Organizational Memory
Privacy card, MethodKit for Memory & Reminiscence
Card 46 of 66 · Theme: Governance, Legal & Risk · 5 questions to explore

Privacy

Data collected & stored about users

How your organization collects, stores, and uses personal data is governed by law in most jurisdictions and is a question of trust in all of them.

Privacy documentation often exists because regulation requires it, but the underlying work is also useful for practical reasons. Knowing what data you hold, where it lives, who can access it, and how long you keep it is the starting point for responding to a data breach, a regulatory inquiry, or a customer asking to see what you hold about them.

For most small organizations the documentation set is manageable: a privacy policy for external use, a record of processing activities for internal use, an assessment of which third parties you share data with, and a clear picture of where personal data is actually stored. The gap is usually not in the policies but in the audit of what data the organization actually holds in practice versus what it thinks it holds.

Data retention is one of the most commonly skipped parts: most organizations keep data indefinitely by default, which creates compliance risk and practical clutter, and every record kept past its purpose is one more record to protect, disclose, or lose. Deciding what to keep and for how long is a real decision worth making explicitly.

What to capture

For this part of the company brain, this is what is worth writing down and keeping current. The goal is not a complete archive but a living record that new people can read and returning people can trust.

Data inventory

What categories of personal data the organization collects, where it is stored, the legal basis for processing it, and how long it is kept.

Third-party processors

Which tools and vendors process personal data on the organization's behalf, and whether data processing agreements are in place.

Individual rights process

How the organization handles requests from individuals to access, correct, or delete their data, including who is responsible and how long it takes.

Breach response

The steps the organization would take if a data breach occurred, including notification timelines and who is responsible for each action. Notification deadlines are set by regulation and can be short (72 hours to the supervisory authority under the GDPR, for example), so they should be written down before an incident rather than looked up during one.

Questions to explore

Use these on your own or in a group. There are no right answers, only better conversations.

  1. What personal data does the organization actually hold, and where does each category live?

  2. For every tool or service that processes personal data, is there a data processing agreement in place?

  3. How would someone in the organization know if a data breach had occurred?

  4. What happens to customer or user data when a contract ends?

  5. When did you last review your privacy policy against what the organization actually does with data?

Things to notice

  • Many organizations publish an external-facing privacy policy but have not mapped the internal processes behind it, so the policy describes what they intend rather than what they actually do.
  • Third-party tools that ingest personal data are sometimes added without going through any privacy review, so the inventory drifts out of date continuously.
  • Data that is kept because deleting it feels risky or inconvenient accumulates into a liability rather than an asset, especially if it is breached.