For the record: the importance of data inventory

May 2022  |  COVER STORY | BOARDROOM INTELLIGENCE

Financier Worldwide Magazine

May 2022 Issue


For companies, knowing the data they hold is fundamental to being able to use and protect it. But companies increasingly store vast quantities of data. They access enormous, separate data sources virtually every day, which makes it harder to remember the origins of each data point.

A data inventory provides a complete record of the information resources maintained by an organisation. It allows companies to track essential data sources and streamline data collection and analyses. In its simplest form, a data inventory documents what data is being collected by the organisation, how the organisation utilises it in its environment, how the organisation protects it, and to where, whom and for what purpose it is transferred.

While data can be a huge asset, it can also be a major liability if not properly managed. Inaccurate, incomplete or inadequate data increases risk for organisations. It can make it difficult for companies to maintain regulatory compliance and may cause reputational damage in certain scenarios.

Without a robust data inventory, companies have a limited chance of achieving governance, risk and compliance (GRC) objectives. Managing data efficiently requires centralised control mechanisms. “A data inventory forms the core foundation of any strong data governance or privacy programme,” says Nina Bryant, senior managing director at FTI Technology. “How can any organisation manage, protect, secure or dispose of data if it does not understand what data it has or where it is stored?

“More importantly, a clear view of the entire data footprint is essential to an organisation’s ability to identify where high value or high-risk data sits and to develop effective strategies to govern this data through its lifecycle,” she continues. “In an age where data breaches are a daily occurrence, a data inventory enables the chief information security officer’s team to target limited resources to the data or systems with the highest value or risk.”

By establishing a centralised database for quick reference, companies can also increase operational efficiency, productivity and decision making, and ensure that employees stay on task. A data inventory can help companies transform data from a potential liability into an asset, easing compliance and risk burdens and facilitating digital transformation. Understanding what information a company gathers contributes to enhanced productivity and greater transparency for everyone in the organisation. It can improve reporting and decision making, and optimise operational efficiency.

Dark data

A complete data inventory also provides an opportunity to remediate historic data, manage risk and reduce costs. “A number of surveys have identified that approximately 30 percent of an organisation’s unstructured data is redundant, obsolete or trivial (ROT),” says Ms Bryant. “In addition, a recent IBM study identified that up to 80 percent of data is dark or unknown and unexploited data within an organisation, generated by applications, devices or interactions.

“Completing a data inventory is the minimum requirement to begin understanding the known data landscape, and will also help identify data that no longer holds value and may be disposed of. It also uncovers critical gaps, such as data that exists in unknown, unowned or underutilised systems or file shares,” she adds.

Addressing this issue may involve, for example, decommissioning legacy applications or data centres, using tools to analyse unstructured data, disposing of ROT, classifying business records, or migrating low value historic data to an archive. Such efforts should reduce the cost associated with ever-growing IT infrastructure, and focus investment on strategic solutions which instead unlock value from data.

Reducing the volume of data, including personal data, is also in line with data minimisation principles under privacy regulations, and further reduces the risk of exposing sensitive information in the event of a cyber incident or data breach. Once data has been structured and low value data discarded, the costs and timescale for cloud migration are reduced, and teams can focus on ensuring strong data governance for the future.

According to Ms Bryant, a data inventory allows companies to identify key attributes related to their data. This may include personal or special categories of data, business records that must be retained for legal reasons, data under legal hold, golden sources of data, as well as crown jewels, which are high value intellectual property or other business data.

“This is critical to drive the data strategy, information security efforts and mitigate risk effectively,” says Ms Bryant. “It will also allow an organisation to respond quickly and effectively to data subject rights and access requests, ensuring the organisation has visibility into key applications and systems that contain personal data,” she adds.

Regulatory imperatives

Through the data inventory process, companies gain an understanding of the data they store and an ability to identify gaps or risks, to then mitigate them. This may be necessary to comply with regulatory measures, such as the European Union’s (EU’s) General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), among measures being implemented in other jurisdictions.

“It is critical to take a holistic approach to the data inventory process, and to consider regulatory requirements that cut across records retention, litigation and legal holds, data privacy, data governance and information security,” notes Ms Bryant. “Privacy protection regulations such as the GDPR and the CCPA enforce strict guidelines regarding data, and they are likely to be the vanguard for additional, similar legislation in other jurisdictions. Collecting and processing data without proper consent from users or legitimate business needs may cause significant issues for organisations. As such, businesses must be careful about the data they are collecting and storing,” she adds.

In the case of the GDPR specifically, having a proper data inventory may be fundamental to achieving compliance. In this way, companies can effectively manage data sharing and permissions, address individual data subject access requests, carry out risk assessments to determine necessary controls, manage data protection practices and programmes, develop effective breach notifications, and help data protection officers (DPOs) execute their duties and responsibilities effectively.

Building a data inventory

Building a data inventory is not a simple, one-off process. Companies will need to answer some key questions about the data they store. Do we know what data we have? How long are we keeping it? Where are we keeping it? Why are we keeping it? Who has access to it? Has the data been classified? Who is responsible for the data?

