Many organisations have undertaken information audits to gain an insight into this highly valuable corporate asset. This is particularly the case for those who will be governed by the EU General Data Protection Regulation, and associated local data protection law, where there are increased obligations to maintain documentary evidence of processing activities. However, there are of course many drivers for understanding the information assets maintained and used within an organisation, their characteristics, their value and the risks associated with them.
Whether in a spreadsheet form or (ideally) a database, an Information Asset Register (IAR) is used to record the inventory. This article explores (in no particular order of importance) 25 potentially beneficial outcomes from populating, maintaining and interrogating an IAR.
1. Understanding Asset Relationships: A related series of records sharing the same purpose (an “asset collection” if you will) might have a variety of constituent entities (“assets”) in different formats – e.g. physical records, digital content, system data. Identifying these within an IAR, with a suitable narrative recorded, will enable an understanding of their relationships and purpose over time. This could include for example recording the “story” of how paper originals and resulting images have been handled within a document scanning process, or the retirement and introduction of systems to store particular data sets.
Allied to this is tagging assets to a business classification scheme of the functions and activities of your organisation. This allows the assets to be categorised to a vocabulary of business activity that is neutral to and more stable than organisational structures (which can change more often than what an organisation actually does), provides a collated corporate view of assets maintained based upon their purpose (for example many departments will hold invoice, staff, policy and contract records) and identifies assets related to cross-cutting processes involving different teams. It also allows the consistent inheritance and application of business rules, such as retention policies.
2. Security Classification: Assets can be classified within the IAR to an approved security classification / protective marking scheme, with current protective measures recorded, in order to identify whether there are any risks relating to the handling of confidential personal or commercially sensitive information. You can assess whether assets are handled, stored, transferred and disposed of in an appropriate manner.
3. Personal Data: Specifically, you can identify confidential personal information to ensure that data protection and privacy obligations are met.
For example, the GDPR contains many obligations that require a thorough understanding of what personal data you process and how and why you do so. Many of the record-keeping requirements for a data controller under GDPR Article 30 can be supported by the information asset inventory. For example, the asset attributes can describe the purposes of the processing, the categories of data subjects and personal data, categories of recipients, relevant transfers, envisaged time limits for erasure of the different categories of data and a general description of the technical and organisational security measures.
It will also help data processors keep a record of the categories of processing, transfers of personal data to a third country or an international organisation and a general description of the technical and organisational security measures.
Much of the information about personal data required for Article 30 compliance is also useful to meet obligations under Article 13 and Article 14 on information to be provided, for example via privacy notices or consent forms.
Under Chapter 3 of the GDPR, data subjects have a number of rights. Understanding the location, format, use and lawful basis of processing for different categories of personal data will provide insights to support responses to those rights and requests.
Under Article 25 of the GDPR there are requirements for Data Protection by design and by default. Additionally, under Article 35 there are requirements relating to Data Protection impact assessments. The inventory can provide insight to which processes and systems need to be assessed based upon for example the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.
As mentioned above, it is important to identify who personal data is shared with. The inventory can support this and can also be used to monitor the existence or status of suitable agreements. For example, under Article 28 of the GDPR processing by a processor shall be governed by a contract or other legal act under Union or Member State law.
Article 32 of the GDPR covers security of processing, with requirements to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Using the inventory, you can assess the security measures in place for assets against their level of confidentiality. It also can help with identifying the data sets where, if anything unfortunate were to happen, there are considerations regarding Article 33 Notification of a personal data breach to the supervisory authority and Article 34 Communication of a personal data breach to the data subject.
4. Ownership: An IAR delivers the ability to know: Who owns what? This includes understanding ownership both in terms of corporate accountability and ownership of the actual information itself. You could also record who administers an asset on a day-to-day basis if this is different.
If based on suitable technology, designated Information Asset Owners can keep their assets up to date within the IAR, record ongoing business events and engage directly with responsibilities for security, retention, disposal etc. Fundamentally they have within the register described the “real world” stuff they handle, so this could lead to more meaningful interaction than with more generic descriptions of record types in policy documents.
5. Business Continuity: An organisation will have vital / business critical records that are necessary for it to continue to operate in the event of a disaster. They include those records which are required to recreate the organisation’s legal and financial status, to preserve its rights, and to ensure that it can continue to fulfil its obligations to its stakeholders. Assets can be classified within the IAR to an approved criticality classification scheme, with current protective measures recorded, in order to assess whether they are stored and protected in a suitable manner and to identify whether there are any risks relating to business critical (“vital record”) information. You can also identify the Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for assets to support a disaster recovery or data protection plan.
6. Originality: You can identify whether an asset is original or a copy, ascertaining its relative importance and supporting decisions on removing duplication and the optimisation of business processes.
7. Heritage: You can identify records of enduring historical importance that can be transferred at some stage to the custody of a corporate or third party archive.
8. Formats: An IAR delivers the ability to understand the formats used for information, supporting decisions on digital preservation or migration.
9. Space Planning: In order to support office moves and changes, data can be gathered for physical assets relating to their volume, footprint, rate of accumulation, use, filing methods etc.
10. Subject Matter: If assets are tagged to a business classification scheme of functions and activities, as well potentially to a keyword list, the organisation can understand the “spread” of record types (e.g. who holds personnel, financial, contractual records) and/or “discover” resources for knowledge management or eDiscovery purposes.
11. Archive Management: You can use an IAR to understand what physical records (paper, samples, backup tapes etc.) are archived, where and when; this might for example identify risks in specific locations or issues with the regularity of archiving processes. The organisation can also understand its utilisation of third party archive storage vendors – potentially supporting decisions on contract management / consolidation – and maintain their own future-proof inventory of archive holdings. Archive transactions can be recorded if there is no system to otherwise do so.
12. Location: The “location” of an asset can of course be virtual or physical. This (together with other questions relating to for example security measures) is important to ensure that information assets are suitably protected. It also helps in the planning of IT systems and physical filing / archiving services. The benefits for archive management are explored above and for maintaining a system catalogue below. Other examples might be to identify physical records to gather when doing an office sweep following vacation of a floor or building, or what assets are held in the cloud, or asset types within a given jurisdiction. It would also be a further method to support the “discovery” of resources for knowledge management or eDiscovery purposes.
13. Retention: An IAR can be used both to link assets with approved records retention policies and understand the policies and methods currently applied within the organisation, therefore identifying queries, risks and issues. The IAR can also be used to maintain the actual policies (across jurisdictions if applicable) and their citations; if a law changes or is enacted, relevant assets can be identified for any process changes to be made. You can track retention policy revisions and the approvals for doing so.
14. Disposal: An IAR can be used both to link assets with approved destruction or transfer policies and understand the processes and methods currently applied within the organisation, therefore identifying queries, risks and issues, particularly for confidential information. Notifications of disposition reviews can be generated based upon review cycles associated with policies. Disposal events / transactions, such as destruction or transfer to historic archive, can be recorded against assets if there is no system to otherwise do so.
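Points 13 and 14 describe linking assets to retention policies, generating disposition review notifications from the review cycles attached to those policies, and recording disposal events against assets when no other system does so. The following is an added example, not code from the original article, showing one way to implement that over a small register: it computes disposal due dates and next review dates from a policy table, lists assets with no valid policy link (the "queries, risks and issues"), and appends disposal events to an append-only log that doubles as the audit trail mentioned under point 23. The policy identifiers, periods, triggers and asset rows are all constructed for illustration.

```python
from datetime import date

# Constructed retention policy table (assumed identifiers and periods).
POLICIES = {
    "RET-FIN-01": {"period_years": 7, "trigger": "end of financial year",
                   "review_cycle_years": 1, "action": "destroy"},
    "RET-HR-02": {"period_years": 6, "trigger": "employment ended",
                  "review_cycle_years": 2, "action": "destroy"},
    "RET-BOARD-03": {"period_years": 10, "trigger": "creation",
                     "review_cycle_years": 5, "action": "transfer_to_archive"},
}

# Constructed register rows: trigger_date is when the policy's trigger event occurred.
ASSETS = [
    {"asset_id": "A010", "name": "Invoices FY2015", "policy": "RET-FIN-01",
     "trigger_date": date(2016, 3, 31), "last_review": date(2022, 4, 1), "status": "active"},
    {"asset_id": "A011", "name": "Leaver file J. Smith", "policy": "RET-HR-02",
     "trigger_date": date(2020, 6, 15), "last_review": None, "status": "inactive"},
    {"asset_id": "A012", "name": "Board minutes 2019", "policy": "RET-BOARD-03",
     "trigger_date": date(2019, 1, 10), "last_review": date(2019, 1, 10), "status": "active"},
    {"asset_id": "A013", "name": "Legacy project share", "policy": None,
     "trigger_date": None, "last_review": None, "status": "active"},
]

EVENTS = []  # append-only disposal / transfer log (the provenance trail)


def add_years(d, years):
    """Add whole years to a date, clamping 29 February to 28 February when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def policy_gaps(assets):
    """Assets with no policy link, or a link to a policy that is not in the approved table."""
    return [a["asset_id"] for a in assets if a["policy"] not in POLICIES]


def disposal_due_date(asset):
    policy = POLICIES[asset["policy"]]
    return add_years(asset["trigger_date"], policy["period_years"])


def next_review_date(asset):
    policy = POLICIES[asset["policy"]]
    base = asset["last_review"] or asset["trigger_date"]
    return add_years(base, policy["review_cycle_years"])


def disposition_notifications(assets, today):
    """Notifications due on `today`: disposal actions whose period has expired, else reviews whose cycle has lapsed."""
    notices = []
    for a in assets:
        if a["policy"] not in POLICIES or a["status"] == "disposed":
            continue
        due = disposal_due_date(a)
        if due <= today:
            notices.append({"asset_id": a["asset_id"], "kind": "disposal",
                            "action": POLICIES[a["policy"]]["action"], "due": due})
            continue
        review = next_review_date(a)
        if review <= today:
            notices.append({"asset_id": a["asset_id"], "kind": "review",
                            "action": "disposition review", "due": review})
    return notices


def record_disposal(asset, action, actor, when, events):
    """Append a disposal/transfer event and mark the asset disposed; returns the event."""
    event = {"asset_id": asset["asset_id"], "action": action, "actor": actor,
             "date": when, "previous_status": asset["status"]}
    events.append(event)
    asset["status"] = "disposed"
    return event


if __name__ == "__main__":
    today = date(2023, 6, 1)
    print("Policy gaps:", policy_gaps(ASSETS))
    for n in disposition_notifications(ASSETS, today):
        print("Notify:", n)
    record_disposal(ASSETS[0], "destroy", "Records Manager", today, EVENTS)
    print("After disposal:", disposition_notifications(ASSETS, today), EVENTS)
```

Keeping the disposal log separate from the asset row, and only ever appending to it, is what makes the register usable as evidence later: the row shows the current status, the log shows who did what and when.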
15. Source: The source of assets can be identified to understand where information is derived from and better manage the information supply chain. Under Article 14 of the GDPR, part of the information the controller shall provide to the data subject to ensure fair and transparent processing includes the source from which the personal data originates and, if applicable, whether it came from publicly accessible sources.
16. Rights: The rights held in and over assets can be identified, such as copyright and intellectual property, in order to protect IPR and to avoid infringement of the rights of others.
17. Applications Catalogue: The application systems in use (e.g. content management, front and back office) can be identified and linked to locations, people, activities and of course assets. Licensing and upgrade criteria could also be managed. It would also be possible for example to identify system duplication or the use of homegrown (as opposed to purchased) databases.
18. Condition: Both physical and digital assets can degrade: this can be identified for assets, with conservation / preservation actions taken accordingly.
19. Age: The age of assets can be established, with decisions made on their further retention / disposal, the need for archiving (historic or business) and potentially whether they need to be superseded with newer resources.
20. Record Organisation and Referencing: An understanding can be gained of whether structured systems, schemes and approaches are in place to describe, reference and organise physical and electronic assets, identifying whether there are likely to be any issues with finding information.
21. Utilisation: An understanding can be gained of whether assets are proposed, active, inactive, discontinued / superseded, therefore enabling decisions on their format, storage, disposal etc.
22. Sharing: An IAR can be used to identify how information is shared within and without the organisation, helping ensure that it is available as required, and that suitable security measures and, where applicable, information sharing agreements are in place. This supports compliance with Article 30 of the GDPR as part of the records of processing activities.
23. Provenance: Fundamentally an IAR can provide an accountable audit trail of asset existence and activity, including any changes in ownership and custody of the resource since its creation that are significant for its authenticity, integrity and interpretation.
24. Publications: Information produced for wider publication to an internal or external resource can be identified, including for example the audience for whom the resource is intended or useful, the channels used for distribution and the language(s) of the content, thus facilitating editorial, production and dissemination planning and management.
25. Quality: Observations can be recorded on the quality of assets (e.g. accuracy, completeness, reliability, relevance, consistency across data sources, accessibility), with risks and issues identified and managed.
Thanks for reading.