GDPR data inventory is not a legal task
Why the personal data register that GDPR requires is operationally useful - and how to build it properly before the regulation comes into force.
Less than three months remain before GDPR comes into force. Most companies that work with European customers or have employees in the EU already know they need to do something. But I notice that the work is mainly happening in two directions: legal drafting of policies and technical protection measures. What falls between them is the most important step - understanding exactly where personal data lives inside the company.
The record of processing activities - one of the key documentary requirements of GDPR - is treated as a formality for the regulator. In practice it is the first useful instrument a company creates for managing its own data.
What happens without an inventory
When I ask "where in your company is customer personal data stored", the answer almost always starts with the CRM. Then someone remembers the email service. Then the website database. Then someone says "there is also a file in SharePoint from that competition we ran". Then it turns out the sales team maintains a Google Sheets spreadsheet with access shared between several people, not synchronised with anything.
In the end it emerges that personal data lives in 8 to 12 places, including several that the IT department knew nothing about. This is not unusual - it is normal for mid-sized companies.
Without this knowledge, any technical protection measure is incomplete, any policy is inaccurate, and any data deletion request ("right to erasure") is technically unenforceable - simply because nobody knows where to look.
How to do the inventory properly
The task is not to survey the IT department. The task is to survey business units - because data is most often created and stored there, while IT only supports part of the infrastructure.
A useful structure for each identified data flow:
- What categories of data (contacts, financial information, purchase history, etc.)
- Where the data comes from (website form, phone call, contract, etc.)
- Where it is physically stored (system, database, file, cloud service)
- Who has access
- How long it is stored and what happens afterwards
- Whether it is transferred to third parties (contractors, platforms, etc.)
For each flow it is also necessary to understand the legal basis for processing. GDPR requires a justification for each processing activity: consent, contract performance, legitimate interest or another ground.
The operational value of this work
Companies that have gone through a proper data inventory typically discover several additional benefits.
First - redundant copies of data that nobody uses but that create risk. These can be deleted.
Second - data that is stored longer than necessary. Often it is simply that nobody has configured automatic deletion.
Third - access rights that are no longer current: former employees, or contractors whose engagement has ended.
This is not just GDPR. It is normal data management hygiene that reduces operational risk regardless of regulatory requirements.
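As an added example (not part of the original post), here is a small Python check run over a register kept in the structure described above. It flags the three findings from this section plus a missing legal basis; the register entries, the current staff list and the review date are constructed sample values.

```python
from datetime import date, timedelta

# Constructed sample register following the per-flow structure from the post.
REGISTER = [
    {"flow": "CRM contacts", "categories": ["contacts", "purchase history"],
     "source": "website form", "storage": "CRM", "access": ["sales", "support"],
     "retention_days": 730, "oldest_record": date(2016, 1, 10),
     "third_parties": ["email platform"], "legal_basis": "contract"},
    {"flow": "Competition entries", "categories": ["contacts"],
     "source": "website form", "storage": "SharePoint file",
     "access": ["marketing", "j.former"], "retention_days": 90,
     "oldest_record": date(2017, 6, 1), "third_parties": [], "legal_basis": None},
    {"flow": "Sales lead sheet", "categories": ["contacts"],
     "source": "website form", "storage": "Google Sheets", "access": ["sales"],
     "retention_days": 365, "oldest_record": date(2018, 1, 15),
     "third_parties": [], "legal_basis": "legitimate interest"},
]
CURRENT_STAFF = {"sales", "support", "marketing"}  # assumed: accounts still active
TODAY = date(2018, 3, 1)                           # assumed review date


def review_register(register, today, current_staff):
    """Return (flow, finding) pairs that need action before the deadline."""
    findings = []
    seen = {}  # (categories, source) -> first flow storing that combination
    for e in register:
        if not e["legal_basis"]:
            findings.append((e["flow"], "no legal basis recorded"))
        # Retention: the oldest record must not outlive the declared period.
        if e["oldest_record"] + timedelta(days=e["retention_days"]) < today:
            findings.append((e["flow"], "records older than retention period"))
        # Access: anyone not on the current staff list is a stale grant.
        stale = sorted(set(e["access"]) - current_staff)
        if stale:
            findings.append((e["flow"], f"stale access: {', '.join(stale)}"))
        # Redundancy: same categories from the same source kept twice.
        key = (tuple(sorted(e["categories"])), e["source"])
        if key in seen:
            findings.append((e["flow"], f"possible redundant copy of '{seen[key]}'"))
        else:
            seen[key] = e["flow"]
    return findings


if __name__ == "__main__":
    for flow, finding in review_register(REGISTER, TODAY, CURRENT_STAFF):
        print(f"{flow}: {finding}")
```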
What to do before 25 May
A practical minimum for a company that has not yet started:
- Run a session with each department asking one question: what data about people do you collect and where is it stored?
- Consolidate the results in a single register - even a simple spreadsheet.
- For each data flow, identify the legal basis and retention period.
- Identify cases that clearly do not meet requirements and prioritise them.
Full compliance in a few months is not realistic for most companies. But understanding where you stand is where any sensible work begins.