These additional resources and examples will help you fill out the Data Inventory Template. The numbers below refer to the columns in the template.

0) Header

- Data Controller: Fill in the name and contact details of your business. If you have a Data Protection Officer, fill in his or her details too.
You only need a Data Protection Officer if you process personal data on a large scale. See this guidance by the EU Commission for more information.

- EU representative: Fill in the name and contact details of your EU representative.
As a general rule, if the GDPR applies to your business even though your business is based outside the EU (i.e. in Switzerland), you need to appoint an EU representative. There is an exception to that rule for businesses with occasional and low-risk processing activities. Unfortunately, there isn't really any guidance yet as to what exactly that means. I will keep you posted about any future developments.

1) Personal data we process

This first column isn't a mandatory part of the inventory. I added it for convenience. It allows you to organize the personal data you process into groupings that make sense for your business. In my experience, it's usually helpful to group the data either by data subject and source (e.g. user data from the sign-up form, automatically collected user data, etc.), or by data subject and storage location (e.g. hard copy customer files, electronically stored customer information, etc.).

Here are some pointers by the EU Commission to help you find out what data and what activities are covered by the GDPR:

2) Where does the data come from?

List how you collected the data (where you got it from).
Examples: directly from the data subject (sign-up form, user activity/posts, through email, etc.), from a third party, through an analytics tool

3) Whose data is it?

Write down the category of data subjects whose data you are processing.
Examples: customers, users, business partners, prospects, website visitors, employees

4) What kind of data is it?

Describe what kind of personal data you are processing.
Examples: contact information, medical records, employee files, financial information

5) Is it sensitive data?

Make a note of any sensitive data you process. This is important because the data protection rules for processing sensitive data are stricter than the general rules.
Guidance by the EU Commission (more info and examples)

6) Why do we process this data (purpose)?

Describe the reasons why you process the data.
Examples: providing customers with the goods or services they bought, marketing, legal requirements (e.g. employer obligations), analytics

7) What is our lawful ground for processing?

This is one of the most crucial parts. Under the GDPR, processing personal data is only legal if one of its "lawful grounds for processing" applies. That means you need a lawful ground for processing for every one of your processing activities.
The most important lawful grounds for processing are:
- Legitimate interest
- Legal obligations
Guidance by the EU Commission (more info and examples)

8) Where do we process/store this data?

Indicate where you process and store the data. This can be an electronic system or a hard copy filing system.
Examples: your own server, cloud storage, hard copy filing cabinet, a third-party service provider's server

9) How long do we keep this data (retention period)?

If you set a retention period for the data, write it down here.
Guidance by the EU Commission (more info)

10) What are the security measures we put in place to protect this data?

List the organizational and technical data security measures you put in place.
Guidance by the EU Commission (more info)
Examples: pseudonymization, encryption, access restrictions

11) Does processing this data involve a transfer to a third party? If yes, who is it and where are they?

Write down who you share the data with.
Examples: subcontractors, freelancers, cloud services, hosting providers, email marketing services, IT support services

12) If we transfer to a processor, is a data processor agreement in place?

If a third party processes personal data on your behalf, you need to put a processor agreement in place. Ask your processor if they have one – if their core business is processing other people's data and they take the GDPR seriously, they usually do.
Guidance by the EU Commission (more info)
Guidance by the EU Commission on the difference between controllers and processors

13) Is this transfer an international transfer out of Switzerland? If yes, is it compliant with Swiss data protection laws?

A transfer out of Switzerland is compliant with Swiss law if:

14) Is this transfer an international transfer out of the EEA? If yes, is it compliant with the GDPR?

A transfer to a country outside the European Economic Area (EEA) is compliant with the GDPR if:
Guidance by the EU Commission (more info)

15) Measures to be taken

List any measures you need to take to become compliant.