Before you get stuck into your GDPR compliance action plan, you’ll need to conduct a data audit. After all, if you don’t know what data you have, how it’s used and who has access to it, how can you identify what needs to change in order to address GDPR requirements? You wouldn’t start cooking without first knowing what ingredients are in the cupboard…
John Haggis, consultant solicitor at Keystone Law says: “Every business is different, as every business has different requirements for the acquisition and processing of personal data. All businesses should start with an audit, in conjunction with Article 5 of GDPR.”
The aim is to create a detailed audit trail: a data flow that documents how personal data enters your organisation, how it is processed and stored, and how it leaves. There are six fundamental questions that your GDPR data audit must address.
Firstly, what personal data does your organisation hold? Identify whether it’s personal, sensitive or relates to children. Make sure you have clear consent to use this data, and that you have a process in place for removing data that doesn’t adhere to GDPR’s rules on consent.
The second question asks how you collect personal data. For example, do you gather it on your website, in person, via LinkedIn or list brokers? You must document your processes for opt-ins and privacy policies.
Thirdly, how and where does your organisation store this data? Again, this needs to be documented, including what apps you use to do this and whether, for example, you store backups offsite or using a cloud service.
Fourthly, what happens to your data? Identify what you do with it, how it’s processed and where you send it, and have clear justifications for processing it, which you need to communicate to your data subjects – i.e. the people whose data you’re using.
Fifthly, the question of ownership must be addressed. Who is the named owner and controller of data in your organisation? Work out whether you are a data controller or a data processor, and who has access to the data. You must also have clear guidelines on who is responsible for the administration and upkeep of any data-related policies. This applies to legacy data as well as newly acquired data.
Finally, what is your policy for retaining and deleting data? Establish how long you keep your data and your justification for doing so. If you don’t have a process for deleting data, set one up, along with a clear policy on retention and deletion.
If you need to get to grips with GDPR within your organisation, Me Learning can help. Find out more about our suite of GDPR e-learning courses.