6 October 2023

Data Processing Inventories: Part 4 — The benefits and risks of using privacy tools

Alistair Macleod

In the previous entry in this series, we looked at a practical process that you can follow to build your organisation’s Data Processing Inventory (DPI).

In this part, we will consider some of the ways that you can use tooling to help you assemble and maintain a DPI. We will also look at some of the available tools on the market.

Your organisation has decided to compile a DPI. You’ve identified the relevant stakeholders, set the scope, and made a project plan. Now the real work begins.

At this point, it can be tempting to look for a technology solution that can do all the heavy lifting for you. Used thoughtfully, privacy and data management tools can help to greatly simplify your workflows, avoid tedious and error-prone manual data entry, and provide valuable insights into your DPI.

However, we caution against relying on technology as a “plug and play” solution that can solve all the challenges associated with preparing a DPI. Documentation around how processes work may not be complete or accurate (maybe a system isn’t used the way it was intended, or a team might rely on the knowledge of someone who has been around the longest). Often the only way to get the complete picture is by consulting with the people in your organisation in order to understand how they work together. A technology solution is likely to overlook all of that valuable information about human interactions.

What a technology solution can do is help with the information gathering and validation components of the larger process. So, let’s consider some of the types of tools that can help with assembling and maintaining a DPI, and to use them to their best effect.

What types of tools are out there?

We’ll consider two types of privacy technology that can assist with preparing and maintaining a DPI:

  • Data mapping tools
    Data mapping tools can greatly streamline the process of collecting and organising information for your DPI. They can help you to communicate more easily with your stakeholders, ensure that data is recorded in a consistent format, identify gaps in your records and risks associated with your processes, and keep your DPI up to date by linking to privacy impact assessments and other risk activities.
  • Data scanning/discovery tools
    Data scanning and discovery tools can help an organisation better understand the volume and contents of large datasets which are too large for an accurate human review. They can help to quickly identify changes to the volume and contents of catalogued data assets, ensuring that changes to data processing activities do not go unnoticed.

Data mapping

Data mapping tools help you to better understand how data moves around within an organisation. Generally, they require you to start by identifying your organisation’s key data repositories, which can be done via manual data entry or by sending questionnaires to stakeholders. Once you have identified your key data repositories, a data mapping tool can assist you in the process of documenting how the data in each is collected, used, disclosed and otherwise processed.

Data mapping tools will typically generate visualisations that show the flow of data between repositories and business systems.

Some popular data mapping tools include:

A quick note about business process mapping

Business process mapping (or modelling) is a related-but-separate practice to data mapping which involves understanding and documenting how a business operates. A business process map describes a business in varying levels of detail, from a high-level view of the ways that business functions are organised, down to the specific practices that individuals carry out as part of their jobs.

Business process mapping is a broader and deeper activity than data mapping, in that it involves looking beyond the data that a business processes, into the more detailed steps that are taken when carrying out business activities.

Business process mapping can be very time consuming and resource intensive. Data mapping is more focussed, can be completed more quickly, and can be used as a starting point for a broader business mapping project.

We think that there are benefits in borrowing concepts from each practice to design an outcome that best meet an organisation’s requirements – and we have adopted many of the concepts related to business process mapping in our DPI methodology.

Data scanning/discovery

Data scanning and discovery tools can be deployed to automatically scan for and catalogue data.

In our experience, data scanning and discovery tools are best deployed after preliminary data mapping activities have been completed. Among other things, they can help to:

  • validate your DPI by confirming that the data in a repository matches your expectations
  • alert you to undocumented repositories of personal information, or if the volumes or types of personal information in a repository change unexpectedly
  • derive insights about the personal information you hold which can help to reduce risk (such as redundant or rarely used fields)
  • identify affected individuals in the case of a data breach.

However, because scanning tools are data-oriented, relying on them to assemble your DPI means that you will likely miss the benefits associated with adopting a process-oriented approach.

Some popular data scanning and discovery tools include:

Closing thoughts

The action of identifying key processes and repositories, and the roles and people that use them, is an important part of the DPI process. Ultimately, the quality of a DPI will depend on how accurately it captures your organisation’s business processes – processes which are often carried out by your staff members, and which involve steps which can’t be detected easily (or at all) by automated tools. The relationships you build in manually identifying these processes will also support you in keeping the resulting DPI up to date.

In the next (and final) post in this series, we will consider how to make sure you continue to get as much value as possible out of your completed DPI.

If you’re interested in learning more about how to undertake a data processing inventory, contact us at hello@elevenM.com.au or on 1300 003 922.

Note: this isn’t a comprehensive listing of all the available tools that can help you with a DPI – there are far too many to cover here – and it is not an endorsement of any specific tool. We are proud to have a commercial partnership with Securiti but we work with all tools and always work to ensure that clients select the right tool for their requirements. The IAPP Privacy Tech Vendor Report is a good place to learn more about the wide array of privacy tools available on the market.

Read all the blogs in this series: