DAT-006 Data Inventory and Records of Processing
Description
A current inventory of personal and sensitive data assets is maintained, documenting data categories, processing purposes, data flows, retention periods, legal basis for processing, and the systems and third parties involved. This record is reviewed and updated at least annually.
Rationale
A data inventory is the foundational accountability artefact for privacy compliance. It enables proportionate protection, supports DPIA scoping, facilitates data subject rights fulfilment, and is required by GDPR Art.30.
Framework Mappings (7)
| Framework ID | Control | Coverage |
| --- | --- | --- |
| DSP-03 | Data Inventory | full |
| DSP-05 | Data Flow Documentation | partial |
| DSP-06 | Data Ownership and Stewardship | partial |
| GDPR-Art.30.1 | Controller Records of Processing Activities (RoPA) | full |
| GDPR-Art.30.2 | Processor Records of Processing Activities | partial |
| GDPR-Art.5.2 | Accountability Principle | partial |
| PM-18 | Privacy Program Plan | partial |
Evidence (2)
Records of Processing Activities (RoPA) or data inventory documenting all personal data processing activities with required GDPR Art.30 fields.
Example: RoPA register (OneTrust / Confluence / spreadsheet), listing each processing activity with: controller identity, processing purpose, data categories, data subject categories, recipients, third countries, retention periods, legal basis, and technical/organisational measures — reviewed within 12 months.
Test: Request the current RoPA or data inventory. Verify: (1) all active processing activities are represented, (2) each entry includes: purpose, data categories, legal basis, retention period, and any third-party recipients, (3) cross-border transfers are identified and transfer mechanisms documented, (4) register has been reviewed and updated within the last 12 months, (5) DPO or data owner approval is recorded.
Data flow diagram or automated data mapping output showing how personal data moves between systems and to third parties.
Example: Automated data flow map export from OneTrust Data Mapping, Securiti.ai, or equivalent — showing data flows from collection points to processing systems to third-party processors, with data categories annotated.
Test: Request the data flow diagram or mapping tool export. Verify: (1) all major data collection touchpoints are shown (web app, mobile, API, support systems), (2) flows to all identified third-party processors are represented, (3) any cross-border flows are marked, (4) diagram is dated within 12 months.
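The RoPA test above (checks 2 to 5: required fields, documented transfer mechanisms for cross-border flows, a review within 12 months, recorded approval) can be automated when the register is exported as structured data. The following is an added example written for this page, not code from the control catalogue or from any of the tools it names; it assumes a register exported as a list of dictionaries with the field names shown, and the two entries in SAMPLE_REGISTER are constructed to exercise a passing and a failing case.

```python
from datetime import date, timedelta

# Fields every RoPA entry must carry with a non-empty value, taken from the
# Evidence test and the Art.30 field list on this page. Field names are an
# assumption about the export format, not a fixed schema.
REQUIRED_FIELDS = (
    "activity", "controller", "purpose", "data_categories",
    "data_subject_categories", "legal_basis", "retention_period",
    "recipients", "technical_organisational_measures",
    "last_reviewed", "approved_by",
)

REVIEW_WINDOW_DAYS = 365  # "reviewed and updated within the last 12 months"


def check_entry(entry, today):
    """Return the list of findings for one register entry (empty list = pass)."""
    findings = []
    for field in REQUIRED_FIELDS:
        if entry.get(field) in (None, "", [], ()):
            findings.append(f"missing field: {field}")
    # third_countries must be recorded explicitly, even if the list is empty,
    # so that "no transfer" is a documented statement rather than an omission.
    if "third_countries" not in entry:
        findings.append("missing field: third_countries (use an empty list if none)")
    # Check (3): a cross-border transfer needs a documented transfer mechanism.
    elif entry["third_countries"] and not entry.get("transfer_mechanism"):
        findings.append("cross-border transfer without transfer mechanism")
    # Check (4): last review must fall within the 12-month window.
    reviewed = entry.get("last_reviewed")
    if reviewed:
        try:
            reviewed_on = date.fromisoformat(reviewed)
            if today - reviewed_on > timedelta(days=REVIEW_WINDOW_DAYS):
                findings.append(f"review stale: last reviewed {reviewed}")
        except ValueError:
            findings.append(f"unparseable last_reviewed: {reviewed!r}")
    # Check (5): approval recorded; covered by the required approved_by field.
    return findings


def check_register(register, today=None):
    """Map each failing activity name to its findings; passing entries are omitted."""
    today = today or date.today()
    report = {}
    for idx, entry in enumerate(register):
        name = entry.get("activity") or f"<entry {idx}>"
        findings = check_entry(entry, today)
        if findings:
            report[name] = findings
    return report


# Constructed sample register: one complete entry and one with typical gaps.
SAMPLE_REGISTER = [
    {
        "activity": "Customer support ticketing",
        "controller": "Example Ltd",
        "purpose": "Resolve customer enquiries",
        "data_categories": ["name", "email", "ticket contents"],
        "data_subject_categories": ["customers"],
        "legal_basis": "contract",
        "retention_period": "3 years after ticket closure",
        "recipients": ["helpdesk SaaS vendor"],
        "third_countries": ["US"],
        "transfer_mechanism": "Standard Contractual Clauses",
        "technical_organisational_measures": "encryption at rest, RBAC",
        "last_reviewed": "2024-03-01",
        "approved_by": "DPO",
    },
    {
        "activity": "Marketing newsletter",
        "controller": "Example Ltd",
        "purpose": "Send product updates",
        "data_categories": ["email"],
        "data_subject_categories": ["subscribers"],
        # legal_basis deliberately absent
        "retention_period": "until unsubscribe",
        "recipients": ["email service provider"],
        "third_countries": ["US"],  # no transfer_mechanism recorded
        "technical_organisational_measures": "TLS in transit",
        "last_reviewed": "2022-11-15",  # older than 12 months at the audit date
        "approved_by": "",  # approval not recorded
    },
]


def run_sample():
    """Evaluate the constructed register against a fixed audit date."""
    return check_register(SAMPLE_REGISTER, today=date(2024, 6, 1))


if __name__ == "__main__":
    for activity, findings in run_sample().items():
        print(activity)
        for finding in findings:
            print("  -", finding)
```

Run against a real export, the report lists only the activities an auditor would need to query; check (1), that every active processing activity is represented, cannot be decided from the register alone and still requires comparison against the data flow map or system inventory.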
Questions (2)
Does your organisation maintain a current Records of Processing Activities (RoPA) or equivalent data inventory documenting all personal data processing with the fields required by GDPR Article 30?
The RoPA must include: processing purposes, data categories, data subject categories, legal basis, retention periods, third-party recipients, cross-border transfers, and applicable safeguards. It should be reviewed and updated at least annually.
How is the data inventory or RoPA maintained?
A dedicated privacy management platform provides the most reliable inventory with automated data flow discovery. Spreadsheet-based inventories are acceptable for smaller organisations but must be kept rigorously up to date.