14 August 2023

Data processing inventories: Part 2 — Understanding and documenting your business to manage privacy risk

Cassie Findlay
Principal

In this second part of our short series on data processing inventories, elevenM’s Cassie Findlay takes a look at the benefits of a process-oriented approach.

As we described in our last post, flying blind when it comes to the ‘what’ and ‘why’ of the personal information your organisation is collecting is a risky proposition. But so too is a lack of understanding across the many other ways you are handling that information: once collected, is the information being used for a purpose that is unrelated to the reason for its collection? Why? Is this personal information needed for our core business? Which third parties are we disclosing the information to?

There is something that connects questions like these, and it isn't the name of a system or a vendor: they are all questions about what the organisation is doing.

As an archivist and recordkeeping professional, my training and experience mean that I view the world of information through the lens of business activity. Records, in all their forms from documents to data, are regarded as records not because of their form but because they are evidence of actions that have occurred. They are contextually specific, and they rely on the interplay of people, systems and organisational entities. This view of the world forms the foundational elements of elevenM's approach to describing the business of our clients in what we call data processing inventories (DPIs).

One of the key advantages of this approach is that a DPI presents a detailed picture that marries the stable features of the business (functions, activities, processes) with the more variable features (systems, vendors, teams). In this way it can serve as a durable resource for managing privacy risk. By taking a business-centric view, it is easier to link information in systems to the applicable retention rules, which are typically described according to functions and activities rather than systems. Attributes that are unique to the organisation can be included to help achieve related goals, such as the identification of business-critical processes for business continuity planning.

Our approach has a number of benefits:

  • Starting with a ‘top down’ look at the organisation’s functions ensures comprehensive coverage of all aspects of the business you do, which a systems-oriented approach can fail to achieve.
  • Processes, once described, can be grouped by their attributes to provide insights that help answer many privacy-related questions, ranging from ‘how much sensitive personal information are we collecting, and why?’, to ‘what retention rules should we apply to personal information collected and kept in these systems?’.
  • The hard work of building the first inventory will pay off over time because, as systems and vendors change, they can be routinely added to or removed from the stable picture of processes that has been constructed, without re-describing the business.
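To make the process-centric model concrete, here is an added example of a toy inventory and the kinds of queries the bullets above describe. It is illustrative code written for this post, not elevenM's DPI tooling, and every function, activity, process, system, vendor, retention rule and sensitivity category in it is hypothetical and constructed for the example. The point it demonstrates is structural: retention rules hang off the stable (function, activity) pair, and systems and vendors are attributes of a process, so swapping a system out does not disturb the retention mapping.

```python
"""Toy process-centric data processing inventory (DPI).

Added example. All functions, activities, processes, systems, vendors,
retention rules and sensitivity categories below are hypothetical and
constructed to illustrate the model; they are not real client data.
"""
from collections import defaultdict
from dataclasses import dataclass, replace

# Categories treated as sensitive personal information (hypothetical set).
SENSITIVE = frozenset({"health", "biometric", "criminal_record"})


@dataclass(frozen=True)
class Process:
    """One row of the inventory.

    function, activity and name are the stable, business-centric part;
    systems, vendors and team are the variable part that changes over time.
    """
    function: str
    activity: str
    name: str
    purpose: str          # why the information is collected / used
    pi: frozenset         # categories of personal information handled
    systems: frozenset    # where the information is kept
    vendors: frozenset    # third parties it is disclosed to
    team: str


# Retention rules are keyed by (function, activity), not by system,
# so they survive system and vendor changes. Hypothetical rules.
RETENTION = {
    ("Human resources", "Recruitment"): "Destroy 12 months after decision",
    ("Human resources", "Workplace health"): "Retain 30 years after last action",
    ("Sales", "Customer accounts"): "Retain 7 years after account closure",
}

# Constructed sample inventory.
INVENTORY = [
    Process("Human resources", "Recruitment", "Screen applicants",
            "Assess suitability for role",
            frozenset({"name", "email", "criminal_record"}),
            frozenset({"ATS"}), frozenset({"BackgroundCheckCo"}), "Talent"),
    Process("Human resources", "Workplace health", "Record workplace injuries",
            "Meet WHS obligations",
            frozenset({"name", "health"}),
            frozenset({"HRIS"}), frozenset(), "People"),
    Process("Sales", "Customer accounts", "Open customer account",
            "Provide purchased services",
            frozenset({"name", "email", "payment_card"}),
            frozenset({"CRM", "BillingDB"}), frozenset({"PaymentsInc"}), "Sales ops"),
]


def sensitive_processes(inv):
    """'How much sensitive PI are we collecting, and why?'
    Returns (process, purpose, sensitive categories) for each process
    that handles at least one sensitive category."""
    return [(p.name, p.purpose, sorted(p.pi & SENSITIVE))
            for p in inv if p.pi & SENSITIVE]


def retention_for_system(inv, system):
    """'What retention rules apply to PI kept in this system?'
    Answered by walking system -> process -> (function, activity) -> rule."""
    return {p.name: RETENTION[(p.function, p.activity)]
            for p in inv if system in p.systems}


def disclosures_by_vendor(inv):
    """'Which third parties are we disclosing which categories of PI to?'"""
    out = defaultdict(set)
    for p in inv:
        for vendor in p.vendors:
            out[vendor] |= p.pi
    return {v: sorted(cats) for v, cats in out.items()}


def migrate_system(inv, old, new):
    """Replace one system with another across the inventory. Only the
    variable layer changes; processes and their retention rules are untouched."""
    return [replace(p, systems=(p.systems - {old}) | {new}) if old in p.systems else p
            for p in inv]


if __name__ == "__main__":
    for row in sensitive_processes(INVENTORY):
        print("sensitive:", row)
    print("HRIS retention:", retention_for_system(INVENTORY, "HRIS"))
    print("disclosures:", disclosures_by_vendor(INVENTORY))
    migrated = migrate_system(INVENTORY, "HRIS", "NewHRIS")
    print("NewHRIS retention:", retention_for_system(migrated, "NewHRIS"))
```

Note that `retention_for_system` never consults a per-system table: the rule is reached through the process and its activity, which is why `migrate_system` can rename a system without any retention data being re-entered. A systems-first inventory would have to carry that mapping on every system record and re-key it at each migration.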

As we have flagged already in this series, the high-profile breaches of the last 12 months, and the coming reforms to the Privacy Act, make it imperative that organisations understand how and why they handle personal information. A process-oriented inventory will serve as a key resource for navigating reforms, because specific types of business, data, people and purposes can be examined and adjusted to meet emerging requirements. As a jurisdictionally-agnostic tool, a DPI can serve the needs of privacy programs in all sectors (and of a privacy program that operates across multiple sectors).

By taking stock and establishing a robust view of your information in its business context now, you can identify and address immediate risks today while laying the groundwork for managing your privacy program into the future.

While the need is clear, actually creating this type of inventory can seem like a daunting task, especially when you operate in a complex environment. In our next post in this series we will break down some of the elements of how to build a DPI.

Contact us

If you’re interested in learning more about how to implement data controls, contact us at hello@elevenM.com.au or on 1300 003 922.