Personal Data Inventory Sheet
- Assign one owner plus a backup before filling cells.
- Link each row to a system name—not a vague team name.
- Attach evidence (ticket IDs, screenshots policy) for audits later.
- Revisit quarterly or when vendors and flows change.
See also: Compliance portal · Official resources · Guides index
Use this sheet to build a living map of where personal data enters your business, where it sits, who can touch it, and what should happen when deletion, access, or vendor questions come up.
Best owner
Usually an ops lead, founder, or compliance-minded systems owner.
- Ask engineering to validate storage locations and integrations
- Ask support to add forgotten ticketing or export workflows
- Ask growth to add form and CRM tools
- Review again after major product or vendor changes
How to use this sheet
- Start with workflows, not policy documents.
- Add one row per system, tool, or recurring manual process.
- Note what data enters, who owns it, and what vendor or subprocessors touch it.
- Mark unknown areas clearly instead of pretending they are solved.
Suggested columns
- System or workflow name
- Entry point or collection source
- Data categories involved
- Business purpose
- Internal owner or team
- Vendors involved
- Access scope
- Retention or deletion notes
- Related rights-handling impact
- Open risk or follow-up action
Good prompts while filling it out
- Does this system hold data that never appears in the main product database?
- Would support, product, or engineering know this system exists during a deletion request?
- Does the current notice or consent explanation reflect this use?
- What breaks if the vendor changes, exports data, or keeps records longer than expected?
This sheet becomes much more useful when it is linked to rights handling, notice review, and retention review instead of living alone in a folder.