Skip to main content

Privacy Management & Data Inventory

L
Written by Lizzie Burns
Updated this week

As part of Vanta’s mission to help businesses earn and prove trust, we’re expanding the platform to support privacy programs. Many organizations are required (especially under regulations like GDPR and other data privacy laws) to maintain a data inventory and a Record of Processing Activities (ROPA). Today, these are often managed in spreadsheets or legacy tools that sit outside of Vanta, leaving a gap between understanding how personal data is used and demonstrating compliance.

Vanta’s Data Inventory features give you a centralized place to describe how your organization processes personal data, track where it’s stored, and understand why it’s collected. By moving this work into Vanta, you can more easily maintain an accurate data inventory and gain clearer visibility into your privacy posture.

To get started:

  • Go to Privacy using the navigation menu in your account.

  • On the Data Inventory page, you can manage your processing activities, see details by vendor, and view your ROPA.

  • On the Settings page, you can manage custom fields for your processing activities.

You need to be on a current Vanta plan and have a privacy framework enabled to use the Data Inventory features. See Plans and Pricing

Data Inventory Page

Location

Description

Processing activities tab

View the processing activities your business performs, search and filter activities, and create or update processing activities.

Processors tab

View the vendors processing data on your behalf, search and filter processors, and see which processing activities each vendor supports.

View ROPA button

View your processing activities in a ROPA-style table and export your ROPA as an Excel file.

Creating Processing Activities

A processing activity describes the specific ways your organization handles personal data—what you collect, why you use it, who is involved, and where it’s stored.

Managing these activities in spreadsheets can make it difficult to maintain accurate records over time. Vanta centralizes this information so you can easily explore how data flows through your organization, identify gaps, and understand your privacy posture through clearer, more actionable views. You can also link impact assessments directly to the processing activities they evaluate, keeping your DPIAs (and other impact assessments) organized and connected to the underlying data in a single place.

Import from ROPA

You can bulk import processing activities from a ROPA spreadsheet (Excel or CSV). This is useful if you currently manage your ROPA outside of Vanta.

To import a ROPA file:

  • On the Data Inventory page, click the arrow next to the Create processing activity button and select Import from ROPA.

  • Click Download the Vanta template to ensure your spreadsheet fields will map nicely to Vanta’s default fields.

  • Add any custom fields you’re using in your spreadsheet in Vanta before importing.

  • When you’re ready, upload your spreadsheet into Vanta and follow the instructions to map your columns.

  • If Vanta identifies formatting issues, update your spreadsheet and re-upload it.

To ensure your ROPA imports smoothly, follow these tips:

  • Map each column in your spreadsheet to the related default fields in Vanta.

  • Create custom fields in Vanta for any columns that don’t exist in Vanta.

  • Use commas to separate multiple values in a cell.

  • Select header rows during import so they aren’t treated as processing activity data.

  • Review warnings for new personal data categories to confirm you want them created in Vanta.

  • Use ISO three-letter country codes for data locations (ex: USA, JPN).

Add Manually

To add a processing activity to your data inventory:

  • From the Processing activities tab, select the Create processing activity button.

  • Fill out the required fields: Processing activity name and Purpose of processing.

  • Fill out Vanta’s default fields or any custom fields you’ve added.

Default and Custom Fields

Vanta provides default fields to help you describe each processing activity. You can also define custom fields for your processing activities.

Default Fields

Only the processing activity name and data processing purpose are required to create a processing activity. All other fields are recommended to help you document additional details as you learn them.

Processing section

Fields

Purpose of processing

  • Processing activity name: Name of the processing activity.

  • Data processing purpose: Reason the processing takes place.

  • Description: Explanation of what the activity does.

  • Categories of individuals: Groups of people whose data you’re processing.

  • Lawful basis: The legal reason for processing the data.

Processor details

  • Vendors that process the data: Third-party processors or systems where the data is stored or handled.

Data processed

  • Data category: Category of personal data being processed.

    • Category of personal data: Type of personal data being processed.

    • Retention schedule: How long the data is kept before it’s deleted.

Data locations

  • Geographic location of data: Countries where the data is stored or processed.

Safeguards and security measures

  • Safeguards for exceptional transfers: Protections applied when data is transferred outside expected jurisdictions.

  • General technical and organizational security measures: Measures in place to protect the data.

Impact assessments

  • Upload impact assessment documents: DPIAs, DTIA documents, or other assessments that evaluate the risks of this activity.

Business ownership

  • Business function: Internal function responsible for the processing activity.

  • Business owner: Vanta user assigned to manage and maintain the processing activity.

Joint controllers

  • Joint controller: Details for any organizations jointly determining the purpose and means of processing, including:

    • Name

    • Description

    • Contact number

    • Contact email

Custom Fields

You can define custom fields for processing activities to capture information that isn’t included in Vanta’s default fields. This helps you maintain extra details that are specific to your organization’s privacy program.

To create a custom field:

  • Under the Privacy section of your account, go to the Settings page.

  • Click the Add field button.

  • Enter a Label and Description to ensure you’re using custom fields consistently.

  • Select the Field type (text, number, date, or multi-select). You can’t edit this selection after creating the field.

  • Choose the Processing section where the field should appear within a processing activity. See processing sections for Vanta’s default fields.

Related Articles
Vanta Security & Privacy Training
Vanta GDPR Training
US Data Privacy
How to Appoint an Article 27 Representative for GDPR
ISO/IEC 27701:2025 - What’s Changing and How to Prepare