Published on Sep 09, 2021
In a recent article, we discussed how to create an organisational structure for a GDPR compliance programme which includes establishing reporting lines, appointing a Data Protection Officer (if required), and setting a data protection and privacy compliance budget. The next task is to examine how existing data processing operations match up against UK GDPR and Data Protection Act 2018 compliance requirements.
Launching a GDPR audit, also known as a GDPR readiness assessment, requires a comprehensive examination of your privacy and data protection operations. Think of it as a checklist to identify areas of compliance and non-compliance, which starts with a data mapping exercise to discover what personal data your organisation holds. A GDPR Audit covers several key areas:
Along with areas of risk and any identified weaknesses, the audit report should also set out the existing strengths of your compliance processes and procedures. Once you have completed the audit, a set of recommendations on how to follow the right path towards GDPR compliance can be drafted and presented to relevant stakeholders.
In this article, we’re going to help you understand what data is being held and processed by your organisation. This can be achieved manually or with the help of technology. Manual data discovery and mapping exercises struggle to cope with the complexity of data held and used by most businesses, certainly larger ones. In comparison, technology can significantly speed up the process to create a comprehensive data inventory. However, irrespective of the means, the methodology will always remain the same.
Several points need to be established when planning and completing a data mapping exercise:
Knowing what data you have is the first step in data mapping. Much of what you have may be historic; therefore, you need to locate and document how and why it was collected along with why the data needs to be retained. While identifying what personal data you hold, be sure to record any special category data and children’s data as the GDPR has distinct compliance requirements relating to these categories.
You will also need to ascertain if you hold and process any EU/EEA citizens' personal data. Following Brexit, the UK is now a third country to the EU. This means that depending on where and how you operate, you may be required to appoint an EU representative. UK-based companies operating in the EU will need to appoint a local representative to act on their behalf unless they operate from a dedicated subsidiary organisation located within the EU that is registered with a supervisory authority.
All the methods where your organisation collects personal data will need to be understood and documented. This applies to both online and offline operations such as websites, mobile applications, social media, email, telephone, in person, and third parties.
While reviewing the data collection sources, it is also essential to record any opt-in or opt-out marketing preferences and any privacy statements created. If not already in place, make a note to implement a process to track any changes to these documents.
Document the location of where personal data is stored and any applications being used to facilitate storage. Remember to include backup storage solutions – are these held off-site or via the cloud?
Knowing the location of personal data is essential to be able to comply with Article 33 that states controllers must notify the Information Commissioner's Office (ICO) under UK GDPR and/or any relevant supervisory authority under EU GDPR within 72 hours of becoming aware of a data breach.
You need to establish how data is being used and who has access to it. If external parties are processing data, identify who these parties are and why this is necessary. Consider whether processing the data can be justified and how long it should be retained. Where using consent as the legal basis for processing, document how it was obtained. It can take time to answer these questions.
Not only do you need to establish if you are the controller or processor of a particular set of personal data, but it is also important to understand who else has access to it internally and externally. For example, your employees’ personal data may be held by the HR department and a third-party payroll company that pays the wages.
Article 5(1)(e) states that personal data “should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”. It is up to you to decide how long this is; however, it is important to have written justification on hand regarding the length of time data is kept. You also need to document what happens to personal data when it is removed from your systems.
Quick compliance tip - it is best practice for all organisations to keep up-to-date records. Maintaining records of processing activities under Article 30 is a requirement for most organisations, although not all. However, where accurate records are kept, it will be easier to conduct other compliance tasks such as responding to Subject Access Requests or investigating a data breach. It will also assist you to demonstrate accountability under Article 5(2), which is imperative for maintaining customer trust.
A data mapping exercise is the first step in a successful GDPR compliance audit. In our next article, we will set out the establishing lawful reason processing personal data.
To find out more about data protection and privacy law training, please email us at contact@freevacy.com or call 0370 04 27701.
Freevacy has been shortlisted in the Best Educator category. The PICCASO Privacy Awards recognise the people making an outstanding contribution to this dynamic and fast-growing sector.