When I started implementing the EU General Data Protection Regulation (GDPR) for my own business, I thought it would be a breeze: After all, as a lawyer, reading and implementing legislation is what I do. Also, my clients’ data is protected by the attorney-client privilege, so I’m already used to treating personal data very carefully.

It was a bit trickier than expected though. Yes, being a lawyer did help, but the GDPR is one big piece of work (pun intended). It is probably one of the most important pieces of legislation of the digital age, but it is not easy to work with. So where did I start? I made an inventory of all the personal data I’m processing. I have since tried and tested the GDPR Data Inventory Template I created for this with my own business and with my clients. I want to share the template with you, to hopefully make it easier to implement the GDPR in your business.

Use the Data Inventory Template to catalog and assess the personal data you process as required by the GDPR. Since I made the template specifically for Swiss businesses, I also added some considerations about Swiss data protection laws (transfers out of Switzerland).

Download the Template here (you don’t need to request access, just click “File>Make a copy”).

This document and the additional resources below are for general information purposes only and should not be considered legal advice. We do not warrant that the information is complete.

Additional Resources for Filling out the GDPR Data Inventory Template

These additional resources and examples will help you fill out the Data Inventory Template. The numbers below refer to the columns in the template.

0) Header

  • Data Controller: Fill in the name and contact details of your business. If you have a Data Protection Officer, fill in his or her details too.
    You only need a Data Protection Officer if you are a public authority, or if your core activities consist of large-scale, regular and systematic monitoring of data subjects or large-scale processing of sensitive data (Art. 37 GDPR). See this guidance by the EU Commission for more information.
  • EU representative: Fill in the name and contact details of your EU representative.
    As a general rule, if the GDPR applies to your business even though your business is based outside the EU (e.g. in Switzerland), you need to appoint an EU representative (Art. 27 GDPR). There is an exception to that rule for businesses whose processing is occasional, low-risk and does not involve sensitive data on a large scale. Unfortunately, there isn’t really any guidance yet as to what exactly that means. I will keep you posted about any future developments.

1) Personal data we process

This first column isn’t a mandatory part of the inventory. I added it for convenience. It allows you to organize the personal data you process into groupings that make sense for your business. In my experience, it’s usually helpful to group the data either by data subject and source (e.g. user data from sign-up form, automatically collected user data, etc.), or by data subject and storage location (e.g. hard copy customer files, electronically stored customer information, etc.).

The EU Commission also offers some pointers to help you find out what data and what activities are covered by the GDPR.

2) Where does the data come from?

List how you collected the data (where you have it from).

Examples: directly from the data subject (sign-up form, user activity/posts, through email, etc.), from a third party, through an analytics tool

3) Whose data is it?

Write down the category of data subjects whose data you are processing.

Examples: customers, users, business partners, prospects, website visitors, employees

4) What kind of data is it?

Describe what kind of personal data you are processing.

Examples: contact information, medical records, employee files, financial information

5) Is it sensitive data?

Make a note of any sensitive data you process. The GDPR calls this “special categories of personal data” (Art. 9): data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic and biometric data, health data, and data concerning sex life or sexual orientation. This is important because the data protection rules for processing sensitive data are stricter than the general rules.

Guidance by the EU Commission (more info and examples)

6) Why do we process this data (purpose)?

Describe the reasons why you process the data.

Examples: providing customers with the goods or services they bought, marketing, legal requirements (e.g. employer obligations), analytics

7) What is our lawful ground for processing?

This is one of the most crucial parts. Under the GDPR, processing personal data is only legal if one of its “lawful grounds for processing” applies. That means you need a lawful ground for processing for every one of your processing activities.

The GDPR lists six lawful grounds in Art. 6 (the other two, vital interests and public task, rarely apply to a private business). The most important lawful grounds for processing are:

  • Contract
  • Consent
  • Legitimate interest
  • Legal obligations

Guidance by the EU Commission (more info and examples)

8) Where do we process/store this data?

Indicate where you process and store the data. This can be an electronic system or a hard copy filing system.

Examples: your own server, cloud storage, hard copy filing cabinet, a third-party service provider’s server

9) How long do we keep this data (retention period)?

Write down how long you keep the data and when it is deleted. If the retention period is set by law (e.g. for accounting records), note the legal requirement; if you haven’t set one yet, that is a gap to record under column 15.

Guidance by the EU Commission (more info)

10) What are the security measures we put in place to protect this data?

List the organizational and technical data security measures you put in place.

Guidance by the EU Commission (more info)

Examples: pseudonymization, encryption (at rest and in transit), access restrictions (role-based access, multi-factor authentication), backups, logging of access to the data, locked filing cabinets for hard copies

11) Does processing this data involve a transfer to a third party? If yes, who is it and where are they?

Write down who you share the data with.

Examples: subcontractors, freelancers, cloud services, hosting providers, email marketing services, IT support services

12) If we transfer to a processor, is a data processor agreement in place?

If a third party processes personal data on your behalf, you need to put a written processor agreement in place (Art. 28 GDPR). Ask your processor if they have one – if their core business is processing other people’s data and they take the GDPR seriously, they usually do.

Guidance by the EU Commission (more info)
Guidance by the EU Commission on the difference between controllers and processors

13) Is this transfer an international transfer out of Switzerland? If yes, is it compliant with Swiss data protection laws?

A transfer out of Switzerland is compliant with Swiss law if:

14) Is this transfer an international transfer out of the EEA? If yes, is it compliant with the GDPR?

A transfer to a country outside the European Economic Area (EEA) is compliant with the GDPR if:

Guidance by the EU Commission (more info)

15) Measures to be taken

List any measures you need to take to become compliant.