Conducting a data audit is fundamental if you're preparing to comply with the General Data Protection Regulation (GDPR).
A data audit simply involves taking the time to think about and document what personal data your business holds and how you use it. All businesses should be able to perform a GDPR data audit. It is unlikely that you will need a solicitor or a specialist consultant to help you with this.
The checklist below may help break down the key steps in the process.
How to carry out a data audit
To conduct an audit, you should ask yourself several key questions about the data you hold and document your findings. Things you should consider include:
- What types of personal data do you hold? - List the categories of data subjects and any personal data you collect. For example, current employee data, past employee data, customer data, marketing database, CCTV footage, etc. Segment this data by type, eg people's names, addresses, purchasing history, online browsing history, images, etc. Determine whether you hold only personal data, or whether some of it falls under the category of sensitive personal information. Do you collect and process children's data?
- Why do you hold this data? - List the purposes for which you collect and retain this data. For example, marketing, service improvements, product development, human resources, systems maintenance, etc. Consider what you do with the data. Do you use it at all? Do you need it? Can you show what you use it for? Establish the exact purpose and the legal basis for processing the data (eg consent, contract, legal obligation, etc). See more on the legal basis for processing of personal data.
- How do you store it? - Can you show how and when you collected the data? Can you document where you store it? How do you protect it, and who can access it? How secure is the data, both in terms of encryption and access control?
- What do you do with this data? - How do you process it? Do you share it with anyone? Why do you share it? Is the personal data transferred outside the EEA?
- Who owns and controls the data? - Are you a controller or processor of the data? Who has access to it (internally and externally)? What safeguards do you have in place with your processors?
- How long do you keep the data for? - Check your retention and deletion periods. What justification do you have for the length of time you retain it? What is your process for deleting data?
- What do you need to do to make your data processing GDPR compliant? - List the actions you should take to ensure your processing is compliant with the new legislation. For example, you may need to delete data that has exceeded your retention period or data you have collected unlawfully.
It may help to put all this information in a spreadsheet or a Word document. You can include specific headings for each of these considerations. You can search for free and commercial GDPR data audit templates on the internet, should you want to use them.
Documenting the audit will help you compile evidence and records on your compliance efforts. This may be useful in meeting the GDPR's accountability principle. Find out more about data protection principles under the GDPR.
After the data audit
Carrying out a data audit only gets you started with the GDPR. Once you complete it, you will need to:
- review and amend your policies and procedures, including your privacy notice
- meet your obligations in respect of data subject rights
- deal with data subject access requests
- carry out data privacy impact assessments, when necessary
- appoint a data protection officer, if applicable
- report serious breaches to the Information Commissioner's Office (ICO)
- put safeguards in place for security and transfer of data
GDPR-compliant templates exist on the internet for the majority of the policy documents. However, it's always a good idea to use your data audit findings to tailor standard form policies to your business and to reflect exactly what you do with personal data.
You can use our GDPR compliance checklist to work through the steps involved in complying with the new regulation.
This guide aims to help you understand GDPR and your obligations under the law, but it does not constitute legal advice. For definitive legal guidance, see the ICO's guide on GDPR or consider getting independent legal advice.