While the concept of data inventory is not new, it has taken center stage the past few years. Regulations like the General Data Protection Regulation (GDPR), the California Consumer Protection Act (CCPA), and many others on the horizon, are the driving factors for businesses around the world taking a much closer look at their data.
Why is data inventory important?
At a minimum, data inventory—sometimes called a data map—is important because knowing what data your business collects leads to improved efficiency and increased accountability for everyone in the organization. The results from data inventory can also lead to better overall reporting, decision-making and operational performance optimization.
Committing to a data inventory strategy also helps to assess and reduce risk and uncertainty by developing a checklist for security and compliance requirements. Together, data inventory serves to designate and ensure accountability, better align organizational mission goals, increase confidence and consistency, and build intelligence and performance.
Without an accurate inventory, it is far more challenging to assess any underlying risk, which can further make it difficult to identify the controls that your organization needs to protect your valuable information assets.
Data inventory helps organizational leaders understand where all the data is coming from
With multiple streams of data entering the pipeline into your organization’s information system, it is vital to understand where it all comes from so you can better organize, access, analyze and protect it.
Here are just a few common sources of data to consider:
- Internal business systems that include accounting, point-of-sale, manufacturing shop floor systems, and inventory and warehouse management.
- Cloud storage and cloud-hosted systems that rely on web-based software products and processes.
- Third-party systems such as data feeds from customers or suppliers like electronic data interchange (EDI), which electronically communicates information that was once communicated via paper.
- External data sources that might include maps, geolocation, or government or public information.
- Internet of Things (IoT) that draws information from devices like cameras, smartphones, sensors or thermostats.
Performing data inventory gives you tools for better access to information
Gaining better insights into the type of data you collect, where it is held, with whom it is shared, and how it is transferred provides you with better accessibility, in addition to previously mentioned benefits.
Improved accessibility is based on learning more about where your data is stored, how well various systems communicate or integrate, whether there are unique keys to link related data between sources, and whether there is duplication or possible conflicts between different data sources.
When you get to the bottom of these issues, you can create more streamlined pathways to accessing data quickly and easily.
What to keep in mind when conducting a data inventory
If you are planning to conduct a data map or data inventory for your organization, it may help to keep the following considerations in mind:
- All the departments that are most likely to contain data.
- The contact person in each department with whom you can discuss data they may have.
- The best means of communicating with each contact person, such as whether you might send a questionnaire or speak with them directly.
- The types of personal data you need to collect within your organization, and whether you should learn more about the reason why your organization is holding the data.
- It is also important to know how long the data is kept, where and how it is regularly transferred, and the type of security used to protect it.
- The stakeholders in your organization that may have a special interest in the outcome of your data inventory, such as a privacy officer, chief information officer or data protection officer.
- The inactive systems, as well as active systems, to make sure you don’t miss valuable data inadvertently left in a defunct system.
- Take into account any possible compliance regulations that may affect your data and your data map, such as data related to individuals in European nations that may be subject to the GDPR privacy rules.
- Internal resource capacities and constraints, such as time and available staff, to conduct the data inventory.
There is no one-size-fits-all approach to data inventories to determine what you have
While there are general guidelines for performing data inventories, such as determining the scope and cataloging assets, most can be customized to fit your organization’s needs.
Take the time to look at your needs for your first, or next, upcoming data inventory to determine the best approach to help you determine what you have.
If you do not have staff or time to spare, consider reaching out to an external organization, such as GBQ’s IT Services team, who have experience in conducting such critical exercises to save time, human resources and money.
GBQ IT Services is one team of builders, breakers, operators, and auditors with access to a consortium of 50 experienced IT, cyber and assurance professionals delivering IT risk, cybersecurity, and productivity solutions.
We build value through IT strategy; protect value with information risk and cybersecurity services; measure value and improve productivity with data analytics and process automation, and assure value through IT audit services.