What is a data asset inventory?

Similar to cybersecurity, you must know your data asset inventory before you can secure and protect the personal information held by your organization. It also serves as the cornerstone of a good privacy compliance program.

• The purpose of a data asset inventory is to create a structured inventory of an organization's data holdings, including both structured (in a database) and unstructured (on a network shared drive, email, etc.) data.
• It typically includes details such as the name of the data asset, its description, location, storage medium, owner or custodian, data format, data source, and relevant metadata.
• Conducting a data asset inventory also allows you to determine the purpose for collecting the personal information, understanding how it’s collected and who it is (or will be) shared with.
• All of those items combined give you the data lifecycle, which can be mapped out in visual format for easier understanding of data lifecycle for personal data collected by an organization.

Why is this important?

• A well-maintained data asset inventory provides a clear understanding of an organization's data landscape, facilitates effective data governance, helps identify data dependencies, supports data management and compliance efforts, and enables better decision-making related to data initiatives, data privacy, data security, and data lifecycle management.

Definitions

• Data asset inventory - a record or catalog that documents and describes the data assets -- including personal information -- held by an organization. It is simply a list, spreadsheet, or database that provides information about the data elements, datasets, databases, files, or any other data resources maintained within an organization.
• Data lifecycle – is a map of personal data, usually by creating a flow-chart, that documents the path data takes as it flows through the organization. Typically, it will include:
  • Collection (source of the data),
  • Storage (where data is kept – physically/virtually and country/jurisdiction, as well as encryption status),
  • Permissions attached to the data.
  • Usage (who uses and has access to it),
  • Sharing (who the data is shared with), and
  • Destruction plans and documentation.

Who does this?

• The roles and individuals responsible for documenting an organization's data asset inventory will vary based on the size, sophistication, and structure of the organization.
• Large organizations may have resources to establish a Data Governance Team that is responsible for establishing and enforcing data governance policies and procedures within the organization. They may oversee the development and maintenance of the data asset inventory as part of their broader data governance activities. Larger organizations may also have Data Stewards. They are individuals responsible for ensuring the proper management, quality, and use of specific data assets within the organization. They may contribute to the documentation process by providing detailed information about the data assets they steward.
• Depending on the size of the organization and its regulatory requirements, there could also be a Compliance Team. These teams focus on data security, privacy, and compliance with relevant regulations. They may contribute to the data asset inventory by documenting the classification, security requirements, and regulatory implications of the data assets.
• Most organizations, especially small businesses, will not have the resources for governance team and data stewards, or a full-time compliance team. Therefore, the responsibility for documenting the data asset inventory falls upon a single person or several individuals from different teams. Typically, those teams or persons that will create the inventory are from the IT Department and the Business Unit / Data Owners. Folks from these teams will collaborate to ensure accurate documentation of the data asset inventory.
  • For the organizations that lack some of these resources should consider implementing policies and processes to identify operational accountability to document the data asset inventory.
• Most importantly, an organization must establish clear roles and responsibilities for documenting and maintaining the data asset inventory within the organization. Additionally, who is involved in the process is less important than making sure that there is an owner assigned that understands their responsibilities regarding the documentation of the data asset inventory.

Example:

Here is an example of a simple data asset inventory sheet, that can be created using Sheets/Excel:

What is a Privacy Notice?

Creating a privacy notice is like drafting instructions to tell people how their personal information will be used, stored, shared and protected by your website or service.  It helps people understand what will happen to their information once they share it with you.  Additionally, it serves as a go-to place for contact details if people have questions or concerns.

So, do I need a Notice or Policy, or both?

The short answer is BOTH. A Notice is the EXTERNALLY facing document, usually directed towards your customers and the Policy is the INTERNALLY facing document, directed towards employees. This guide is focused on the externally facing Notice.

• Notice and Policy Definitions:
  • What is a Notice? A privacy notice is a legal document that outlines how an organization or website collects, uses, shares, and protects the personal information of its users or customers.
  • What is a Policy? A privacy policy is a legal document that outlines how an organization collects, uses, shares, and protects the personal information of employees.
• Why do I need this?
  • A privacy notice is a critical tool for not only complying with legal requirements, but also and more importantly, to inform individuals about the company's data practices, therefore building trust by being transparent with customers.
    • There are several reasons why a notice is important, including:
      • Most laws, abroad and in the US, including every state law passed so far, require one.
      • Builds transparency and trust between your organization and your customers.
      • Empowers individuals to make informed decisions about sharing their information.
      • Mobile app stores require them before publishing your company app.
      • Demonstrates you take privacy and security seriously.
      • Outlines measures the company takes to protect personal information.
      • Establishes the company’s accountability and liability for handling personal information.
      • Describes and data sharing with third parties.

