Building a Defensible Data Inventory

Analysis of Big Data shows that the size of the digital universe doubles every two years and that human- and machine-generated data experience a growth rate 10 times that of traditional business data. All of this growth has happened (and is continuing to happen) faster than many organizations can prepare for it.

And with every new piece of data that an enterprise or organization stores, how that data is handled—or mishandled—can create nightmares for both in-house legal teams and outside counsel working with clients.

Every new discovery request means there’s that much more material to find and review, and that’s before we get into the specter of privacy rule proliferation, which is set to pick up the pace in 2020. All of this makes the concept of data management—and maintaining a comprehensive and up-to-date data inventory—even more important. And recent research shows compelling ROI for companies that invest in data management and privacy software. Consider the following:

  • According to Cisco’s Data Privacy Benchmark Study 2020, more than 40% of organizations are seeing benefits at least double what they spend on privacy software, with an average return of $2.70 for each $1 spent. In the UK, that figure is even greater at $3.50 in ROI for every $1 spent.
  • According to Exterro’s 6th Annual Federal Judges Survey, 78% of federal judges think that the enactment of new data privacy laws will make production more costly, showcasing the need for smarter legal technology to help trim costs.
  • According to Gartner’s Predicts 2020: Corporate Legal and Compliance Technology, by 2023 there will be a 150% increase in internal corporate legal expenditures on dedicated Data Subject Access Request (DSAR) solutions to handle consumer privacy requests.

Why is all of this important? Because, according to Cisco, a majority of companies (70%) say that investing in data privacy practices offers “significant business benefits” beyond privacy law compliance. In other words, having a strong handle on data can not only protect enterprises from increased risk due to privacy regulations but also create competitive advantages for companies that do it well.

Why a Data Inventory is Important

Before any of that ROI is obtainable, it is critical that the organization’s data inventory is up-to-date. While the EU’s General Data Protection Regulation (GDPR) does not, for example, legally require the creation of a data inventory, it does require internal processing activities to be logged and made available to regulators upon request. Likewise, the California Consumer Privacy Act (CCPA) doesn’t have a specific requirement for a data inventory, but section 1798.105 of the law states that a consumer has the right to request that a business delete any personal information that the business has collected.

The important question here is: How can the individual in charge of fulfilling these requests for deletion be certain that all of the subject’s information is in fact deleted without access to a full map of the organization’s data? Recently, pharmacy Doorstep Dispensaree in London became the first UK business to officially face a GDPR regulatory fine, with an ICO summary of rule breaches finding that a “lack of information provided to Data Subjects” was contextual to the fine. In this regard, a fully up-to-date data inventory is among the only ways to ensure total compliance with the GDPR, CCPA—or any number of other copycat laws sitting in state congressional houses at this very moment.

The foundation for compliance with any data privacy or cybersecurity regulation is an understanding of:

  • What sensitive data you have
  • How that data is collected
  • Where the data resides
  • Who has access to the data
  • Which third parties have access to the data

Without a comprehensive data inventory, it’s practically impossible to answer those questions—which makes privacy compliance very difficult.

Elements of a Defensible Data Inventory

A legally-defensible data inventory incorporates answers to the critical questions above and provides the roadmap to meet compliance obligations, identify vulnerabilities, and demonstrate accountability across the enterprise. In order to build a comprehensive data inventory, it’s important to pull from all sources across the organization to ensure that all of the data is captured and accounted for. This means collecting data from each of the following sources:

  • HR, Finance, IT, Legal/Compliance. It may seem obvious, but all internal data (including what’s not customer-related) must be accounted for—including current and former employees and candidates whose personal information is housed by an organization.
  • Departmental Shared Drives, Emails, and File Cabinets. Applications like SAP, Office 365, and other CRM platforms that house customer data must be accounted for, and that includes old paper records in filing cabinets. Our earlier example of Doorstep Dispensaree illustrates the need to account for physical documents filed away—more than 500,000 documents containing personal data were stowed in unlocked containers and unaccounted for.
  • All Third-Party Service Providers. Aside from knowing which of your vendors are subject to data privacy and cybersecurity regulations, you need to know which third-party service providers have access to your data. Providers that utilize lax security practices are at risk of a data breach—which means that your organization could face a data breach even without a direct cyberattack. According to the Ponemon Institute, 66% of businesses don’t keep an inventory of who their vendors are. That’s important to know and keep track of because 61% of respondents in the same survey experienced a data breach through a third party.

Technology Can Help with Your Data Inventory

As you may have imagined, all of this is difficult to do without technology to help find and identify the correct data in disparate locations across the enterprise. This is due partially to the fact that so much data within an organization is hidden or difficult to find—up to 80%, by some estimates. That’s a lot of data to miss, which means there’s a lot of risk in relying on Excel sheets and manual documents. And with the continued proliferation of data, a tool with a central search function that connects to all the major data sources to find everything that lives in the shadows becomes that much more necessary.

About Rebecca Perry

Rebecca Perry is the Director of Strategic Partnerships for Exterro, and has been in the data privacy and cybersecurity field for more than 25 years.
