For the long time the protection of personal data did not receive quite as much attention from the legislators. This changed with the European Union General Data Protection (GDPR) coming in force on May 25th, 2018. The main aims of the GDPR is to unify data protection legislation across European Union, give people more control over data about them and increase fines for the companies misusing personal data.
GDPR introduces principles of fairness, transparency, accountability and storage limitations when dealing with personal data and in art. 30 requires data processors to keep records of processing activities to follow these principles. Data processors are obliged to know information such as what type of personal data is collected, how and where is the data collected and processed, is the personal data being stored, protected and deleted. Data mapping and creating a data inventory are the essential steps towards the compliance.
According to the GDPR people have right to query data processors about the data they hold about them. People have right to ask what data a processor holds about them, for what purpose and what is done to the data. They also have a right to rectify and erase data. Data processor is obliged to reply within 30 days of the request being made to comply with the regulation. To provide an answer in such a short time, the data processor has to have an overview which and where the personal data is held. The data processor also needs to know the legal base of processing to determine whether they need to delete data upon request as there are types of personal data that needs to be retained for certain time periods to fulfil a legal requirement, example being employment contracts. Data inventory provides single point of reference record where personal data is held and with what lawful basis.
Knowing the legal base of data processing not only helps to know how to reply to data subjects queries but also helps to determine the required data retention periods. For example, in Estonia the employee contracts need to be saved for the duration of the contract and for the 10 years after termination of the employment contract.
Data inventory can be used more extensively than to just comply with the GDPR. For example if a company forwards a lot of data to the third parties or vice versa buys in a lot of data from the third parties, it would be essential to have an overview of what type of contract, who was involved and when was it signed.
Data mapping and creating an inventory might seem as an overly bureaucratic and burdensome activity but it really is just a good data housekeeping practice to manage companies’ valuable data assets. It shouldn’t be created just to comply with the GDPR it should be an essential data management tool for any company.
