Personal Data Inventory

This question asks whether you have a written record of all the types of personal information your service collects and stores. It's like having a map of where all customer data lives in your systems - what you collect (names, emails, addresses), where it's stored, who can access it, and how it flows through your company. You can't protect what you don't know you have.

Without a data inventory, you can't comply with deletion requests, assess breach impact, or answer customer privacy questions - leading to fines and failed audits. Companies with comprehensive data inventories reduce compliance costs by 50% and respond to incidents 75% faster. This documentation is the foundation of any privacy program and is specifically required by GDPR Article 30.

Most companies document obvious data like names and emails but miss hidden personal data in logs, analytics, support tickets, and backups. Another mistake is creating a one-time inventory instead of maintaining it as systems evolve and new data types are collected.