Creating a Privacy Policy

While there is no "one-size-fits-all" approach to writing a privacy notice, these notices generally include several key sections, including:

• What personal information is processed?
• How is personal Information being used?
• Is personal information being sold or shared?
• Is data being disclosed to 3rd parties?
• What are the consumer’s data protection rights, and how can they be exercised?
• Will personal data be transferred to the United States?
• How is personal data being stored?
• How is personal Information kept secure?
• Is the data of a minor being collected?
• Contact Information

In Indiana, the Indiana Consumer Data Protection Law mandates the contents of a privacy notice.  According to this law, privacy notices should address:

• Categories of Personal Data Processed: Outline what types of personal data the controller is managing.
• Purpose for Processing Personal Data: Explain why the data is being collected and used.
• Consumer Rights: Inform consumers about their rights under IC 24-15-3 and the process of appealing a controller's decision.
• Data Sharing with Third Parties: If applicable, describe the types of data shared with third parties and list these entities.
• Categories of Third Parties: Name the categories of third parties with whom the personal data is shared.

Comparing these requirements, you will see notable similarities between the structure of privacy notices and the specifications laid out by Indiana law.

LEGAL ASSISTANCE

Whether you choose to draft your own privacy notice, or use a tool for assistance, consider consulting a legal professional or privacy expert to verify the adequacy of your privacy notice and ensure it aligns with applicable laws.

In Indiana, there are privacy rules and regulations that businesses and local government should be aware of (and consider discussing with your IT department). Here are some key laws and regulations:

1. Indiana Data Breach Notification Law (Indiana Code 24-4.9): This law requires businesses that experience a data breach containing personal information to notify affected individuals and the Attorney General’s office under certain circumstances.
2. Indiana enacted a comprehensive privacy law that goes into effect in January 2026.

Here is a link to the Indiana data breach notification form.

There are many privacy and cybersecurity laws and regulations that may be relevant to your business. Determining the answers to these questions should help determine other laws and regulations that may apply, including:

• What type of data does the business collect and store (contact information, health, financial)?
• Where is the business headquartered or registered?
• Where are business customers located (local, state, federal, international)?
• Do you transfer data across national borders? If yes, which countries are involved?
• Do you share data with third-party vendors or service providers? If yes, which countries are these vendors based in? Do the contracts with those vendors and service providers include appropriate data protection language?
• Do you offer goods or services to individuals located in the European Union or United Kingdom?

Here's some additional best practices for privacy:

• Obtain User/Customer Consent: When collecting and processing user data, obtain explicit consent for data collection and use required by applicable privacy laws including an option to opt out or control data use preferences.
• Data Retention: Retain user data only for as long as necessary to fulfill the purpose for which it was collected. Regularly review and delete outdated or unnecessary data to minimize privacy risks.
• Cookies and Tracking Technologies: Adhere to best practices and legal requirements regarding the use of cookies or similar tracking technologies on your organization's website or mobile applications. Provide clear information about the types of cookies used and obtain user consent where required.
• Privacy Impact Assessment: Conduct a privacy impact assessment to identify and evaluate potential privacy risks associated with your data processing activities. This assessment helps ensure compliance with legal requirements and enables you to implement appropriate safeguards.
• Data Security Measures: Implement technical and organizational measures to protect the security and confidentiality of user data. This includes measures such as encryption, access controls, regular system updates, and employee training on data protection best practices.
• Data Subject Requests: Establish processes to handle data subject requests, such as requests for access, correction, or deletion of personal data. Respond to these requests promptly and provide a transparent process for users to exercise their privacy rights.
• Data Breach Response: Prepare a data breach response plan that outlines the steps to be taken in the event of a data breach. This includes notifying affected individuals, authorities, and taking necessary actions to mitigate the impact of the breach.
• Privacy Notice and Policy: Regularly update or create your public-facing Privacy Notice and internal Privacy Policy. These documents should clearly communicate your data collection practices, how user data is used, and the rights and choices available to users.
• Vendor/Sub-processor Agreements: Review and update agreements with vendors or sub-processors to include privacy provisions. Ensure that they handle user data in compliance with applicable privacy laws and provide sufficient data protection measures.
• Map Business Processes: Understand and map your business processes to identify where user data is collected, stored, and shared. This helps to assess privacy risks and implement appropriate safeguards.
• Website Updates: Update your external Privacy Notice, Cookie Policy, and banners (if applicable) to reflect your current data collection and processing practices. Clearly inform users about how their data is used and provide options for managing their preferences.
• Use Encryption, Tokenization, or Anonymization: Whenever possible, use encryption, tokenization, or anonymization to protect your data. For example, look for services that use end-to-end encryption, especially for messaging and file-sharing.

