Data Inventory

A comprehensive catalog documenting what personal data an organization collects, processes, and stores, along with relevant details about each data element. A thorough data inventory identifies data categories, sources of data, processing purposes, legal bases, retention periods, storage locations, access permissions, sharing with third parties, transfer destinations, and security measures. Data inventories are foundational for privacy compliance—you can't protect data you don't know you have. Creating a data inventory involves interviewing stakeholders, reviewing systems and databases, analyzing data flows, examining contracts with vendors, and documenting findings. The inventory should be maintained as a living document, updated when processing activities change. Data inventories support multiple compliance activities including privacy notices, data subject requests, breach response, impact assessments, and demonstrating accountability. They're closely related to (or form the basis of) records of processing activities required by GDPR Article 30.