Creating your Data Inventory in TrustWorks
Table of contents
- Introduction
- Creating your data inventory
- Getting started with your Data Inventory
- Run assessments on your data repositories
- Data repositories in processing activities
- Conclusion
Introduction
The Data Inventory, also called a data map, helps you to know where personal data is used in your organisation, how it’s shared and organised, and where it’s physically located. The data map also helps you identify risks that could potentially impact compliance and reputation. And if you run into problems, it seems that penalties are less severe if you have an organised data inventory. It also makes it easier to comply with Article 30 of the GDPR regarding Records of Processing Activities (RoPA).
Creating your data inventory
The first step in creating your data map is to list all the places where personal data is processed in your organisation for different business tasks and processes. This can be third-party vendors and your organisation’s own apps and tools.
Creating this list will give you an overview of where data processing takes place, the categories of individuals whose data is being processed, the data categories, and the risk level.
There are different approaches to creating your data inventory. We’ll go through them here.
You can create the data repositories manually, by clicking: +New
Here you need to fill in, as a minimum, the mandatory fields:
- Type: Here you can choose from the extensive list of data repositories we already have in our back office. If it’s not there, or it’s your company’s native platform or app, you can add it as ‘Custom’.
- Name: Give the data repository the name you want.
- Status:
  - Draft: The draft status is when the repository is being created or set up but isn't fully operational or validated. Typically, it's in the initial planning or configuration stage.
  - In Review: The repository is under evaluation for its compliance, accuracy, or relevance. This may require input from stakeholders, legal, or IT teams before it becomes active.
  - Active: The repository is in regular use and part of the operational workflow. It is maintained and considered up-to-date.
  - Inactive: The repository exists but is not currently in use. It may be kept for reference, historical purposes, or potential future activation.
  - Exempt: The repository is not subject to certain rules, regulations, or validation processes that apply to other repositories. This could mean it does not store regulated data, doesn't impact compliance efforts, or falls outside the scope of your company's data management framework. Exempt status might also arise from decisions by data governance committees.
  - Archived: The repository is no longer active and has been formally stored for long-term retention. This is typically used for historical data or information no longer needed but retained for legal or business reasons.
- Authorisation Status: Unknown, Authorized, Unauthorized.
- Owner: The owner can be either a user or a team that’s been created in the settings of your organisation.
Additional fields and options:
- Description: Here you can add a description of what this tool is used for. The more detailed the description, the better.
- Legal Entity: This can be either the legal entity of the company or the vendor.
- Internal: Here you can toggle if the data inventory is an internal tool.
Data Mapping:
- Categories of Individuals: Here you can add the categories of individuals whose data is being processed in the data repository. These categories come from the Settings menu > Data practices > Category of individuals. There are some default categories, and you can add more.
- Categories of Personal data: Here you can add the categories of personal data that are being processed in the data repository. These categories come from the Settings menu > Data practices > Data categories.
Actions: Here you can toggle if the data mapping is verified.
Risk Management:
- + Add Risk
Assessments: Here you will see the assessments associated with the data repository.
Processing Activities: Here you will see the Processing Activities that this data repository is involved in.
Additional Information:
- Documents
- Terms of Service (URL)
- Privacy Policy (URL)
- List of Subprocessors (URL)
- Processing Locations
- Source of Information / Comments
- Custom Fields: Here the Custom Fields related to Data Repositories will show. You can use the custom fields to have consistent data, for example, if there’s some specific information you need on all the data repositories. You can read about Custom Fields here.
In the ‘Custom’ data repository type you can add ‘Code repositories’. You can add as many as you want, so you can manage all the code repositories for the same data repository if necessary.
Getting started with your Data Inventory
If your organisation uses Single Sign-on (SSO), for example Okta or Microsoft Entra, you can automate part of the process by integrating with your SSO system and retrieving a list of all the tools connected to it. Integrating with an SSO system that detects all the data repositories used in the organisation will also help you detect shadow IT: tools that employees use that haven’t been through the procurement process. The scan for new data repositories is run daily.
The data repositories detected through the SSO integration will be placed in the Staging Area of the Data Inventory. From there, you can assign an owner to the data repository, and import it to your data inventory or discard it.
There is already an extensive list of data repositories to choose from, but if it’s not there, or it’s your company’s own platform or app, you can add it as ‘Custom’.
Note: If you already have a list of all the tools, we can import it for you.
Run assessments on your data repositories
You can run assessments on the data repositories, to verify what the tool is used for, for example. This is done through a survey you can set up in the platform. See more about assessments here.
Data repositories in processing activities
In the Data Map of the processing activities, you can link the data repository or repositories used for the activity, as part of your RoPA.
Conclusion
Keeping a register of all the places where data is stored and processed in your organisation is an important first step to being compliant with privacy regulations. With the Data Inventory in TrustWorks, you can create an overview that will help you detect risks.