In this final part of our series on Data Processing Inventories, elevenM’s Laura McVey looks at making the most of your Data Processing Inventory (DPI).
As previously discussed, the purpose of data processing inventories is for organisations to understand and articulate what personal information is collected, used and disclosed, and for what purpose. So, once you have a DPI, what does that mean? How can it be optimised within the organisation? What are you using it for, and what could you be using it for? Answering those questions really depends on what your organisation’s objectives are, but a DPI can be used for:
- Identifying collection processes in a given area of business in order to run an audit of collection notices and their suitability. This can then be used to prioritise which collection notices need to be updated first.
- Capturing the system of record and retention rules per process, to work on the implementation of retention rules. The organisation can then use this to determine what retained information can be deleted, or to put in place strategies for information that needs to be retained for an extended period.
- Looking at external disclosures of personal information to conduct a review of the applicable contractual terms to check they are adequate. If any contractual terms then need to be updated, this can be actioned.
- Reviewing the types of information collected and ensuring it is appropriate and required for the process. This is key in avoiding holding personal information which should not have been collected in the first place.
- Preparing for the reforms to the Privacy Act. The coming reforms to the Privacy Act are likely to mean organisations need to pay more attention to the ‘how’ and ‘why’ questions about their handling of personal information.
- The reforms may also mean changes to the definition of personal information, to include information such as technical identifiers. A DPI can track where and why this type of information is collected and used.
Once you understand how to use your DPI, the next question is how to maintain it. This can be done either on an ad hoc basis by updating it when processes change (which is likely to rely on the owners of the processes to keep you informed), or periodically, for example by completing a “big bang” review with relevant stakeholders to discuss whether any processes have changed and confirm everything remains accurate. Our advice would be to do a systematic review and update on a schedule (such as yearly), while also encouraging your organisation’s business areas to let you know if something substantial changes with their processing. The reason for this is two-fold: doing it systematically is more accurate and complete, and it can assist with the cultural change you need to get people proactively contacting you with updates.
Read all the blogs in this series:
- Part 1 — Why are you collecting it in the first place?
- Part 2 — Understanding and documenting your business to manage privacy risk
- Part 3 — A practical approach
- Part 4 — The benefits and risks of using privacy tools
If you’re interested in learning more about how to design and maintain a data processing inventory, contact us at hello@elevenM.com.au or on 1300 003 922.