Do you have a documented list of personal data your service maintains?
Explanation
A personal data inventory is what's sought here: whether you maintain a documented list of the personal data your service holds. Personal data (also called personally identifiable information or PII) includes any information that can identify an individual, such as names, email addresses, phone numbers, IP addresses, location data, financial information, health information, etc.
Why this is important in a security assessment:
- Regulatory compliance: Many data protection regulations like GDPR, CCPA, HIPAA require organizations to know what personal data they collect and process.
- Risk management: You can't protect what you don't know you have. A data inventory helps identify security risks.
- Data minimization: Having a documented list helps ensure you're only collecting necessary data.
- Breach response: If a security incident occurs, knowing what personal data might be affected is crucial for notification requirements.
- Data subject rights: To fulfill requests like data access or deletion, you need to know where all personal data resides.
A good answer should include:
- Confirmation that you maintain such a list
- How the list is documented and maintained (e.g., data inventory tool, spreadsheet)
- What types of information are tracked in this list (data types, sources, purposes, etc.)
- How often the list is reviewed and updated
- Who is responsible for maintaining this documentation
Example Responses
Example Response 1
Yes, our organization maintains a comprehensive data inventory that documents all personal data processed by our service This inventory is maintained in our Data Governance platform and includes detailed information about each data element including: data type, classification level, purpose of collection, retention period, access controls, and data flow mapping The inventory is reviewed quarterly by our Data Privacy team and updated whenever new data elements are added to our systems or when existing processing activities change Our Chief Privacy Officer has ultimate responsibility for ensuring this inventory remains accurate and complete.
Example Response 2
Yes, we maintain a documented list of all personal data in our service Our inventory is managed through a combination of automated discovery tools and manual documentation in a centralized spreadsheet The inventory captures data categories (e.g., contact information, financial data, usage data), legal basis for processing, storage location, retention periods, and third parties with whom data is shared Our privacy steering committee conducts bi-annual reviews of this inventory, and department heads are required to report any new data collection activities as part of our change management process This documentation is a key component of our privacy impact assessment framework.
Example Response 3
No, we currently do not maintain a comprehensive documented list of all personal data our service processes While we have general knowledge of major data categories we collect (such as user account information and usage logs), we have not formally documented this in a centralized inventory We recognize this is a gap in our privacy program and have initiated a project to implement a data mapping exercise in the next quarter We've allocated resources to conduct a thorough audit of our systems and create a formal data inventory that will include data types, processing purposes, retention periods, and access controls Until this project is complete, we acknowledge we cannot fully demonstrate compliance with this requirement.
Context
- Tab
- Privacy
- Category
- Data Privacy
Related questions
- Have you performed a Data Privacy Impact Assesssment for the solution/project?
- Do you provide an end-user privacy notice about privacy policies and procedures that identify the purpose(s) for which personal information is collected, used, retained, and disclosed?
- Do you describe the choices available to the individual and obtain implicit or explicit consent with respect to the collection, use, and disclosure of personal information?
- Do you collect personal information only for the purpose(s) identified in the agreement with an institution or, if there is none, the purpose(s) identified in the privacy notice?
- Do you retain personal information for only as long as necessary to fulfill the stated purpose(s) or as required by law or regulation and thereafter appropriately dispose of such information?
- Do you provide individuals with access to their personal information for review and update (i.e., data subject rights)?

