Creating your Asset Inventory in TrustWorks

The Asset Inventory helps you track where personal data is used within your organisation, how it is shared and organised, and where it is physically located. This data map also helps identify risks that could impact compliance and reputation. Moreover, having a well-organised asset inventory can mitigate penalties in case of regulatory issues. It also facilitates compliance with Article 30 of the GDPR regarding the Record of Processing Activities (RoPA).

Creating your Asset inventory

The first step in building your data map is to identify all locations where personal data is processed in your organisation as part of various business tasks and processes. This includes both third-party vendors and internal applications and tools.

By creating this inventory, you gain an overview of:

• Where data processing occurs
• The categories of individuals whose data is processed
• The types of personal data involved
• The associated risk levels

There are different ways to create your asset inventory, which we will cover below.

Adding Assets Manually

You can manually add assets by clicking +New and filling in the mandatory fields:

• Classification: Choose from the following options: Application, Webform, Database, Backup Storage, Application Logs, Server/Infrastructure, Physical Document, Service, Cloud Storage, API/Web Service, Device, File/Document.
• Provider: Indicate whether the asset is Internal or Third-party.
• Type: Select from an extensive list of predefined asset types. If the asset is not listed, or if it is a proprietary company platform or application, you can add it as ‘Custom’.

• Name: Assign a name to the asset.

  Status: Define the current status of the asset:

  • Draft: The asset is in the initial planning or configuration stage and is not yet operational.
  • In Review: The asset is under evaluation for compliance, accuracy, or relevance, potentially requiring input from stakeholders, legal, or IT teams.
  • Active: The asset is in regular use and part of operational workflows.
  • Inactive: The asset exists but is not currently in use and may be retained for reference or future activation.
  • Exempt: The asset is not subject to certain regulatory or validation requirements.
  • Archived: The asset is no longer active but is retained for historical or legal reasons.
• Authorisation Status: Set as Unknown, Authorised, or Unauthorised.
• Owner: Assign an owner, which can be an individual user or a team within your organisation.

Additional Fields and Options

• Description: Provide a detailed explanation of the asset’s purpose.
• Legal Entity: Specify whether the asset belongs to the company or a vendor.

Data Mapping: 

• Categories of Individuals: Define the categories of individuals whose data is processed. These categories can be found under Settings menu > Data practices > Category of individuals, where default categories exist and additional ones can be added. 
• Categories of Personal data: Specify the types of personal data processed, available under Settings menu > Data practices > Data categories. 

• Actions: Enable or disable data mapping verification.

  
  

Risk Management:

• + Add Risk: Assess risks associated with the asset.
• Assessments: View assessments linked to the asset.
• Processing Activities: See which processing activities the asset is involved in.

Additional Information:

• Documents
  • Terms of Service (URL)
  • Privacy Policy (URL)
  • Privacy Policy (URL)
  • List of Subprocessors (URL)
• Processing Locations
  • Processing Locations
  • Source of Information / Comments
• Custom Fields: Use custom fields to ensure consistent data entry, particularly for organisation-specific information. Learn more about Custom Fields here.

By default, all assets that are not classified as “Applications” are marked as Custom. You can also classify Code Repositories and internal applications as Custom.

Getting started with your Asset Inventory

If your organisation uses Single Sign-On (SSO) (e.g., Okta or Microsoft Entra), you can automate part of the asset inventory process by integrating with your SSO system. This integration retrieves a list of all connected tools and helps identify shadow IT—applications that employees use without going through procurement.

The SSO integration scans for new assets daily. Detected assets are placed in the Staging Area of the Asset Inventory, where you can assign an owner, import them, or discard them.

If your required asset type is missing, you can add it as ‘Custom’. Additionally, if you already have a list of assets, we can import it for you.

Running Assessments on Assets

You can run assessments to verify an asset’s function and compliance. This is done via surveys set up on the platform. Learn more about Assessments here.

Assets in processing activities

In the Data Mapping section of Processing Activities, you can link assets used for data storage and processing, helping maintain an up-to-date Record of Processing Activities (RoPA) and building data flows.

Conclusion

Maintaining a structured inventory of all data-processing assets is a critical step in compliance with privacy regulations. The Asset Inventory in TrustWorks helps you create a comprehensive data map, identify risks, and improve data governance.