Data inventory / RoPA maintained
Demonstrate that the organization maintains an accurate, complete, and current inventory of all personal data processing activities with documentation sufficient to meet regulatory record-keeping requirements.
Description
What this control does
This control requires organizations to maintain a comprehensive, current inventory of all personal data processing activities, typically documented in a Record of Processing Activities (RoPA) as mandated by GDPR Article 30 and similar privacy regulations. The inventory identifies what data is collected, from whom, for what purposes, where it is stored, who it is shared with, retention periods, and security measures applied. This living document enables the organization to understand its data footprint, assess privacy risks, respond to data subject requests, and demonstrate regulatory compliance during audits or investigations.
Control objective
What auditing this proves
Demonstrate that the organization maintains an accurate, complete, and current inventory of all personal data processing activities with documentation sufficient to meet regulatory record-keeping requirements.
Associated risks
Risks this control addresses
- Unauthorized or forgotten data processing activities continue undetected, creating unmanaged privacy and security exposure
- Organization fails to respond accurately to data subject access requests (DSARs) because data locations and purposes are unknown
- Regulatory fines or enforcement actions result from inability to produce required records during supervisory authority inspections
- Excessive data retention occurs because retention schedules are not mapped to specific processing activities
- Third-party data sharing or cross-border transfers violate legal requirements due to lack of visibility
- Incident response and breach notification efforts are delayed or incomplete because affected data cannot be quickly identified
- Merger, acquisition, or system migration activities fail to account for all data assets, leading to data loss or compliance gaps
Testing procedure
How an auditor verifies this control
- Request the current data inventory or RoPA documentation from the privacy or compliance team, noting the last update date
- Review the inventory structure to verify it includes all required elements: data categories, processing purposes, legal bases, data subjects, recipients, storage locations, retention periods, and security measures
- Select a sample of 5-7 business processes or systems from different departments (HR, marketing, sales, IT) and trace each to corresponding RoPA entries
- Interview process owners and data custodians for sampled systems to verify the accuracy of documented data types, purposes, and retention periods against actual practice
- Cross-reference the RoPA against system inventory, vendor contracts, and data flow diagrams to identify any processing activities not documented in the inventory
- Review change management records and project documentation from the past 12 months to identify new systems or processes, then verify they are reflected in the RoPA
- Examine evidence of periodic RoPA review and update procedures, including assigned responsibilities, review frequency, and sign-off records
- Test the organization's ability to query the inventory by requesting a list of all systems processing a specific data category (e.g., health information) or sharing data with third parties in a specific jurisdiction
Where this control is tested