In the previous entries in this series, we looked at some of the key questions that your organisation should ask itself when collecting personal information, and the benefits of adopting a process-oriented approach when creating an inventory of the personal information your organisation holds (which we call a data processing inventory, or DPI).
In this part, we will look at a practical process that you can follow to build your organisation’s DPI.
Once you have made the decision to document the personal information that your organisation collects and holds, you will need to determine how you are going to go about this task. Creating a DPI isn’t always an easy process but, if done well, a DPI can become an invaluable resource for your organisation. In fact, even the process of creating a DPI can be a valuable exercise in itself — not only for the outcome it produces, but for the education, awareness and new connections between staff delivered along the way.
While there are different ways to develop a DPI, we have refined a methodology which has delivered consistently high-quality outcomes across a range of organisations and business sectors.
5 steps to your DPI
In our experience, preparing a DPI usually involves the following steps:
Consultation and planning
In this step, you speak with your organisation’s key stakeholders, form a picture of your organisation’s functions and activities, determine the structure and details to be included in your DPI, and plan who will be involved in the subsequent steps of the process.
Documenting your business processes
In this step, you consult extensively with the stakeholders you previously identified, and you document your organisation’s business processes. This can be a lengthy process and there are different ways you can go about collecting and compiling the information you need. You may find that you uncover new business processes as you go, so your scheduling for this step should be flexible.
Callout: What information do you need to create a DPI?
Here is a sample of some of the common fields that we suggest including in a DPI:
- Process name
- Process description
- Related business function
- Process owner
- Types of personal information processed
- Types of individuals whose personal information is processed
- Type of processing (e.g. collection, use, disclosure, storage, disposal)
- Volume of personal information processed
There are many other details that you may want to capture in your organisation’s DPI, depending on your specific requirements and the nature of your organisation’s functions and activities.
Analysis and drafting
In this step, you review the information you have collected, then organise and analyse it (this may include identifying business processes on which you need to consult further) before compiling it into the DPI itself. You may also want to document any additional findings in a separate location and provide an accompanying report setting out the highlights of the DPI.
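The fields in the callout above and the analysis step are easier to work with once the inventory is held in a structured form rather than a free-text document. The following is an added example, not code from the original post or from elevenM: it models a DPI entry using the callout’s fields and runs two checks that typically surface processes needing further consultation. The check rules (every entry needs an owner; every category of personal information that appears in the inventory should have both a collection process and a disposal process recorded somewhere), the sample entries and the volume unit are assumptions made for illustration.

```python
"""Minimal data processing inventory (DPI) model with consistency checks.

Added example, not code from the original post. Field names follow the
callout in the post; the check rules, sample records and the "individuals
per year" volume unit are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class ProcessingType(str, Enum):
    COLLECTION = "collection"
    USE = "use"
    DISCLOSURE = "disclosure"
    STORAGE = "storage"
    DISPOSAL = "disposal"


@dataclass(frozen=True)
class DpiEntry:
    process_name: str
    process_description: str
    business_function: str
    process_owner: str
    personal_info_types: frozenset   # categories of personal information, e.g. "email"
    individual_types: frozenset      # whose information, e.g. "customers"
    processing_types: frozenset      # subset of ProcessingType
    volume: int                      # approximate individuals per year (assumed unit)


def validate_entry(entry):
    """Field-level checks on one entry; returns a list of findings (empty = OK)."""
    findings = []
    name = entry.process_name
    if not entry.process_owner.strip():
        findings.append(f"{name}: no process owner recorded; follow up with {entry.business_function}")
    if not entry.personal_info_types:
        findings.append(f"{name}: no personal information types listed; confirm the process is in scope")
    if not entry.processing_types:
        findings.append(f"{name}: no processing type recorded")
    unknown = {t for t in entry.processing_types if not isinstance(t, ProcessingType)}
    if unknown:
        findings.append(f"{name}: unrecognised processing type(s) {sorted(map(str, unknown))}")
    if entry.volume < 0:
        findings.append(f"{name}: volume cannot be negative")
    return findings


def lifecycle_gaps(entries):
    """Cross-entry check: each category of personal information that appears
    anywhere in the inventory should have a collection process and a disposal
    process recorded somewhere. Returns {category: set of missing stages}."""
    stages_seen = {}
    for entry in entries:
        for category in entry.personal_info_types:
            stages_seen.setdefault(category, set()).update(entry.processing_types)
    gaps = {}
    for category, seen in stages_seen.items():
        missing = {s for s in (ProcessingType.COLLECTION, ProcessingType.DISPOSAL) if s not in seen}
        if missing:
            gaps[category] = missing
    return gaps


def review_inventory(entries):
    """Combine per-entry and cross-entry checks into one list of findings."""
    findings = []
    for entry in entries:
        findings.extend(validate_entry(entry))
    for category, missing in sorted(lifecycle_gaps(entries).items()):
        stages = ", ".join(sorted(m.value for m in missing))
        findings.append(f"{category}: no process recorded for {stages}")
    return findings


# Constructed sample inventory (hypothetical organisation, not real data).
SAMPLE_ENTRIES = [
    DpiEntry("Online account sign-up", "Customer creates an account on the website",
             "Sales", "Head of Digital",
             frozenset({"name", "email", "date_of_birth"}), frozenset({"customers"}),
             frozenset({ProcessingType.COLLECTION, ProcessingType.STORAGE}), 50_000),
    DpiEntry("Marketing newsletter", "Monthly email to opted-in customers",
             "Marketing", "",                      # owner deliberately left blank
             frozenset({"email"}), frozenset({"customers"}),
             frozenset({ProcessingType.USE}), 30_000),
    DpiEntry("Account closure purge", "Deletes closed accounts after the retention period",
             "IT", "IT Operations",
             frozenset({"name", "email"}), frozenset({"customers"}),
             frozenset({ProcessingType.DISPOSAL}), 2_000),
]


if __name__ == "__main__":
    for finding in review_inventory(SAMPLE_ENTRIES):
        print(finding)
```

On the sample inventory the review reports two items: the newsletter process has no owner, and date of birth is collected at sign-up but no process ever disposes of it. Both are exactly the kind of gap that sends you back to a stakeholder before the DPI is compiled, and the same checks can be re-run whenever the inventory is updated.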
Feedback and review
Having collected so much information about your organisation’s business processes, it is important that you verify your observations. In this step, you consult with key stakeholders and ensure that your DPI, and any associated findings, are an accurate reflection of how your organisation really operates. A word of caution: compiling feedback from a large number of stakeholders can be risky and time-consuming — you may be overwhelmed with feedback and invite analysis paralysis. You may want to be selective in how you elicit feedback — in our view, it’s better to have a DPI which is substantially correct and constantly improving, than it is to have one which never made it out of the review process because it got stuck in a feedback loop.
Delivery
Delivering a DPI doesn’t mean just marking it “final” and calling it a day — you will need to ensure that your stakeholders understand the purposes of the inventory and that any findings will be acted upon.
Well done, you’ve created a DPI. Time to relax and put your feet up… for a little while. A DPI should not be an historic artefact — rather, it is a living document which should constantly evolve to reflect your organisation’s current business practices. A DPI needs an owner and supporting processes to make sure that it stays relevant and up to date. There are numerous benefits to keeping your organisation’s DPI current, and we will look at some of the many ongoing uses for a DPI later in this blog series.
In the next post, we will look at some of the tools and technologies that can help you to create and maintain your organisation’s DPI over time.
Read all the blogs in this series:
- Part 1 — Why are you collecting it in the first place?
- Part 2 — Understanding and documenting your business to manage privacy risk
- Part 4 — The benefits and risks of using privacy tools
- Part 5 — Making the most of yours
If you’re interested in learning more about how to implement data controls, contact us at hello@elevenM.com.au or on 1300 003 922.