By following these additional privacy practices, you can enhance your privacy measures and demonstrate a commitment to protecting user data.

• Basics and definitions
  • Cybersecurity is an important aspect of protecting data privacy; it is the process of protecting networks, devices, and data from unlawful access or criminal use and the practice of guaranteeing confidentiality, integrity, and availability of information.
  • NICSS acronyms and glossary
  • NIST glossary
• Why is this important?
  • Cyberattacks continue to increase in number and sophistication, including phishing, social engineering, ransomware, malware and other blunt force attacks.
  • Organizations that suffer cybersecurity breaches may face significant costs including reparations to each affected individual, government fines and penalties, and reputational damage.
  • Robust cybersecurity measures help organizations bolster defenses to help protect themselves from experiencing a cyber incident or a cyberattack, whether by theft or loss.
  • New regulations and reporting requirements make cybersecurity risk oversight a challenge. Leaders need assurance from management that its cyber risk strategies will reduce the risk of attacks and limit financial and operational impacts.
• How do data privacy, cybersecurity and physical security intersect?

• Cybersecurity 101 resources: A "Must Read" for Your Information Technology Staff
  • The Center for Internet Security (CIS) is a nonprofit responsible for the CIS Critical Security Controls and CIS Benchmarks.
    • These are globally recognized practices for securing IT systems and data.
    • At minimum, ensure your organization continually adheres to the latest version of the CIS Controls.
    • These are prioritized and simplified best practices.
    • The Global Cyber Alliance (GCA) creates and equips communities to deliver a more trustworthy Internet for all. Checkout GCA toolkits for small business, nonprofits, elections officials and more.
    • Healthcare Cyber in a Box 2.1 provides hospitals and healthcare providers and organizations with three levels of expert guidance – basic, intermediate, and mature – involving 23 critical areas of cybersecurity – as a FREE to download resource for keeping your operations secure while, at the same time, helping to protect your patients and preserving both their digital, as well as physical, well-being.
• Key Cybersecurity Policies - across all types of organizations, which present the highest risk to most. Focus on those and those that all employees should sign, including:
  • Acceptable Use
  • Use of Removable Media
  • Cloud File Storage
  • Remote Access
• Example of an action plan
  • Incident Planning and Management (see Apocalypse Now)

Learn more about Privacy Regulations

• GDPR (General Data Protection Regulation) is a European Union regulation on information privacy in the European Union and and the European Economic Area.
  • The general data protection regulation - Consilium (europa.eu)
• CCPA (California Consumer Privacy Act)
  • https://oag.ca.gov/privacy/ccpa/regs#:~:text=The%20CCPA%20regulations%20govern%20compliance,as%20it%20relates%20to%20minors
• PIPEDA (Canada) - The Personal Information Protection and Electronic Documents Act is a Canadian Law relating to data privacy.
• https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/
• LGPD (Brazil) - Brazilian General Data Protection Law - It is Brazil's first comprehensive data protection regulation, and it broadly aligns with the EU General Data Protection Act (GDPR).
  • https://lgpd-brazil.info/

If some of this seems a little overwhelming with where to start, another option (that is highly recommended) to consider is for the IT Team to adhere to the CIS Controls.

At a time when cyber breaches are happening frequently to many organizations, it can be helpful use the information that is available from trusted sources, such as CISA, to stay better protected.

Source: 2023 Verizon Data Breach Investigation Report

A Security Incident Could Be in Your Future

More Than a Phase: Incident Response Plans Involves Five Critical Steps

Phase One - Plan, Prepare and Be Ready

• Know Your Organization and Who You’re Accountable To
  • Local government
  • Small business
  • Nonprofit
• Know your apps, systems, data, components, and secure them
• Identify and codify who will help in an incident before it happens
• Author and announce incident response policies
• Write and exercise incident response plans
• Determine who you must communicate with
• Train people on what to report, to whom, and how

Phase Two - Identify and Report

• Teammates are trained to inform you of breach indications.
• Report analyzed incidents and events to those who can help.
• Inform your regulators according to their requirements.

Phase Three - Assess and Analyze

Determine

• What happened and when did it occur.
• Source and targets of attack.
• Data, applications, systems, and components that may have been compromised.
• Whether the attack is continuing.
• What must be done to defend, recover, and reconstitute.

Phase Four - Update and Recommend

Inform the following groups of the information from the Assess and Analyze slide, as necessary.

