subjects the right to limit the use and disclosure of sensitive personal information which makes it critical to understand what sensitive personal information your organization collects or processes.

2) Update the point of contact in the organization who can provide details needed to update data inventory records. We have seen a surge in personnel shifts within organizations over the last couple of years. Updating the point of contact for specific assets and processing activities within the data inventory is critical. It is also very important to provide training to new team members who may now have a role in maintaining the data inventory.

3) Confirm information the organization previously collected is “refreshed” or reviewed for accuracy. As mentioned previously, we find that the time required by business teams to review or “refresh” inventory records can be less than half of the initial time investment compared to the initial data inventory build.

4) Remove information that is outdated or obsolete. For example, did the organization change the tool or asset it is using to perform a business process that involved personal information? Absent a data inventory maintenance process or target operating model that integrates Privacy Impact Assessments (PIAs) or other mechanisms to keep your inventory evergreen, we often see stale information that can be removed or updated to reflect the current state.

5) Provide training to those involved in the data inventory process. Ensure that new team members who are reviewing or participating in the data inventory for the first time are appropriately trained. Additionally, ensure those who have participated previously are trained and made aware of the upcoming regulations as these emerging privacy regulations have significantly shifted the U.S. privacy landscape. 

The data inventory acts as the foundation of an organizations privacy program. As we continue to navigate the rapidly evolving U.S. privacy landscape, we will continue to rely heavily on the data inventory to inform and comply with the upcoming regulations. It is vital that organizations either create or update their data inventory now to prepare for the regulations going into effect January 1st, 2023.