6 May 2024

Using a data processing inventory to get law reform ready

elevenM

A data processing inventory can help your business prepare for both regulatory and process change. Here we outline some key areas that a data processing inventory can help you with to get privacy law reform ready.

This blog includes a free interactive guide.

As we all prepare to act on privacy law reform, one thing that is abundantly clear is that organisations will need a comprehensive understanding of what personal information they collect and hold, how they use and share it, how long they keep it and when they plan to delete it. Not only this, but they may need to understand all of these issues in relation to information that they didn’t previously handle as personal information, or be able to report on types of handling that previously flew under the radar.

This need for greater understanding of personal information processes doesn’t relate to just one area of reform, it is integrated throughout, in areas relating to collection, consent, retention and deletion, access, and definitions, to name just a few.

Based on our experience, the best way to improve the maturity of privacy in your organisation, identify areas needing uplift or respond to change, is to start by understanding what you have and why. To this end, we recommend that undertaking a data processing inventory will enable you to start implementing law reform, even if you don’t yet know what processes you need to change.

What is a data processing inventory?

A data processing inventory (DPI) is effectively a database of organisational processes that use or otherwise engage with personal information. Creating one involves looking at all the processes in your organisation, talking to process owners throughout the business, and assessing all the points at which personal information is collected, used or disclosed.

The reason we are so quick to recommend a DPI is that they offer a structured view of business processes, types of information handled, individuals that processes relate to and more.

A DPI presents a detailed picture that combines the stable features of the business (functions, activities, processes) with the more variable features (systems, vendors, teams). By taking a business-centric view, it is easier to link information in systems to the applicable retention rules, which are typically described according to functions and activities. Attributes that are unique to the organisation can be included to help achieve related goals, such as the identification of business-critical processes for business continuity planning.  

Information in a DPI is organised in a way that allows for a range of different views of the personal information you hold.

Another advantage of a DPI is that they can be created by a business at any level of privacy maturity.

How will a data processing inventory help me implement change?

Your DPI is a future-proofed resource for managing privacy risk and reform. This is because specific types of business, data, people and purposes can be examined and adjusted to meet changes in regulatory requirements.

The process-based approach also has the advantage of being jurisdictionally-agnostic — you are mapping everything your business does, not checking off specific compliance requirements. That means that you can use it to assess, record or assure processes, whether that is for a regulatory change, expansion into a new jurisdiction, or simply a change in business approach or risk-appetite.

A DPI can help you get your house in order ahead of the reforms in many ways, including (but not limited to):

  • Ensuring that the over-retention of personal information is addressed, in particular higher risk types of personal information such as proof of identity documentation. A DPI enables you to zero in on where this information is held and why, and take steps to dispose of it where is it appropriate to do so.
  • Understanding you might be collecting or using technical identifiers, the kind that are likely to be covered by the updated definition of personal information.  
  • Improving understanding of personal information flows and storage in the organisation, to enable deletion requests and transparency requirements.

Five steps to undertaking a data processing inventory

While there are different ways to develop a DPI, we have refined a methodology which has delivered consistently high-quality outcomes across a range of organisations and business sectors. This is a five-step process that is a systematic approach to identifying and documenting processes in your organisation.

  1. Consultation and planning
  2. Information gathering
  3. Analysis and drafting
  4. Feedback and review
  5. Delivery

We have developed a free interactive guide that walks you through these five steps to undertaking a DPI. (You may download a PDF version, but we encourage you to use the interactive version first).

More information

For more information about undertaking a data processing inventory, read our five-part blog series on data processing inventories, or to talk to us about implementing data governance processes in your organisations, contact us at hello@elevenM.com.au or on 1300 003 922.