Personal data inventory
- One row per system or dataset until technical reality matches stakeholder mental models.
- Inventory feeds notices, retention, and vendor review—update after material product or stack changes.
- Use with mapping guide and vendor checklist.
This sheet helps product, engineering, and privacy teams agree on what exists before you rewrite notices or retention rules. It complements a processing register but stays closer to technical reality (systems and data stores).
| Field | Fill in |
|---|---|
| System / product name | |
| Environment (prod / staging / internal) | |
| Personal data categories | |
| Data subjects (customers, employees, vendors, …) | |
| Purposes of processing | |
| Collection sources (direct, third party, …) | |
| Legal basis narrative (for counsel review) | |
| Recipients & subprocessors with access | |
| Cross-border transfers? (Y/N + countries) | |
| Retention period or deletion trigger | |
| Security controls (high level) | |
| Business owner | |
| Technical owner | |
| Last reviewed |
Tip: For multiple systems, copy the blank row set or add rows below in your spreadsheet export.