How to Create a Data Inventory for GDPR and DPDP: Step-by-Step Guide

SK
The Privacy Sarathi

A data inventory is one of the first things regulators ask for when auditing your privacy program. Under GDPR's Article 30, it is a formal legal requirement. Under India's DPDP Act, understanding what data you hold is a foundational obligation.

Yet many organizations either have no data inventory or have one that is hopelessly out of date. Here is how to build one that actually holds up.

What Is a Data Inventory?

A data inventory, sometimes called a Record of Processing Activities (RoPA), is a structured document that captures what personal data your organization holds, where it comes from, where it is stored, who has access, and how it is used.

Think of it as a map of your organization's relationship with personal data. Good data discovery and classification is the engine that keeps that map accurate.

Step 1: Identify Your Processing Activities

Start by listing every activity in your organization that involves personal data. Common examples include:

  • Collecting customer contact information for sales
  • Processing employee payroll data
  • Running marketing email campaigns
  • Recording customer support interactions
  • Sharing data with analytics platforms

For each activity, ask: what personal data is collected, and why?

Step 2: Map Data Sources and Storage Locations

For each processing activity, identify where the data comes from and where it lives. Use a data governance platform or even a structured spreadsheet to record:

  • Source of data (web form, app, third party, etc.)
  • Storage location (database name, cloud bucket, SaaS tool)
  • Whether data is stored in India, the EU, the US, or elsewhere

Under GDPR, Article 30 specifically requires you to document where data is stored and any international transfers.

Step 3: Document the Legal Basis for Processing

Under GDPR, every processing activity needs a lawful basis. Under DPDP, processing personal data requires consent or a legitimate use. For each entry in your inventory, record:

  • The legal basis (consent, contract, legitimate interest, legal obligation, etc.)
  • Where consent was captured, if applicable
  • Any conditions or restrictions that apply

This step is where many organizations realize they are processing data without a clear lawful basis, which is exactly the kind of gap an audit would surface.

Step 4: Identify Who Has Access

For each data category, document:

  • Internal teams with access (HR, marketing, engineering, etc.)
  • External vendors or processors who handle the data
  • Any sub-processors your vendors use

This feeds directly into your vendor risk management obligations. Under both GDPR and DPDP, you need contracts in place with every vendor who processes personal data on your behalf.

Step 5: Document Retention Periods

For each data type, record how long you keep it and why. Common retention periods include:

  • Customer data: duration of relationship plus a defined period after
  • Financial records: statutory requirements (typically 6-8 years in India, depending on the specific law: the Income Tax Act requires 6 years, the Companies Act requires 8 years)
  • Marketing data: until consent is withdrawn
  • Job applicant data: typically 6-12 months if not hired

Without clear retention schedules, you will inevitably hold data longer than necessary, which increases both privacy risk and storage cost.

Step 6: Note Data Transfers

If personal data leaves your organization or crosses borders, document it. Record:

  • Which vendors receive the data
  • The country where it is processed
  • The transfer mechanism used (standard contractual clauses, adequacy decision, etc.)

DPDP data mapping requirements are still evolving, but building the habit of tracking transfers now puts you ahead of the curve.

Step 7: Keep It Current

A data inventory is only valuable if it stays accurate. Build a process to:

  • Update the inventory when new systems or data types are introduced
  • Review the full inventory at least annually
  • Assign ownership to a specific person or team

Data discovery and classification tools can automate much of the ongoing maintenance by scanning for new data assets and flagging changes.

What a Good Data Inventory Template Covers

A solid data inventory template should capture:

  • Processing activity name
  • Data controller and processor details
  • Categories of data subjects
  • Categories of personal data
  • Purpose of processing
  • Legal basis
  • Storage location and retention period
  • Recipients and transfers
  • Security measures applied
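
As an added illustration (not part of the original guide and not Redacto's code), the checker below treats the template fields as a record schema and flags the gaps described in Steps 3, 6 and 7. The key names, the gap codes, the `HOME_COUNTRY` value and both sample entries are assumptions constructed for this example.

```python
from datetime import date

# Keys mirror the template list above; the key names themselves are this example's own.
REQUIRED = ("activity", "controller", "data_subjects", "data_categories", "purpose",
            "legal_basis", "storage_location", "retention", "recipients",
            "security_measures")
HOME_COUNTRY = "IN"          # assumption: the organization operates from India
MAX_REVIEW_AGE_DAYS = 365    # Step 7: review at least annually

def audit_entry(entry, today):
    """Return a list of gap codes for one inventory entry (empty list = no gaps)."""
    findings = [f"missing:{f}" for f in REQUIRED if entry.get(f) in (None, "")]
    # Step 3: consent as legal basis needs a pointer to where it was captured.
    if entry.get("legal_basis") == "consent" and not entry.get("consent_record"):
        findings.append("consent-without-record")
    # Step 6: a cross-border transfer needs a documented transfer mechanism.
    for t in entry.get("transfers", []):
        if t.get("country") != HOME_COUNTRY and not t.get("mechanism"):
            findings.append(f"transfer-no-mechanism:{t['vendor']}")
    # Step 7: every entry needs an owner and a review within the last year.
    if not entry.get("owner"):
        findings.append("no-owner")
    reviewed = entry.get("last_reviewed")
    if reviewed is None or (today - reviewed).days > MAX_REVIEW_AGE_DAYS:
        findings.append("review-overdue")
    return findings

# Constructed sample entries, not real records.
PAYROLL = {
    "activity": "Employee payroll", "controller": "Example Pvt Ltd",
    "data_subjects": "employees", "data_categories": "bank details, salary",
    "purpose": "pay salaries", "legal_basis": "legal obligation",
    "storage_location": "hr-db (IN)", "retention": "8 years",
    "recipients": [], "security_measures": "encryption at rest, RBAC",
    "transfers": [], "owner": "HR Ops", "last_reviewed": date(2025, 1, 10),
}
MARKETING = dict(PAYROLL, activity="Marketing email campaigns",
                 data_subjects="customers", data_categories="name, email",
                 purpose="newsletters", legal_basis="consent", retention="",
                 storage_location="SaaS mailing tool (US)", owner=None,
                 transfers=[{"vendor": "ExampleMail", "country": "US", "mechanism": None}],
                 last_reviewed=date(2023, 11, 1))

def audit_inventory(entries, today):
    """Map activity name -> findings, keeping only entries that have gaps."""
    report = {e["activity"]: audit_entry(e, today) for e in entries}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, gaps in audit_inventory([PAYROLL, MARKETING], date(2025, 6, 1)).items():
        print(name, gaps)
```

Running a check like this on a schedule turns the annual review into a list of specific entries to fix rather than a full re-read of the spreadsheet.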

Conclusion

A well-maintained data inventory is both a regulatory requirement and a practical tool. Without it, you are flying blind on privacy compliance.

Redacto's data discovery module automates the scanning, classification, and mapping process, so your data inventory builds itself rather than sitting as a stale spreadsheet. Talk to our team or reach out on WhatsApp to see how it works.

Frequently asked questions

Is a data inventory the same as a RoPA?

Largely yes. A Record of Processing Activities (RoPA) under GDPR Article 30 is a formal data inventory documenting all processing activities involving personal data.

Does the DPDP Act require a data inventory?

The DPDP Act does not use the term "data inventory," but its requirements around consent, data minimization, and accountability effectively require organizations to know what data they hold and why.

What is the difference between data mapping and a data inventory?

A data inventory lists what data you hold. Data mapping shows how it moves through your organization. Compliance programs typically need both.

Who needs to maintain a data inventory under GDPR?

Under Article 30, most organizations with 250 or more employees must maintain a RoPA. Smaller organizations that process high-risk data are also required to do so.

How often should a data inventory be updated?

At a minimum, annually. In practice, the inventory should be updated whenever new data types, systems, or vendors are added.

Can data discovery tools build a data inventory automatically?

Yes. Data governance software can scan your systems and auto-populate much of the inventory, reducing the manual effort required to maintain it.
