Do you have to make a data inventory under GDPR?

Yes. But not a traditional data inventory.

A traditional data inventory is a record of the data assets that an organisation handles and can cover both personal data and general data (accounting, statistical data, network data, etc.). General data inventories are typically driven out of the IT, security, or governance department through manual or automated tools and include details on the network and infrastructure. These records often do not contain details on personal data elements or personal data processing activities.

GDPR requires a processing data inventory, called “records of processing activities”, as stipulated in Article 30 of the GDPR. You are required to maintain a record of all your organisation’s processing activities internally, and to make them available to supervisory authorities upon request. In general, these records should contain:

(a) the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
(b) the purposes and legal grounds of the processing;
(c) a description of the categories of data subjects and of the categories of personal data;
(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
(e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
(f) where possible, the envisaged time limits for erasure of the different categories of data;
(g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

The requirements in Article 30 make sense. Logically, until an organisation truly understands what personal data it has, where it is located, and how it moves through and out of the organisation, it is not possible to protect it, nor is it possible to fully comply with the GDPR.

Am I required to use a tool to make the inventory?

No, GDPR does not specify how the processing data inventory should be performed and updated. This means that the work can be performed and documented manually. Handling the inventory manually, however, risks being very time-consuming, and there are some challenges that must be addressed:

  • How should work be distributed in the organization to the persons understanding the purpose of a specific piece of information?
  • How should delegated work be controlled over time to ensure it is being performed?
  • How should internal training be performed so the tasks can be performed with sufficient quality?
  • How should documentation be made to secure a common standard?
  • How should the documentation be made to handle personal information that is moved? File location will not be a strong enough identifier.
  • How should the data sources be monitored to ensure that the records of processing activities stay updated?

Am I required to gather other data than described in Article 30?

No, GDPR does not require an organization to gather other data than described in Article 30.

However, Articles 15-23 of the GDPR describe the rights of the data subject.

Individuals now have the right to access the personal data that an organisation is processing about them, as well as the following information:

  • The purpose of the processing of that data
  • The source of the data
  • Where and for how long the data is being processed
  • Who the data is being disclosed to
  • Whether (and the extent to which) that data is being used for automated decision making

Under GDPR, these rights should be fulfilled within a month from the request, be delivered in a digital format, and be free of cost for the data subject.

Data subjects also have the right to rectification, to be forgotten, to demand restriction of processing, to object, and to data portability.

If the processing data inventory risks consuming a lot of resources, data subject requests become a nightmare if the inventory does not also contain information on the specific location of each piece of personal data.

Personal data is all information that, in combination, can be used to identify a living individual, and GDPR requires the data processor to know what personal data they are handling. In practice, this means that a subject access request for a social security number that leads to a document also containing an email address must trigger a new search for that email address, which might lead to an email that contains a phone number. That in turn creates the need to search for that phone number as well, and so on. Finding all relevant data sources, documents and emails containing any of the subject's personal data will demand a lot of resources for each request, especially since an answer must be given within one month.

On top of that, if the data subject request also contains a request for all database records, files and emails, all other individuals' personal data must be masked in these before they are delivered to the requesting data subject. Not doing so is considered a breach of GDPR.
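
The chained search described above can be written as a breadth-first expansion over identifiers. This is an added example, not code from Aigine or from the original page; the sample documents, the simplified identifier patterns and the names `expand_request` and `max_hops` are constructed assumptions. An identifier found next to the subject's may belong to someone else, so the function records which document introduced each identifier and lets a reviewer prune the chain.

```python
import re
from collections import deque

# Constructed sample corpus (not real data): document name -> text.
DOCS = {
    "hr/contract.txt": "Employee 850709-1234, contact anna@example.com",
    "mail/0412.eml": "From: anna@example.com  Call me on +46 70 555 01 23",
    "crm/notes.txt": "Callback +46 70 555 01 23, or ask bo@example.org",
    "misc/menu.txt": "Lunch menu week 12",
}

# Simplified, assumed identifier formats; real detection needs far more.
PATTERNS = {
    "national_id": re.compile(r"\b\d{6}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\+\d{2}(?: \d{2,3}){4}"),
}

def identifiers_in(text):
    """Return every (kind, value) identifier found in a text."""
    return {(kind, m.group()) for kind, rx in PATTERNS.items()
            for m in rx.finditer(text)}

def expand_request(seed, docs, max_hops=3):
    """Breadth-first expansion of a subject access request.

    Returns (hits, trail): hits maps each matching document to the hop at
    which it was reached; trail maps each discovered identifier to the
    document that introduced it, so a reviewer can prune false links
    (a co-occurring identifier may belong to another person).
    """
    index = {name: identifiers_in(text) for name, text in docs.items()}
    trail = {seed: None}
    hits = {}
    queue = deque([(seed, 0)])
    while queue:
        ident, hop = queue.popleft()
        for name, found in index.items():
            if ident not in found:
                continue
            hits.setdefault(name, hop)
            if hop < max_hops:  # bound the chain so it cannot sprawl
                for other in sorted(found - set(trail)):
                    trail[other] = name
                    queue.append((other, hop + 1))
    return hits, trail
```

In the constructed corpus the chain reaches `crm/notes.txt` only through a shared phone number, and the trail shows that `bo@example.org` entered the search from that file, which is the kind of link a reviewer has to confirm or discard before anything is disclosed.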

In order to make data subject requests more efficient it is therefore strongly recommended that the processing data inventory also contains documentation of the specific personal data, and where it is located in the document. However, such a high granularity of documentation makes a manual inventory even more time consuming.

What Aigine does.

Aigine Inventory Engine makes the creation of the processing data inventory more efficient, by providing a semi-automated digital process, where human and machine interact to ensure efficiency and quality of the outcome.

This is achieved by addressing the problems with manual handling.

  • How should work be distributed in the organization to the persons understanding the purpose of a specific piece of information?

Aigine contains a workflow engine that delegates the work via email and personal task lists.

  • How should delegated work be controlled over time to ensure it is being performed?

Aigine's workflow engine shows status and progress. We also provide users with an intuitive web-based user interface, making the actual task easier and more pleasant to perform.

  • How should internal training be performed so the tasks can be performed with sufficient quality?

Aigine uses algorithms to automatically identify personal information and highlight it. We also provide a contextual knowledge database showing relevant information from the national DPA. Our algorithms also suggest a legal ground for the processing and, when possible, the time the data should be saved.

  • How should documentation be made to secure a common standard?

In Aigine, documentation is made in a smart digital form, ensuring a common way of documenting.

  • How should the documentation be made to handle personal information that is moved? File location will not be a strong enough identifier.

Aigine uses hash technology to identify documents and ensure that the documentation is always pointing at the relevant information source, no matter where it is located within your network.

  • How should the data sources be monitored to ensure that the records of processing activities stay updated?

By using hash technology, Aigine automatically detects new and changed files, and delegates these within the workflow engine, to ensure that they are reviewed and documented.
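
One way to key documentation on content rather than on file location, as the two answers above describe, is to index the records by a SHA-256 digest of each file. This is an added example, not Aigine's implementation; the inventory layout and the function names are assumptions. An exact digest only matches byte-identical content, so any edit to a file shows up as content that needs review.

```python
import hashlib
import os

def sha256_of(path, chunk=1 << 16):
    """Hash file content in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def scan(root):
    """Map content hash -> set of relative paths currently holding it."""
    found = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root)
            found.setdefault(sha256_of(full), set()).add(rel)
    return found

def reconcile(inventory, root):
    """Compare a hash-keyed inventory with what is on disk now.

    inventory: {content_hash: {"paths": set, "record": documentation}}
    (assumed layout). Returns the work list: paths whose content is
    undocumented, content that only moved (documentation still valid),
    and documented content that is no longer present anywhere.
    """
    current = scan(root)
    report = {"needs_review": [], "moved": [], "missing": []}
    for digest, paths in current.items():
        entry = inventory.get(digest)
        if entry is None:                      # new file or edited content
            report["needs_review"].extend(sorted(paths))
        elif entry["paths"] != paths:          # same bytes, other location
            report["moved"].append((sorted(entry["paths"]), sorted(paths)))
            entry["paths"] = set(paths)        # re-point the documentation
    for digest in inventory.keys() - current.keys():
        report["missing"].extend(sorted(inventory[digest]["paths"]))
    return report
```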

Before all of the above happens, Aigine uses its algorithms to sort out documents that do not contain personal information, and therefore do not have to be reviewed and documented.

These algorithms are created, and continuously improved, through deep learning, using collaborative cognitive learning, where all users provide the neural network with high quality training data.

All these things together reduce the actual work needed to create the processing data inventory by more than 97%, a number that is increasing as the algorithms become more performant and language capable.

Our long game.

Aigine collects much more metadata than required by Article 30 of the GDPR. The reason for this is that we want to make GDPR governance more efficient over time. Performing a processing data inventory with Aigine is an investment for the future, and we will continuously offer add-ons that reduce your workload.

By doing that, we use our continuously improved algorithms to perform monitoring, not only from a regulatory perspective, but also for policy enforcement.

Aigine also knows what personal identifiers exist in the data, and the exact location of each individual potential personal identifier.

Handling a data subject request with Aigine is therefore not performed by searching the data itself. The search is performed in the metadata layer, where all relevant email addresses, phone numbers, addresses, IP addresses, etc. are found directly. Aigine then presents the list of relevant data sources, documents and emails, together with the stored information on legal grounds and the time the data will be saved, in an electronic format that can be sent to the requesting subject.

A task that potentially will take hundreds of hours to perform, and deliver questionable quality, is therefore reduced to a couple of seconds with flawless results.

Handing out the actual documents is just as easy. Since GDPR prohibits handing out any personal data other than that belonging to the requesting subject, all files and emails must be masked. Since Aigine stores information on the location of potential personal information, the otherwise manual work of masking files can be performed automatically, providing PDF/A files to the requesting subject with all non-relevant personal identifiers masked.

By using this combination of technology, we can also offer automated masking, where files and emails are automatically masked when the time to save the personal information is up.

This makes it possible for Aigine customers to save more data, and be better prepared for a data-driven future.

 

 The semi-automatic digital process in Aigine. Human resources are used when their unique competences are needed. However, no hand-over is ever made between two humans. Process model created with 2c8 Modeling Tool.