The first step toward the effective management of personal data assets is to create a personal data
inventory, which is a comprehensive list of the personal data that an organization collects, processes,
stores, transfers, and disposes of. A personal data inventory helps an organization to understand the
types, sources, locations, owners, purposes, and retention periods of the personal data it holds, as
well as the risks and obligations associated with them. A personal data inventory is essential for
complying with data privacy laws and regulations such as the GDPR or the PDPA, which require
organizations to implement data protection principles and practices, including obtaining consent,
providing notice, ensuring data quality and security, respecting data subject rights, and reporting
data breaches. A personal data inventory also helps an organization to identify and mitigate data
privacy risks and gaps, and to implement data minimization and data security controls.