Do you really need a data inventory?
Whenever I talk to clients about setting up a Data Privacy Compliance Program for their companies, I always tell them that the best way to start is with a data inventory and data mapping.
No, the data inventory and data map are not requirements of the National Privacy Commission (NPC). And you would not find the terms anywhere in the issuances of the NPC thus far. Hmm. So if it’s not a requirement, why do you need to do it?
Before going into the rationale for these, let me explain the concept first: A data inventory is a record of all personal data and associated information an organization has. This is usually in the form of a spreadsheet or database. A data map, on the other hand, is a summary of the inventory: a flow guide or visual representation of the personal data lifecycle in an organization.
Coming up with a data inventory (and later, a data map) can be a daunting task, especially if the organization is starting its Data Privacy Compliance Program from scratch. This will involve determining what type of personal data is being processed by the organization and what the lifecycle is for these data. The challenge is not to get bogged down in the effort and yet keep the organization’s focus on having a complete and accurate data inventory. Given the amount of initial work required, you may have second thoughts about actually doing an inventory. Why not dive directly into ticking the boxes of the NPC’s requirements instead?
Yes, you can shortcut the process but I strongly recommend that you do a data inventory nevertheless. Believe me, you will thank me later.
So why do the data inventory? Let me give you some reasons:
A data inventory would be very helpful in case of a data breach or information security incident, as you would be able to quickly determine what type of personal data is involved, as well as the stakeholders to whom information on the data breach needs to be communicated. Remember that Section 38 of the Data Privacy Act Implementing Rules and Regulations mandates data breach notification to the NPC and the affected data subjects within 72 hours from discovery of a personal data breach requiring notification. (Refer to Section 38 for the instances when the 72-hour notification period applies.)
A data inventory will also be invaluable when a data subject exercises his/her right to access against an organization. Without a data inventory, an organization would find it costly and time-consuming to come up with the following information: what personal data is being processed, sources of the personal data, recipients of the personal data and reasons for the disclosure, manner of processing, and the date when the personal data was last modified or accessed.
A data inventory will also make the conduct of a privacy impact assessment easier as you will not need to drill down on the personal data lifecycle each time that the organization implements a new personal data processing project.
Finally, a data inventory would save the organization from having to escalate most personal data processing decisions to management. With a data inventory and data map in place, organizations can come up with standard operating procedures for certain activities. This will enable the organization to delegate a lot of the decision-making to the units and reserve escalation to management for cases requiring special handling.
Want to know more about doing a data inventory? This article may help.