Data inventory

A data inventory is the foundational artifact of privacy compliance. Before an organization can honor data subject rights, manage consent, or assess regulatory risk, it needs an accurate answer to a deceptively simple question: what data do we actually have, and where is it?

In practice, data inventories are difficult to build and harder to maintain. Enterprises typically hold personal data in dozens or hundreds of systems: CRMs, marketing platforms, data warehouses, customer support tools, internal databases, cloud storage, email archives, and the data sent to third-party processors. New data sources are added faster than manual inventories can track them.

For privacy compliance, the data inventory must capture more than location: it needs to document the data's sensitivity classification, the lawful basis for holding it, the retention schedule, and any relevant consent or restriction signals. A data inventory that answers 'where is this data?' but not 'am I allowed to use it?' addresses only half the governance problem. The latter question, increasingly central to AI governance, requires inventory data to be connected to permission data.