DRPV-05

Do you have a documented list of personal data your service maintains?

Explanation

This question is asking whether your organization maintains a documented inventory of all personal data that your service collects, processes, or stores. Personal data (also called personally identifiable information or PII) includes any information that can identify an individual, such as names, email addresses, phone numbers, IP addresses, location data, financial information, health information, etc.

Why this is important in a security assessment:

1. Regulatory compliance: Many data protection regulations, such as GDPR, CCPA and HIPAA, require organizations to know what personal data they collect and process.
2. Risk management: You can't protect what you don't know you have. A data inventory helps identify security risks.
3. Data minimization: Having a documented list helps ensure you're only collecting necessary data.
4. Breach response: If a security incident occurs, knowing what personal data might be affected is crucial for meeting notification requirements.
5. Data subject rights: To fulfil requests such as data access or deletion, you need to know where all personal data resides.

A good answer should include:

- Confirmation that you maintain such a list
- How the list is documented and maintained (e.g., data inventory tool, spreadsheet)
- What types of information are tracked in this list (data types, sources, purposes, etc.)
- How often the list is reviewed and updated
- Who is responsible for maintaining this documentation

Example Responses

Example Response 1

Yes, our organization maintains a comprehensive data inventory that documents all personal data processed by our service. This inventory is maintained in our Data Governance platform and includes detailed information about each data element, including: data type, classification level, purpose of collection, retention period, access controls, and data flow mapping. The inventory is reviewed quarterly by our Data Privacy team and updated whenever new data elements are added to our systems or when existing processing activities change. Our Chief Privacy Officer has ultimate responsibility for ensuring this inventory remains accurate and complete.

Example Response 2

Yes, we maintain a documented list of all personal data in our service. Our inventory is managed through a combination of automated discovery tools and manual documentation in a centralized spreadsheet. The inventory captures data categories (e.g., contact information, financial data, usage data), legal basis for processing, storage location, retention periods, and third parties with whom data is shared. Our privacy steering committee conducts bi-annual reviews of this inventory, and department heads are required to report any new data collection activities as part of our change management process. This documentation is a key component of our privacy impact assessment framework.

Example Response 3

No, we currently do not maintain a comprehensive documented list of all personal data our service processes. While we have general knowledge of the major data categories we collect (such as user account information and usage logs), we have not formally documented this in a centralized inventory. We recognize this is a gap in our privacy program and have initiated a project to implement a data mapping exercise in the next quarter. We've allocated resources to conduct a thorough audit of our systems and create a formal data inventory that will include data types, processing purposes, retention periods, and access controls. Until this project is complete, we acknowledge we cannot fully demonstrate compliance with this requirement.

Context

Tab: Privacy
Category: Data Privacy

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub