
Assuric

How to create an Information Asset Register (IAR)

Step-by-step guide to creating an Information Asset Register for GDPR and the NHS Data Security and Protection Toolkit (DSPT)


The digital healthcare landscape is changing fast. New technologies, cloud platforms, and data-sharing practices are emerging all the time. For digital health companies, staying compliant with data protection standards such as the NHS Data Security and Protection Toolkit (DSPT) and GDPR isn't optional; it's essential for protecting both your organisation and your users.

Failing to comply can lead to serious consequences, including fines, reputational damage, and loss of trust. The first step towards strong data governance is understanding what information you hold, and this is where an Information Asset Register (IAR) becomes invaluable.

This guide explains how to create a clear, comprehensive, and compliant IAR to form the foundation of a robust data security framework.

This is guide 1 of 3 in a series for digital health companies on Documenting your data processing activities.

What Is an Information Asset?

An information asset is any collection of data or knowledge that is organised, managed, and valuable to your business.

Some organisations define an asset by application or platform (for example, Slack or Microsoft 365), while others prefer to group information by purpose (such as “Training Records in Google Drive”).

In this context, an information asset refers to the data itself, not the physical device that stores it. You may still wish to track physical devices, such as laptops and servers, in a separate Physical Asset Register, but this guide focuses solely on informational assets.

What Is an Information Asset Register (IAR)?

An Information Asset Register (IAR) is a record of all your information assets – essentially a detailed inventory of where personal or business data is held and how it’s managed.

Think of it as a map of your organisation’s data. It helps you understand what data you have, where it lives, who’s responsible for it, and what safeguards are in place.

Why an Information Asset Register Matters

An IAR is essential for maintaining visibility, accountability, and security across your organisation. It supports compliance and strengthens your overall data management approach in three key ways:

1. Transparency

An IAR gives you a clear overview of your data landscape. It helps avoid duplication, reduces confusion, and ensures everyone understands what information is held and where.

2. Accountability

Maintaining an IAR shows regulators, partners, and patients that your organisation takes data protection seriously. It demonstrates that you know what information you hold and why.

3. Security

By mapping out your data, you can quickly identify high-risk or sensitive assets. This allows you to focus your security measures where they matter most.

Understanding What Data You Can Store Under GDPR

Under the General Data Protection Regulation (GDPR), personal data must be handled lawfully, fairly, and transparently. Although the full regulation is extensive, a few principles are particularly relevant when creating your IAR:

  • Purpose limitation: Be clear about why you collect personal data and ensure it’s only used for legitimate, defined purposes.
  • Data minimisation and accuracy: Collect only what’s necessary, keep it up to date, and record why it’s needed in your IAR.
  • Storage limitation: Retain personal data only for as long as required.
  • Integrity and confidentiality: Put appropriate security measures in place to protect the data from unauthorised access or loss.

Documenting these details in your IAR helps ensure you’re meeting these principles in practice.

How to Create an Information Asset Register

1. Choose a Template

Start with a structured template.

Assuric provides a custom Information Asset Register template designed specifically for digital health companies. You can also find example templates on the Digital Care Hub website.

A good template makes it easier to capture and update key details consistently.

2. Gather Key Information

For each information asset, record the following details:

  • Asset name
  • Description and purpose
  • Location (e.g. cloud service, internal database)
  • Linked contracts or processors
  • Contains special category data?
  • Asset owner
  • Shared with third parties?
  • Risks if breached
  • Security controls in place
  • Retention schedule
  • Audit date
  • Breach history (if applicable)

Capturing this information reinforces key data protection principles such as retention, lawfulness, and minimisation.

3. Identify Special Category Data

Digital health companies often handle special category data – personal data that’s particularly sensitive and requires extra protection.

According to the UK GDPR, special category data includes information about:

  • Health
  • Genetic and biometric data (used for identification)
  • Sexual orientation or sex life
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership

If you process any of these data types, you must document them clearly in your IAR and ensure additional safeguards are in place.

For more details, visit the ICO’s guidance on special category data.

4. Review and Approve Your Register

Once you’ve drafted your IAR, review it carefully for accuracy and completeness. It should then be approved by senior management or your Data Protection Officer (DPO).

Your IAR isn’t a one-off exercise – update it regularly to reflect system changes, new software, or changes in how you process data. Regular reviews help you maintain compliance and strengthen your organisation’s data governance.
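The review in step 4 is easier to repeat on a schedule if the register is kept in a machine-readable form and checked automatically. The script below is an added example written for this guide, not Assuric's template or any DSPT-published tool. It assumes the register is a CSV with one column per field listed in step 2 (the column names are our own), treats the quarterly cadence from the FAQ as a 90-day review interval, and lints each row for the gaps a reviewer would look for: empty required fields, an unclear special-category classification, third-party sharing with no linked processor or contract, and an audit date that has gone stale. The sample register embedded in it is constructed for illustration and contains no real data.

```python
"""Lint an Information Asset Register kept as CSV (added example; column
names, sample rows and the 90-day review interval are assumptions)."""
import csv
import io
from datetime import date, timedelta

# One column per field in step 2 of the guide (names are an assumption).
REQUIRED_COLUMNS = [
    "asset_name", "purpose", "location", "processors", "special_category",
    "owner", "shared_with_third_parties", "risk_if_breached", "controls",
    "retention", "audit_date", "breach_history",
]
# Columns that may legitimately be blank for a given asset.
OPTIONAL_EMPTY = {"processors", "breach_history"}
# Quarterly review, as suggested in the FAQ.
REVIEW_INTERVAL = timedelta(days=90)

# Constructed sample register: one clean row and two rows with gaps.
SAMPLE_IAR = """asset_name,purpose,location,processors,special_category,owner,shared_with_third_parties,risk_if_breached,controls,retention,audit_date,breach_history
Patient triage records,Clinical triage of app users,AWS RDS (eu-west-2),AWS (DPA signed),yes,Head of Clinical Safety,no,High: health data of identifiable patients,"Encryption at rest, RBAC, audit logging",8 years after last contact,2025-09-01,
Staff training records,Evidence of mandatory training,Google Drive,,unknown,HR Manager,no,Low: internal records only,Folder permissions,Duration of employment + 6 years,2025-02-10,
Marketing mailing list,Newsletter distribution,Mailchimp,,no,Marketing Lead,yes,Medium: contact details of users,Access limited to marketing team,Until consent withdrawn,2025-08-15,
"""


def parse_register(text: str) -> list[dict[str, str]]:
    """Parse the CSV into one dict per asset; fail fast if columns are missing."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"register is missing columns: {missing}")
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def lint_entry(entry: dict[str, str], today: date) -> list[str]:
    """Return the review findings for one asset (empty list means it passes)."""
    findings = []
    # Every required field must be filled in.
    for col in REQUIRED_COLUMNS:
        if col not in OPTIONAL_EMPTY and not entry[col]:
            findings.append(f"missing {col}")
    # Special-category status must be an explicit yes/no decision.
    sc = entry["special_category"].lower()
    if sc and sc not in ("yes", "no"):
        findings.append(
            f"special_category must be 'yes' or 'no', got '{entry['special_category']}'")
    # Sharing with a third party implies a processor/contract to record.
    if entry["shared_with_third_parties"].lower() == "yes" and not entry["processors"]:
        findings.append("shared with third parties but no processor or contract linked")
    # The last audit must fall within the review interval.
    if entry["audit_date"]:
        try:
            audited = date.fromisoformat(entry["audit_date"])
        except ValueError:
            findings.append(f"audit_date '{entry['audit_date']}' is not an ISO date (YYYY-MM-DD)")
        else:
            age = today - audited
            if age > REVIEW_INTERVAL:
                findings.append(
                    f"audit_date {audited} is {age.days} days old "
                    f"(review interval {REVIEW_INTERVAL.days} days)")
    return findings


def lint_register(text: str, today: date) -> dict[str, list[str]]:
    """Map each asset name to its list of findings."""
    return {e["asset_name"]: lint_entry(e, today) for e in parse_register(text)}


def lint_sample(today_iso: str = "2025-10-01") -> dict[str, list[str]]:
    """Run the linter over the constructed sample as of a fixed review date."""
    return lint_register(SAMPLE_IAR, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for asset, findings in lint_sample().items():
        print(f"{asset}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against the sample, the clean row passes, the training records are flagged for an unclassified special-category field and an audit more than 90 days old, and the mailing list is flagged for being shared with no processor recorded. Keeping the register in version control and running a check like this before each review makes the "review and approve" step a repeatable gate rather than a one-off read-through.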

How Assuric Can Help

Assuric is built specifically to help digital health companies achieve and maintain compliance. Our platform supports every stage of the process, including:

  • Creating your Information Asset Register (IAR) from a tailored template
  • Keeping your IAR up to date with organisational changes
  • Reviewing your records to ensure they meet regulatory standards
  • Supporting compliance with GDPR, NHS DSPT, and NHS DTAC requirements

Talk to us to learn more or request your copy of the Information Asset Register template for digital health organisations.

What’s Next?

Once your IAR is complete, the next step is to understand how data flows through your organisation - where it comes from, how it’s used, and where it’s shared.

This leads into Step 2: Creating a Record of Processing Activities (ROPA), the next guide in our compliance series.

Frequently Asked Questions

1. Who is responsible for maintaining the IAR?

Usually, your Data Protection Officer (DPO) or compliance lead manages the IAR, with input from information asset owners across departments.

2. How often should the IAR be reviewed?

Ideally, review it quarterly, or whenever you introduce new systems, suppliers, or data processes.

3. Is an IAR legally required under GDPR?

While not explicitly named, maintaining an IAR is part of demonstrating accountability under GDPR and is strongly recommended within the NHS DSPT framework.

4. Should physical assets be included in the IAR?

Not necessarily. It’s usually clearer to maintain a separate Physical Asset Register for devices and hardware.

5. What are the risks of not maintaining an IAR?

Without an up-to-date IAR, you risk non-compliance, potential data breaches, and financial penalties.

6. Where can I find a reliable IAR template?

Assuric offers a digital health-specific IAR template, or you can access examples from the Digital Care Hub.

In Summary

Creating and maintaining an Information Asset Register (IAR) is a fundamental step in achieving GDPR and DSPT compliance. It provides clarity, accountability, and improved security across your organisation.

By keeping your register accurate and up to date, you’ll not only meet regulatory obligations but also build stronger data governance and trust with patients, partners, and regulators alike.
