When I started implementing the EU General Data Protection Regulation (GDPR) for my own business, I thought it would be a breeze: After all, as a lawyer, reading and implementing legislation is what I do. Also, my clients’ data is protected by the attorney-client privilege, so I’m already used to treating personal data very carefully.
It was a bit trickier than expected though. Yes, being a lawyer did help, but the GDPR is one big piece of work (pun intended). It is probably one of the most important pieces of legislation of the digital age, but it is not easy to work with. So where did I start? I made an inventory of all the personal data I’m processing. I have since tried and tested the GDPR Data Inventory Template I created for this with my own business and with my clients. I want to share the template with you, to hopefully make it easier to implement the GDPR in your business.
Use the Data Inventory Template to catalog and assess the personal data you process as required by the GDPR. Since I made the template specifically for Swiss businesses, I also added some considerations about Swiss data protection laws (transfers out of Switzerland).
Download the Template here (you don’t need to request access, just click “File>Make a copy”).
This document and the additional resources below are for general information purposes only and should not be considered legal advice. We do not warrant that the information is complete.
Additional Resources for Filling out the GDPR Data Inventory Template
These additional resources and examples will help you fill out the Data Inventory Template. The numbers below refer to the columns in the template.
- Data Controller: Fill in the name and contact details of your business. If you have a Data Protection Officer, fill in his or her details too.
You only need a Data Protection Officer if you process personal data on a large scale. See this guidance by the EU Commission for more information.
- EU representative: Fill in the name and contact details of your EU representative.
As a general rule, if the GDPR applies to your business even though your business is based outside the EU (for example, in Switzerland), you need to appoint an EU representative. There is an exception to that rule for businesses with occasional and low-risk processing activities. Unfortunately, there isn’t really any guidance yet as to what exactly that means. I will keep you posted about any future developments.
1) Personal data we process
This first column isn’t a mandatory part of the inventory. I added it for convenience. It allows you to organize the personal data you process into groupings that make sense for your business. In my experience, it’s usually helpful to group the data either by data subject and source (e.g. user data from sign-up form, automatically collected user data, etc.), or by data subject and storage location (e.g. hard copy customer files, electronically stored customer information, etc.).
Here are some pointers by the EU Commission to help you find out what data and what activities are covered by the GDPR:
2) Where does the data come from?
List how you collected the data (where you have it from).
Examples: directly from the data subject (sign-up form, user activity/posts, through email, etc.), from a third party, through an analytics tool
3) Whose data is it?
Write down the category of data subjects whose data you are processing.
Examples: customers, users, business partners, prospects, website visitors, employees
4) What kind of data is it?
Describe what kind of personal data you are processing.
Examples: contact information, medical records, employee files, financial information
5) Is it sensitive data?
Make a note of any sensitive data you process. This is important because the data protection rules for processing sensitive data are stricter than the general rules.
6) Why do we process this data (purpose)?
Describe the reasons why you process the data.
Examples: providing customers with the goods or services they bought, marketing, legal requirements (e.g. employer obligations), analytics
7) What is our lawful ground for processing?
This is one of the most crucial parts. Under the GDPR, processing personal data is only legal if one of its “lawful grounds for processing” applies. That means you need a lawful ground for processing for every one of your processing activities.
The most important lawful grounds for processing are:
- Legitimate interest
- Legal obligations
8) Where do we process/store this data?
Indicate where you process and store the data. This can be an electronic system or a hard copy filing system.
Examples: your own server, cloud storage, hard copy filing cabinet, a third-party service provider’s server
9) How long do we keep this data (retention period)?
If you set a retention period for the data, write it down here.
10) What are the security measures we put in place to protect this data?
List the organizational and technical data security measures you put in place.
Examples: pseudonymization, encryption, access restrictions
11) Does processing this data involve a transfer to a third party? If yes, who is it and where are they?
Write down who you share the data with.
Examples: subcontractors, freelancers, cloud services, hosting providers, email marketing services, IT support services
12) If we transfer to a processor, is a data processor agreement in place?
If a third party processes personal data on your behalf, you need to put a processor agreement in place. Ask your processor if they have one – if their core business is processing other people’s data and they take the GDPR seriously, they usually do.
13) Is this transfer an international transfer out of Switzerland? If yes, is it compliant with Swiss data protection laws?
A transfer out of Switzerland is compliant with Swiss law if:
- the country you transfer to has data protection legislation equivalent to Switzerland’s
- you transfer to a U.S. company with CH-US Privacy Shield certification
- you put in place appropriate contractual clauses
- one of the other conditions outlined in art. 6 of the Federal Data Protection Act applies
14) Is this transfer an international transfer out of the EEA? If yes, is it compliant with the GDPR?
A transfer to a country outside the European Economic Area (EEA) is compliant with the GDPR if:
- the country you transfer to has data protection legislation equivalent to the EU (adequacy decision)
- you transfer to a U.S. company with EU-US Privacy Shield certification
- you put in place an “appropriate safeguard” (contractual clauses)
- a derogation according to art. 49 GDPR applies (e.g. the data subject explicitly consents to the transfer)
15) Measures to be taken
List any measures you need to take to become compliant.