Knowing the type of data that you collect, where it is held, with whom it is shared, and how it is transferred is a central component of most data privacy and data security programs. The process of answering these questions is often referred to as a “data map” or a “data inventory.” Outside of the United States some attorneys may be more familiar with the term “data register.”

Although the questions that a data map tries to solve are relatively straightforward, the process of conducting a data map can be daunting for many organizations. In addition, it is important to remember that data constantly changes. As a result, organizations must consider how often to invest the time to conduct a data map and, once invested, how long the information will be useful.


The percentage of privacy officers ranking data inventory and mapping as their highest priority for risk mitigation.1


The percentage of companies that already engage in routine data inventory and mapping.2


What you should think about when deciding whether to conduct a data map or a data inventory:

  1. Which departments within your organization are most likely to have data?
  2. Who within each department would you need to speak with to find out what data exists?
  3. Is it more efficient to send the relevant people a questionnaire or to speak with them directly? What is the best way to receive information from each person in the organization that collects data so that the information provided can be organized and sorted with information received from others?
  4. What information should you collect about the personal data within your organization? For example, is it enough to know where the data is, and who is responsible for it, or should you collect the reason why your organization has the data, how long it is kept, where it is systematically transferred to, and the type of security applied to the data?
  5. Is your data map intended to be an inventory (i.e., a description of data at rest), or is it intended to provide dynamic information (i.e., a description of how data moves within and outside of your organization)?
  6. Which stakeholders in your organization may have an interest in the outcome of your data map? For example, are there uses that a privacy officer, an information security officer, or a chief information officer, may have in the outcome of the project?
  7. Do you have sufficient internal resources to conduct the data map? If not, do you have access to external resources with experience in conducting such exercises?
  8. Is your data map going to inventory data that crosses national boundaries? If so, do you want your map to also account for what (if any) legal compliance strategies are being used to facilitate such transfers?
  9. If your data inventory is going to examine the retention schedule (if any) applied to the data, are you going to rely on self-reported retention periods or are you going to verify actual retention periods?
  10. Do you intend to use the outcome of your data inventory to demonstrate compliance with any specific legal requirements? For example, if your organization is subject to the European Union General Data Protection Regulation do you intend for your data map to satisfy your obligations to demonstrate that your organization applies data minimization and has a permissible purpose for its data processing?

1. Int’l Ass’n of Privacy Prof’ls & TRUSTe, Inc., How IT and Infosec Value Privacy, 2 (2016),

2. Int’l Ass’n of Privacy Prof’ls & TRUSTe, Inc., Preparing for the GDPR: DPOs, PIAs, and Data Mapping, 16 (2016),