GDPR - The Data Audit

The Data Audit

A data audit is a way in which you can ascertain and document the personal data that is held within your organisation.

It will help you establish what data you have and how you use it. From a monetary perspective it can help you to use your data more effectively and achieve a significantly higher ROI. To be compliant with the GDPR you need to know your data, and this could mean taking the time to map all of your data and using this map to gain visibility and clarity over your information flows.

Whilst some organisations might look at this exercise with dread, in the long term it will help you to monetise your data better and to be accountable with confidence for the data you hold. It also offers transparency to your customers about the way in which their data is used, all of which adds to an enhanced reputation in your marketplace.

1. What types of data do you hold?

You need to know the data that you are collecting. Under the GDPR there is personal data, and then there is special category personal data.

Standard Personal Data is any information that can be used to identify an individual, and includes:

  • Name
  • Address
  • Email Address
  • IP Address
  • Phone
  • National Insurance Number
  • Passport Details

Special Category Personal Data includes:

  • Health information
  • Racial or Ethnic origins
  • Religious or philosophical beliefs
  • Political opinions
  • Trade Union activities
  • Sex or Gender identity
  • Genetic or Biometric data that is used for the specific purpose of identifying an individual

It should be noted that in order to process special category data, you will need explicit consent from the individual.

If you are processing the data of children (under 16 in the UK), you will need a mechanism to be able to accept parental consent.

2. How (and where) did you collect the personal data?

You need to make a list of ALL of the places where you collect data. Some examples are:

  • CRM system
  • Email marketing system
  • Marketing database
  • Finance database
  • Social media channels
  • Website

You need to find out where your data is currently located and then decide where you would like it to be located. Interview team leaders and department heads and find out what data they have: where it is located, how and when they collected it, and how they use it.

At this point you need to ensure that each point at which you collect data is mapped.

3. Why do you hold this data and how is it being used?

  • What is your purpose for collecting and holding the data?
  • Are you able to show what you use it for?

List the purposes for which you use the data. These could include:

  • Service contracts
  • Marketing
  • Human resources
  • Essential records retention
  • Customers
  • Subscribers

Establish the purpose and the legal basis for processing your data. Does your Privacy Notice inform the reader about how you use and process the data of individuals?

4. Where and how do you store this data?

‘Where’ means both the geographical location and the mechanism that you use for storage, e.g. backups, cloud storage or servers.

You also need to consider security:

How secure is the data? What security measures are in place for your data, both in terms of encryption and in terms of who can access it?

Is it encrypted, should it be encrypted?

Who has access to it – do you have an access management policy?

5. What do you do with your Data?

  • How do you process your data?
  • Do you share it with third parties? If so, do you have processor agreements in place?
  • Does your data leave the EEA?
  • Do you have a use for every single piece of data that you collect and store?

Every piece of data that you collect should have a clear purpose, and you will need to explain that purpose at the time that you collect the data. Go back to point 2 and look at your map of the data collection points.

If during the audit you find that you hold pieces of information that have no clear purpose, delete them. We can no longer hang on to data on a ‘just in case’ or ‘nice to have’ basis; each piece of data must have a clear purpose.

As an organisation what information do you need?

  • What information is important to you?
  • What information feeds the bottom line?
  • Is valuable data being lost or not being used to its full potential?
  • Does your Privacy Notice inform the reader of everything that you do with the data?

6. Retention: how long do you keep your data?

  • What are your retention and deletion periods?
  • What justification do you have for keeping hold of data?
  • Do you know the legal retention periods for certain data?
  • Do you have a clear process for deleting data?

7. Communicating your privacy practices

You need to communicate your privacy practices to both your internal and external audiences. Do you have the necessary policies and procedures in place that tell people how you treat their personal data and to allow individuals to exercise their rights concerning their personal data under the GDPR? Have you communicated your Privacy Notice?

Once you complete the data audit, look carefully at any gaps that have shown up. Check your privacy notice to ensure that it informs the reader correctly of your data usage. Ensure that any data silos are deleted, and only retain the data that you need.

This is the first step to ensuring that privacy is embedded into your organisation: the beginning of building a privacy-centric framework within which your organisation can work.

The PrivacyTrust works with clients to help them ensure that their data is safe, secure and compliant with data protection laws.