Operator scenario

How a Marketing Agency Built Its First Data Inventory

Operator scenario — agency

Situation

A 22-person digital marketing agency was preparing a response to a client procurement questionnaire that asked about their data handling practices. The questions included: what customer data do you collect, where is it stored, who has access to it, and do you have a documented retention policy.

The agency handled client customer data routinely — campaign analytics, email lists, CRM data — but had never documented their practices formally. Different team members had different answers to the same questions. No single document described what was true across the organization.

What they did

The operations lead worked through the Data Privacy Baseline Workflow. The context step established the scope: digital agency, primarily B2C clients, handling email lists, advertising analytics, and some transactional data. The data inventory step produced a structured document listing every category of data the agency handled, the tools that stored or processed it, the retention period for each category, and who within the agency had access.

The risk review step identified two areas where practices were inconsistent: retention periods were undefined for two categories of data, and one third-party analytics tool in use for a client had never been reviewed for its own data practices.

What they produced

A data inventory document and a draft data handling policy. The policy was reviewed by the agency's attorney before being finalized. The inventory became the basis for their ongoing vendor review process.

Composite scenario. Does not represent a specific organization.

← Back to case studies

Do Not Sell My Data