Dear CISO: Partial Inventory is No Inventory at All

GDPR started it and others followed. Unlike with other sensitive data assets that we as CISOs need to manage, it’s now quite clear what is expected of us regarding personal data. After analyzing all these expectations (more like requirements) and merging them into practical actions, the only practical solution is to create a central and up-to-date inventory of personal data and manage it effectively. All activities, including privacy and security policy implementation, and legal data subject rights, must be part of that inventory.

So what did we do in 2016 once GDPR was dropped on us? We consulted externally on how to manually create an inventory, used whatever tools we had previously developed to automate part of the data discovery process, and started searching for vital tools to equip us to maintain this process as a long-term solution.

Solutions started to arrive on the market. Some of them are DLP-like, configured for personal data, while others were built to ease management tasks. The problem with these partial solutions is that all of them were assembled from existing technologies and limitations that don’t necessarily answer our needs as CISOs. To identify our needs and choose the appropriate solution we need to ask ourselves a few basic questions:

What is a Personal Data Inventory?

A central place that manages “information relating to an identified or identifiable natural person” that your organization “stores, processes or shares”. If your inventory is missing even one part (for example: it is unable to automatically identify new network elements that process personal data) it is unreliable, preventing you from honestly reporting to your boss that your task has been fully completed.

Where should I look for this information in my organization?

You should search structured and unstructured, data in motion and at rest, and known and unknown data. It can be an application transaction, file, table in a database, SaaS service, image … (see “Where Personal Data Can Potentially Be Found in the Digital Arena” for more information)

There are many “privacy solutions” out there. How do I choose the right one for me?

When choosing a long-term solution, I always ask myself the question “Where am I going to be in a year from now using this technology?” Some have shiny GUI, others focus on a specific part of the challenge, but all try to divert the conversation to where they have the advantage over others. It’s all acceptable, but when choosing, I always make myself a list of priorities. In this case:

1. A complete, automatically-updated inventory that is accessible via API and GUI (in that order).
2. The rest…

The main reason for this very short list is because two things are very clear:

1. If you have a full inventory, everything else is data manipulations.
2. If you have only partial inventory and the rest rely upon user input, a year from now you will still be chasing complimentary solutions for the missing parts of your inventory. Furthermore, you will continue wasting your business’s and IT’s time by filling out forms and surveys that everyone knows are not accurate and irrelevant a second after filling them out.

Choosing the correct solution now will guarantee that in a year you’ll be able to scale to any task as part of your data lifecycle management challenges.