Question: Has a personal-data inventory or processing register been established and maintained?
Why This Matters
Organizations cannot protect what they don’t know they hold. A processing register clarifies data flows, legal bases, and risk exposures.
Maturity
- 0 — Unaware: No inventory of personal data assets.
- 1 — Ad Hoc: Partial lists maintained by IT or HR.
- 2 — Defined: Central register documented with owners and purposes.
- 3 — Managed: Data flows mapped; legal bases and retention defined.
- 4 — Integrated: Inventory linked to risk and security controls.
- 5 — Optimized: Dynamic discovery and automated updates via scans.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | List systems storing personal data (Excel OK initially). |
| 1 → 2 | Create central register with owner and purpose. |
| 2 → 3 | Add lawful basis, retention, and sharing partners. |
| 3 → 4 | Link records to risk register and control matrix. |
| 4 → 5 | Automate discovery using DLP or data-classification tools. |
Enablers
- People: DPO, System Owners, IT Security Lead
- Process: Data-mapping → register review → annual attestation
- Technology: Spreadsheets, GRC tool, data-scan utilities
Evidence
- Latest register version
- Review approval logs
- System owner sign-offs
KPIs
- Percentage of systems mapped
- Number of updates since last review
- Time to add new system to register
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Register | Airtable / Google Sheets | Central inventory |
| Mapping | draw.io / Gliffy | Visual data flows |
| Discovery | OpenDLP / DataCurator | Scan structured sources |
Common Pitfalls
- Inventory never reviewed or approved
- No linkage to risk or security controls
- Updates only after audit
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27701 | 7.2.1 (Records of processing) |
| DPDP Act 2023 | Sec 7 (Processing register and consent record) |
| GDPR | Art. 30 |
| NIST CSF 2.0 | ID.DP-01 / GV.OC-01 |
| NIRMATA Mapping | PD-Q02 anchors data-inventory discipline. |