It is always worth bearing in mind that, whether we are aware of the fact or not, the data which our businesses rely on builds up over time. It becomes a sort of inventory even if we don’t plan for it, so that inventory has to be organised.

We don’t just do this to achieve GDPR compliance. There’s a whole range of other tangible benefits, too; a good data policy also aids productivity and efficiency, earns customer trust, and allows you to market your services and products in much more focused and effective ways.

It might seem counterintuitive, but those end goals are also an ideal starting point. If you begin building any new data inventory with those goals in mind, it will allow you to form the important questions you need to ask to get it right. Similarly, if you are data mapping existing processes where you feel improvement is needed, it can really help too.

A useful, if unusual, guide…

The ‘five bums and a rugby post’ method, despite the unusual name, is a great formula for helping you ask the big questions when it comes to data, and if nothing else, it will certainly stick in your mind.

Imagine five rugby players sitting on the bar of a rugby post. That’s five ‘w’ shapes and one large ‘H’. Those bums represent five important questions: Who, What, Where, When and Why?

The rugby post itself (the large ‘H’) represents the final question: How.

How does this apply to data inventory? Let’s look a little closer…


In the context of GDPR, ‘Who’ simply asks whose data you process. It might be clients, patients, employees, and business partners; it’s an important and logical first step.

What data to include in the inventory?

You guessed it: what kinds of data do you hold? Is it personal data, for example, or is it sensitive data? It might be anything from information on a fitness device and search engine queries to bank details and medical records. Each is different, and those differences are vital.


Where is your data stored? It might be stored remotely (you might not realise it could even be outside the EU), or it could be held in email inboxes, filing cabinets or local hard drives. Is it structured in a database, or is it harder to locate?


‘When’ is time-based; ask yourself when you or your business collects data, how long you can hold it for, and the time constraints you must work to when dealing with data-related requests.


Why do you hold the data you do? For some, this will be to pay employees and contractors. For others, it will be for marketing, and for others still, it will be to comply with the law. It may even be a mixed answer.

The answers to all these questions will help you to establish HOW to build and maintain a structured and compliant data inventory, and I can help.

As a Certified Data Protection Officer, I help organisations of every size and scope to achieve compliance, improve efficiency and enjoy the many other benefits of a good data inventory practice. These are the questions that inform important aspects of my work with them.

If you would like to learn more, get in touch, or book a quick chat here.
