Most Accurate Solutions and Approaches For Your Data Inventory
What are the types of your data? Where are they stored? Who has access? Have you specified the retention periods?
Not knowing in which environments the collected data are stored and how they are shared with other parties is like travelling offshore.
An organization's most important need in data management, and indeed the starting point of data management, is to know the scale, location, sharing and lifecycle of its data.
The private sector and public institutions obtain, process and store various personal data in order to carry out their core activities. Organizations that wish to expand their economic activities naturally access more personal data and find themselves in the position of sharing them with third parties. If the management model of the data is not adequately constructed, then as the scale of data gets larger, the risks to its security and the measures to be taken increase accordingly.
Data inventory studies can be quite detailed, depending on the scale of data processed and the parties you share data with. The expert teams of VeriSistem® complete these studies quickly thanks to their superior knowledge in this field. In addition, the data inventory service is included in the scope if all end-to-end personal data protection law compliance studies are in progress.
Various Definitions Related to the Inventory Study
An inventory study on personal data is not an easy process. However, it is indisputable that the results of this study, spread over time, will become a unique asset for the operation of the organization.
The inventory study on the protection of personal data is described in Article 4, paragraph 1 (h) of the By-law on the Data Controllers’ Registry published in the Official Gazette dated 30.12.2017. Later, the scope was changed with various regulations.
In these regulations, Inventory is described as "the inventory in which the measures taken regarding data security are explained and elaborated as data controllers perform personal data processing activities depending on business processes; their purposes of processing personal data and its legal ground, data category they create by associating with the recipient group of transfer and group of data subject persons and the maximum retention period required for the purposes which personal data processed for and personal data intended to be transferred to foreign countries."
Why Should You Prepare a Data Inventory?
The obligation to prepare a data inventory lays the groundwork for compliance with the Law in the business processes related to the activities of the data controllers. In other words, it serves to make it easy to determine whether any personal data processing is non-compliant with the Law. Thanks to this inventory, the data controller also has the opportunity to self-audit the legal compliance of its personal data processing activities.
The aim is to convert the data into information and to transform it into understanding.
Is it a Legal Obligation to Prepare a Data Inventory?
For the reasons mentioned above, it is important to take technical and administrative measures properly in terms of securing personal data. Therefore, it will be easier for organizations to classify their data assets in the first place. However, the law has also imposed the following obligations in this field:
Article 5, paragraph 1 (d) of the By-law on the Data Controllers' Registry contains the provision "Data controllers (*) who are obliged to register with the Registry, are obliged to prepare Personal Data Processing Inventory. Data to be disclosed to the Registry during the registration applications, are prepared based on the Personal Data Processing Inventory" and, in paragraph (d), the provision "In the disclosure obligation stipulated in Article 10 of the Law for data controllers, in responding to the applications of the data subject in Article 13 of the Law and determining the scope of the explicit consent to be announced by the data subjects, the data submitted to the Registry and published in the Registry shall be taken as basis based on the personal data processing inventory."
(*) An amendment was made to paragraph (ç) by Article 2 of the Regulation on the Amendment of the By-law on the Data Controllers’ Registry published in the Official Gazette dated 28.04.2019.
Is it Compulsory to Prepare a Data Inventory According to GDPR?
According to GDPR, there is no obligation to prepare a data inventory, but due to the nature of the process, a data inventory is "required", because GDPR examines which data are managed, recorded and shared. In addition, organizations with more than 250 employees have to keep a record of data processing activities and show it during audits (The Register of Record of Processing Activities).
The requirements for data processing activities are listed in Article 30, paragraphs 1 and 2 of the GDPR. According to these:
Name and surname of the data controller, DPO and representatives
Purpose of data processing
Categories of data subject's processed data
Parties where data transfer takes place
Technical and administrative measures
The differences between conventional Data Retention and the "Transaction Records" mentioned in the GDPR are, for example, as follows:
Data Retention (Saving, storing)
It is important which records we keep in which systems. For example, customer contracts are located on the cloud server named "ABC" in Istanbul.
Who has access to data? For example, who can access supplier data stored in our servers in Ankara? With what authorization levels can they access the data?
Transaction Records (Data processing records)
GDPR looks for answers to “how” and “why” questions. Why are these records kept, what is the purpose and how are they kept?
Which departments have access to data and why is this needed?