Challenges often arise when creating a data inventory, particularly since companies store so many different data types across a multitude of data sources. It can be difficult to gain complete visibility of the entire data landscape. This may lead to incomplete or inaccurate information being stored, as well as duplicate or ungoverned data. To address this problem, companies need to quality check the data they hold, then eliminate duplicate, incomplete or inconsistent information to increase the reliability of datasets.

A data inventory should also be factored into the broader data privacy programme. Common privacy and security frameworks, such as the National Institute of Standards and Technology (NIST) Privacy Framework, may be considered. These detail how organisations should identify and document assets and processes which collect, store or use critical information.

For a large organisation, creating a data inventory can be a significant undertaking. There are, however, many tools available that aim to streamline the process. “These tools range from glorified spreadsheets, to tools which issue questionnaires to stakeholders for completion to create a database of systems, data and risk mapping, to tools that automatically map data within systems,” explains Ms Bryant. “All these have pros and cons, but in our experience, a semi-automated approach works best initially and is quicker to implement. This involves using a tool that makes capture and maintenance of the inventory easier, ensures everything is stored in one place, and has a strong user access model that allows for effective metrics and reporting to key managers in IT, risk, compliance or privacy.

“This is generally significantly more efficient than following a spreadsheet-based approach, but avoids the high investment and time frame to implement fully-automated tooling,” she continues. “In addition, most of these tools also have functionality to automatically generate data maps, cross-border transfer maps and data lineage charts once the inventory has been completed, fast-tracking development of key outputs,” she adds.

When building a data inventory, companies must first establish an oversight authority, including a project manager, with responsibility for gathering data from across various departments. A specialist may be engaged to outline data policies and manage big data. The data inventory team must also establish the scope, deadlines, resources and other guidelines necessary to complete the process.

There are, of course, limitations on the capacity of individuals to retain knowledge, which should be addressed as part of the process. “A single contact point will likely not know all information across all these areas and should accept that they may need to involve multiple people to get the full picture or may find gaps in the information that are difficult or impossible to fill,” says Ms Bryant. “Spending ample time and effort at this stage will pay dividends in the longer term, though, and will help direct the thinking for future phases of work and identify where further initiatives may be required.”

Ultimately, data inventory and data management rely on three tightly linked elements: people, process and technology. “To ensure effective data governance, the GRC team will need to collaborate to develop the critical policies, roles, governance structures and data inventory needed to make decisions on data and ensure management throughout its lifecycle,” says Ms Bryant. “However, technology will increasingly be a key enabler to success, supporting automated analysis, mapping, classification and disposal of data, exposing and exploiting dark data and ultimately driving business value from data. In turn, this will ensure the significant risks data can pose to an organisation are reduced, while the cost of data infrastructure is minimised.”

Though technology plays a key role, there will always be a human element to data inventory. It is a critical part of the process to capture the accumulated corporate knowledge on data and systems across the organisation. “Automated tooling has evolved significantly, especially over the last 10 years, which is enabling improvements in effective data analysis and mapping across both structured and unstructured data, detecting personal, financial and high value data, identifying ROT, automated classification and mapping data lineage,” says Ms Bryant. “To make the best use of these tools, some level of understanding of where to target efforts and how to prioritise based on risk is required, which inevitably requires human input. Ultimately, any GRC programme will require a combination of human expertise, while leveraging the power and speed of automated analytics,” she adds.

Plan for the future

To be ready for the next phase of data-privacy regulations, companies should seek to future proof their GRC efforts. A principles-based approach, agnostic to specific regional or departmental issues, is key. “Develop a framework that can be easily adapted as the organisation grows into different markets or new products and services through M&A, for example,” suggests Ms Bryant. “This will mean that all the effort put into developing policies, procedures and inventories can be quickly and easily leveraged and expanded as the organisation changes. A strong target operating model (TOM) for key functions will also support this. Ensure that clear governance, accountability and responsibilities are defined to align with team activities and objectives.

“As the organisation grows, or new legislation comes to pass, relevant roles and activities can then be allocated clearly within future iterations of the TOM, avoiding grey areas or gaps in operational responsibilities,” she continues. “Finally, a strong control framework is a must. Any GRC initiative is only as strong as the controls which monitor or detect issues, non-compliance or emerging threats or risks. Ensuring controls are proactively reviewed and an ongoing programme of risk mitigation and process improvement is in place will future proof against the unknown challenges ahead.”

The importance of company data cannot be overstated. With an increasing regulatory focus on data collection and storage, organisations cannot afford to overlook the benefits of a data inventory. Compliance with the GDPR, CCPA or similar laws is much harder if businesses fail to understand the types of data they collect and how it is used and stored. A data inventory optimises data management processes to help meet obligations as new laws and regulations are introduced. It is a best practice response to a world increasingly focused on data quality and protection.



BY

Richard Summerfield

