A data audit - the first step in GDPR compliance
12 Nov 2017
One of the first steps to get your organisation ready for GDPR compliance should be to conduct a data audit. Here the DMA’s Email Council takes a look at the key issues.
A good data audit should answer the following key questions:
- What data do you hold and why?
- How do you collect the data?
- How and where is the data stored
- What do you do with the data?
- Who owns and controls the personal data?
- Retention and deletion
- Who is responsible for the data and processors associated with data?
- Do you have adequate technology / process to adequately manage data processing?
The above information should be well documented and reviewed whenever there is a change made to how you handle personal data.
You should be able to create a data flow document that details how personal data enters, is processed and stored and exits your organisation.
This should include data that is being hosted both inside and outside of your organisation if you control it.
Some of the considerations when answering the key questions above are:
What data do you hold
- Is it personal data / sensitive data / children’s data?
- For all historic data, you need to be able to prove how you collected the data, what permissions you have and what it is being used for
- You should only be keeping data if you are using it and have clear consent for that usee
- You need to put in place a process for removing data which does not fit these criteria
How is the data collected?
- You need to document all the methods both online and offline in which you collect personal data (this may include website, telephone, in person, mobile apps or and third parties)
- You need to have well documented process of opt statements and privacy policies
- There needs to be a process in place to store historic changes to wording and track any future changes
How and where is the data stored?
- Document where the data is stored
- List what applications you use to do this
- Document how you process the data (are backups kept offsite or cloud based for example?)
- Check that all places data is stored used have their own up-to-date data policies and that all places you use are clearly mentioned in your data processing policies
Questions to ask about what you do with your data
- How do you process the data?
- Where do you send it to?
- What are your grounds and justifications for processing the data?
- Ask: do you need the data? If you don’t need the data, don’t collect it and store it. If you do need the data, clearly explain to the user why and what you will be using it for.
Who owns and controls the data?
- Are you a controller or processor of the data?
- Who has access to it? (A question to ask both internally and externally)
Retention and deletion
- How long do you keep the data?
- What is your justification for the length of time you retain it?
- What is the process for deleting data?
- Remember: Make sure you have a clear policy on this and a process for implementing it
Who is responsible for the data and processors associated with data?
As well as a named data controller, it is important that within the organisation there is a clear guideline to who is responsible for the admin and upkeep of any data related policies.
As part of the audit an ongoing process needs to be identified for historic data as well as newly- collected data.
Do you have adequate technology / process to adequately manage data processing?
Once you have identified what historic you can keep and need to keep and a strategy for collecting data moving forward you need to ensure your technology is able to do what you need to do.
Some key things include being able to deal, remove data, store the permission given at the point of collection (including wording as well as time, date etc.)
You should also document your justification for collecting, processing and storing the data and which of the six legal bases you are using to process the data.
Remember: you could be using different legal bases for different types of data.
The six legal bases for processing data are:
- Legitimate Interest
- Legal obligation
- Public interest
- Vital interest of data subject
GDPR places greater emphasis on the documents that data controllers must keep to demonstrate their accountability and the data audit should form part of a full IT governance review to ensure that your organisation is GDPR compliant.
This is a starting point and highlights some of the key areas which should be looked at. This is always better done in house as you know your business and your data but in areas where you are unsure or need clarification do not hesitate to seek out advice and experts. It is important to get this correct.