Want to watch this video? Sign up for the course here. Or enter your email below to watch one free video.

Unlock This Video Now for FREE

This video is normally available to paying customers.
You may unlock this video for FREE. Enter your email address for instant access AND to receive ongoing updates and special discounts related to this topic.

Whether you are required to formally document your processing depends on factors including the size or the organisation the volume of data and the type of data being processed.

Basically, it means documenting all of the data that you process.  It is not a formal requirement for many smaller organisations but that doesn't mean that it isn't a good idea to do it.

In our experience it was an invaluable exercise, it identified all of our processing and the data we hold and what we do with it.  Creating a data inventory helped considerably when reviewing our privacy policy as it held most of the information we needed to make sure we were complying with the privacy principles.

The data you would include in an inventory would depend on processing activities and the types of data being processed

A simple data inventory may include:

  • Where the data is collected from (e.g.individual, employer)
  • The category of the data subject (e.g. employee, customer, potential customer, supplier)
  • The type of personal data being processed (e.g.contact information, financial record)
  • The purpose of processing (e.g.to supply goods, payroll, marketing)
  • Your lawful basis for processing (e.g. contract, consent, legitimate interest)
  • Whether the data is special category/sensitive personal data
  • The volume of that data being processed
  • Retention period  
  • Third party who may receive that data
  • Appropriate safeguards in place for transfer of data
  • Rights available to individuals (e.g. access and rectification or access data portability and rectification or right to erasure)

An example is available to download from your home page.