• Organizational leadership.
• Customers—what happened, impact to them, and actions they should take.
• Regulators

Phase Five - Defend, Recover and Reconstitute

Contact internal, contracted, state, and federal incident response partners to help.

• Fail over to disaster recovery sites if possible.
• Defend against and stop continuing attacks.
• Develop and execute recovery and reconstitution plans.
• Formulate communications with employees, customers, and others.
• Collaborate with federal agencies on investigations, if necessary.

In the Event…

• Cyber incidents and cyberattacks never happens the way you planned for it.
• Be sure to use your incident response plan and lessons learned from exercises.
• Be flexible!

Guidance for Local Government:

1. Data Protection and Privacy Laws: Local governments must comply with relevant data protection and privacy laws specific to their jurisdiction. These laws may impose obligations on government entities to protect sensitive data, implement security measures, and notify individuals in the event of a data breach.

2. Breach Notification Requirements: Depending on the jurisdiction, local governments may be required to notify affected individuals, regulatory authorities, or other relevant stakeholders following a data breach or loss. The specific notification timelines, content, and procedures can vary, so it's important to consult the applicable laws and regulations.

3. Record Retention and Destruction Policies: Local governments often have regulations outlining record retention and destruction requirements. It's crucial to establish appropriate policies and procedures for the retention, storage, and disposal of data to mitigate the risk of data breaches and ensure compliance with these regulations.

4. Compliance with Industry-Specific Standards: Local governments may need to adhere to industry-specific standards or frameworks pertaining to data security and privacy. For example, in the United States, the National Institute of Standards and Technology (NIST) provides guidelines and frameworks, such as the NIST Cybersecurity Framework, which can help inform best practices for data protection and incident response.

Small Business:

1. General Data Protection Regulation (GDPR): If a Small operates within the European Union or handles personal data of EU citizens, compliance with the GDPR is crucial. The GDPR enforces obligations on organizations to safeguard personal data, inform relevant supervisory authorities and affected individuals in case of a data breach, and implement appropriate security measures.

2. California Consumer Privacy Act (CCPA): If a small business collects personal information from California residents and meets certain criteria, you may need to comply with the CCPA. It requires providing specific notices to affected individuals in the event of a data breach.

3. Health Insurance Portability and Accountability Act (HIPAA): If a small business deals with protected health information (PHI) in the healthcare industry, you must comply with HIPAA regulations. HIPAA necessitates reporting data breaches to affected individuals, the U.S. Department of Health and Human Services (HHS), and in certain cases, the news media.

4. Payment Card Industry Data Security Standard (PCI DSS): If a small business accepts credit card payments, you must comply with PCI DSS requirements. PCI DSS includes guidelines for securing cardholder data, detecting and responding to breaches, and notifying payment card brands and individuals affected by a breach.

Non-Profit Organizations:

1. General Data Protection Regulation (GDPR): If a nonprofit operates within the European Union or handles personal data of EU citizens, compliance with the GDPR is crucial. The GDPR enforces obligations on organizations to safeguard personal data, inform relevant supervisory authorities and affected individuals in case of a data breach, and implement appropriate security measures.

2. Data Breach Notification Laws: Nonprofits must adhere to data breach notification laws specific to their jurisdiction. These laws typically demand organizations to swiftly notify affected individuals, regulatory authorities, and sometimes even the media about data breaches. The notification requirements may differ in terms of timing, content, and the specific circumstances that trigger the obligation to notify.

3. State or Provincial Privacy Laws: Nonprofits operating within particular states or provinces must follow specific privacy laws that outline requirements regarding data breaches or losses. These laws may include provisions for reporting breaches, informing affected individuals, and implementing security measures to protect personal information.

4. Nonprofit-Specific Regulations: Depending on a nonprofit's mission, activities, or funding sources, there could be particular regulations or standards applicable to the organization. For instance, nonprofits in the healthcare sector might need to comply with the Health Insurance Portability and Accountability Act (HIPAA), which includes breach notification requirements for protected health information (PHI).

Gotta Have a Plan and Take Time to Practice

One of the best ways to measure the effectiveness of a plan, once it's developed, is to conduct an exercise (and routinely practice) as a solution for achieving the best outcome for your business or organization. The following are some (free to download) examples, from trusted sources, that can help, including:

• Incident Planning and Incident Response Policy Template (SANS Institute)
• Cyber Incident Response Plan Template (State of Indiana Cyber Hub)
  • Practice your plan.
  • Be sure to include rules and regulations that might apply in the event of a data incident.
  • Don’t forget your regulators.