
31.10.24, 16:31 Top 10 operational responses to the GDPR – Part 1: Data inventory and mapping | IAPP

1 Feb. 2018

Europe Privacy Program Management Law & Regulation

Top 10 operational responses to the GDPR – Part 1: Data inventory and mapping

Rita Heimes
IAPP staff
CIPP/E, CIPP/US, CIPM
8 Minute Read

The European Union’s General Data Protection Regulation comes into force in less
than four months. Even with up to 70 percent of enterprises, globally, predicting
they would be ready by the May 25, 2018, deadline, according to a study conducted
by IAPP in late 2017, thousands of businesses, including many small-to-medium-
sized enterprises, are still struggling to digest dozens of provisions of legislative
text. Importantly, GDPR compliance is not a discrete point-in-time challenge, but
rather an ongoing process that will occupy data professionals in companies all over
the world, for many years to come.

In 2016, the Westin Research Center published the "Top 10 operational impacts of
the GDPR." With more than 70,000 downloads in 2017 alone, this series has
demonstrated great interest among professionals in a practical, tactical package of
GDPR guidance. But spotting issues and analyzing gaps is just the start of the
process. Inevitably, companies need to proceed to the implementation phase and
devise practical operational responses. With companies caught up in a flurry of
activity to get ready for the GDPR, or in full panic mode as they just prepare to
launch their programs, we are now offering a companion series to the
“Top 10 operational impacts," with our new “Top 10 operational responses to the
GDPR" series.

This series of 10 articles is based on our own research, on crowd-sourced
information from our 2017 surveys of IAPP members, and, importantly, on
interviews with leading global experts who volunteered from the IAPP’s Research
Advisory Board. The articles are intended to reflect practical and real-world steps
that data protection and privacy professionals are taking to help their companies,
employers and clients prepare for the plethora of GDPR data protection
obligations.

Top 10 operational GDPR responses

There is much to do to build programs compliant with what is undoubtedly
history’s most comprehensive data protection law. With 99 Articles and more than
170 Recitals, the GDPR challenges even the most experienced data protection and
privacy professionals with its sheer size, scope and complexity. Indeed, the top
barrier to GDPR compliance according to the IAPP’s 2017 study is “complexity of the
law.”

Giving up isn’t an option, of course, so here is the list of the top 10 operational
responses identified by our experts as the best plan of attack:

1) Conduct data inventory and mapping. This is where you start and is accordingly
the subject of this first post.

2) Establish a lawful basis for data processing and cross-border transfers.

3) Build and maintain a data governance system, including establishing leadership
(where appropriate, a data protection officer), setting forth policies and training
personnel.

4) Perform data protection impact assessments, along with data protection by
design and by default.

5) Prepare and implement data retention and record keeping policies and
systems.

6) Meet information transparency and communications obligations.

7) Configure systems and put in place processes to accommodate data subjects’
rights, including access, rectification, erasure, portability, objection to automated
processing and revocation of consent.

8) Prepare for security breach response and notification.

9) Have a sound vendor management (processor) protocol.

10) Establish systems and channels for communicating with your data protection
authority.

Data inventory and mapping

One can search the GDPR in vain for the terms “data inventory” or “mapping.” They
are simply not obliged by the plain language of the law.

But unquestionably, the first operational response to GDPR, essential to building a
program that aims to comply with the law, is a comprehensive exercise of data
mapping and inventory. The terms may have slightly different meanings depending
on whom you ask, but they involve at least the following:

Understanding the definition of personal data under the GDPR.
Determining what personal data is collected and used (“processed” in GDPR-
speak) by the organization.
Finding out where the data is stored, including what third-party systems might
house it and where, geographically, the servers are located.
Mapping where the data goes from point of collection throughout the
organization and externally to vendors or other third parties.
Determining how long the data is retained and in what formats. This includes
having a sense of whether the data are “structured” (in relational databases) or
“unstructured” (everything else, such as loosely organized systems, including
paper files or PDFs, for example).

Without conducting the inventory and mapping exercise, a data protection
professional cannot meaningfully build out a program that meets the GDPR’s many
obligations, including establishing a lawful basis for processing, providing data
subjects with transparency and meeting their other data protection rights, knowing
when and how to gather and record consent, and the like. It is quite difficult, for
example, to prepare a privacy statement or an internal privacy policy without
understanding what data is collected, how it is processed, and with whom it is
shared.

Importantly, data inventory is also the first step in complying with obligations to
keep records of processing under Article 30. This pivotal provision of GDPR
requires companies to maintain detailed records of their processing activities,
including the purposes of the processing; a description of the categories of data
subjects and of personal data; any recipients with whom personal data are shared,
including their geographic location; any cross-border data transfers and risk
mitigation measures; data retention schedules; data security policies; contact
details of a European representative and DPO, where applicable; and more.

Tools and methods

The best method to conduct data inventory and mapping will depend on an
organization’s size and complexity, as well as the amount of time allotted to the
exercise and the sophistication of the participants.

Many data protection and privacy professionals, perhaps assisted by outside
counsel or consultants, begin with a questionnaire. Those with adequate time can
engage in an initial discovery exercise to unearth their organization’s general
personal data life cycles, followed by deeper-dive questionnaires and follow-up
interviews, and even workshops.

Ideally, the inventory and processes created to support it allow – eventually, at least
– the capacity to identify data location and storage information at the level of an
individual data subject: What data do I have on Jane Doe, and where is it located? If
Jane wants access to her data, how can I be sure to find it all for her?

Assigning a level of risk to distinct data categories is also important at this stage.
After all, the GDPR fundamentally takes a risk-based approach to data protection. Is
the information highly sensitive, falling within a “special category” as defined in
Article 9? This would require a company to rely on a different legal basis than for
regular processing. Would unauthorized access to data create high risks to the
rights and freedoms of the data subjects? This would trigger a DPIA or require an
individual breach notification.

For many, this information is currently tracked in home-grown and adapted tools
available through standard enterprise software products. In the IAPP-EY 2017
Governance Report, 45 percent of respondents reported they conduct data
inventory and mapping informally, using manual and informal processes including
email, interviews and spreadsheets; only 32 percent reported using commercial
products developed exclusively for data inventory and mapping.

Over the past few years, a privacy technology industry has exploded in response to
the GDPR and other privacy regulatory developments. Dozens of startups have
emerged to provide solutions and tools for organizations working on data
protection regulatory compliance, accountability, and risk mitigation, as highlighted
in the IAPP’s annual Privacy Tech Vendor Report.

While less scalable than technological data mapping tools, traditional
questionnaires have the benefit of being comprehensive and can be sent to many
people within an organization, allowing for a potentially comprehensive and wide-
spread investigation. Their risks, however, include the potential for weak or
inaccurate responses, and misunderstanding on the part of those completing the
questionnaire who make assumptions and do not or cannot get clarification before
submitting their answers. The task of answering the questionnaire may also be
assigned to someone with inadequate knowledge or awareness.

Privacy professionals who are in a rush, then, may not be able to use a
questionnaire followed by interviews. Instead, it may be necessary to jump directly
to in-person meetings. This may take more personnel time – and at a higher level of
management within the organization – but is likely the best way to get useful
information about data processing as quickly, accurately, and efficiently as possible.

Thinking ahead

As the inventory and mapping process is conducted, data protection and privacy
professionals should be thinking not only about (a) what types or categories of
personal data are being collected, processed and stored, (b) by whom and where
they are stored, accessed and processed, but also (c) what the reasons are for the
personal data processing. Is it really necessary to have this information and why?
Article 5 of the GDPR requires that personal data be processed “lawfully and fairly”
and “collected for a specified, explicit and legitimate purpose.” Assigning such a
basis at the inventory stage expedites compliance with GDPR’s core obligations.

Indeed, record keeping under Article 30 is often conflated with inventory and
mapping, and although there is no reason they cannot overlap operationally they
are not necessarily the same thing. Article 30 does not expressly require the record
to demonstrate lawful basis for processing, and yet that is a core GDPR
requirement. Best practices counsel in favor of assigning these bases and recording
them at the inventory stage.
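As an added example (not from the article or the IAPP), here is a small Python inventory model that records the Article 30-style fields the article lists above and applies the checks it raises: a purpose and lawful basis per activity, an Article 9 condition for special-category data, a mitigation measure for transfers outside the EEA, a retention schedule, a DPIA for high-risk processing, and the per-subject lookup needed to answer "what data do I have on Jane Doe, and where?". The record schema, the special-category and EEA lists, and the sample records are constructed assumptions, not an authoritative list.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
# Constructed illustrative values; the real Art. 9 list and EEA membership are longer.
SPECIAL_CATEGORIES = {"health", "biometric", "racial or ethnic origin"}
EEA = {"DE", "FR", "IE", "NL"}

@dataclass
class Activity:  # one Article 30-style record of a processing activity (assumed schema)
    name: str
    purpose: str
    data_categories: Set[str]
    subject_categories: Set[str]
    systems: Dict[str, str]        # storage system -> country code (where the servers are)
    recipients: Dict[str, str]     # third-party recipient -> country code
    retention_days: Optional[int]
    lawful_basis: Optional[str]    # Art. 6 basis, assigned at inventory time
    art9_condition: Optional[str] = None
    high_risk: bool = False
    dpia_done: bool = False
    transfer_safeguard: Optional[str] = None
    subjects: Set[str] = field(default_factory=set)  # constructed per-subject index

def review(a: Activity) -> List[str]:
    """Return the gaps the article says inventory and mapping should surface."""
    gaps = []
    if not a.purpose:
        gaps.append("no specified purpose (Art. 5)")
    if a.lawful_basis is None:
        gaps.append("no lawful basis recorded")
    if a.data_categories & SPECIAL_CATEGORIES and a.art9_condition is None:
        gaps.append("special-category data without an Art. 9 condition")
    abroad = sorted(r for r, c in {**a.systems, **a.recipients}.items() if c not in EEA)
    if abroad and a.transfer_safeguard is None:
        gaps.append("transfer outside EEA without mitigation: " + ", ".join(abroad))
    if a.retention_days is None:
        gaps.append("no retention schedule")
    if a.high_risk and not a.dpia_done:
        gaps.append("high-risk processing without a DPIA")
    return gaps

def locate(inventory: List[Activity], subject: str) -> Dict[str, List[str]]:
    # "What data do I have on Jane Doe, and where is it?" for an access request
    return {a.name: sorted(a.systems) for a in inventory if subject in a.subjects}

INVENTORY = [  # constructed sample records
    Activity("payroll", "pay staff", {"bank details", "health"}, {"employees"}, {"hr-db": "DE"},
             {"payroll-vendor": "US"}, 3650, "legal obligation", subjects={"jane.doe"}),
    Activity("newsletter", "marketing", {"email"}, {"customers"}, {"crm": "IE"}, {}, 730,
             "consent", subjects={"jane.doe", "j.roe"}),
]
```

Running `review` over each record flags the payroll activity twice (special-category data with no Article 9 condition, and a US recipient with no transfer safeguard) and passes the newsletter activity, while `locate(INVENTORY, "jane.doe")` lists every system holding her data.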

The next installment in this series will address the various lawful bases under
Article 6 and how operationally to select – and appreciate the consequences of –
lawful bases options.

Conclusion

Preparing for GDPR compliance requires starting with an inventory of the
organization’s personal data processing practices, from collection and use, to
storage, retention and deletion. While some technical solutions are being offered to
help with this process, many practitioners are finding that self-service is still the
norm. As long as this is the case, this process will for many organizations be labor
intensive and perhaps more time consuming than ideal, especially given the
looming May 25, 2018, GDPR-implementation deadline. Nonetheless, a careful
inventory of personal data processing practices is a crucial first step in the
operational response to the GDPR.

photo credit: Sieboldianus Animated Map of geotagged Flickr photos (Europe), 2007-2017 via photopin (license)