GDPR: How to audit the data you hold

Napthens - October 4th 2017

Your first step is to simply understand how the GDPR will affect you, and that means understanding a little bit more about the personal data that you hold.

What is personal data?

The definition of personal data is carried over from the existing legislation: it is information that relates to an identified or identifiable natural living person.

It is often easiest to start by looking at what constitutes ‘data’ (personal or otherwise), and that means looking at the nature of the ‘processing’ involved. Once it is established that information is ‘data’, it becomes a question of deciding whether it relates to an identified or identifiable natural living person. At one end of the spectrum it is easy to recognise that an employee’s HR file constitutes personal data, as the employee is named in the file and the information in it relates to them. At the other end of the spectrum, you also need to consider whether your website tracks users by means of cookies, and whether that tracking information (on its own or combined with other data you hold) can be used to identify the person using the computer.

What personal data do you hold?

Now that we know what we are looking for, it becomes easier to list the obvious elements of personal data held by your business or organisation. Employee details and HR files are obvious examples held by all businesses, together with address books and contact details (including marketing databases and mailing lists). You may also hold more specific information, such as client files, minutes of meetings or contractual documents, that must be considered.

Where are you keeping it?

You need to consider both physical and digital environments when looking into where data is held, so this may include files held in a filing cabinet or sign-in sheets held in your reception, together with digital databases or records. With digital records, you should note where the data is actually stored: is it on the hard drive of the computer itself, or on a remote server in the ‘cloud’? Records held online need to be traced, so do you know in which country the server holding them is located? This matters because data stored outside the UK or the EEA is subject to the GDPR’s rules on international transfers.

Where did it come from?

Some information will have come from the data subject themselves (for example an employee completing employee information sheets on joining) or will have been generated by the business itself (such as minutes of meetings or performance reviews). You may buy in mailing lists from third parties, or be given personal data by a customer about their own staff or customers. Identifying where the data came from will enable you to establish whether you have lawful grounds for processing it.

Why do you have it?

Personal data must be processed lawfully, fairly and transparently, and only for the purposes for which it was collected. If you do not know why the data was collected, it becomes difficult to argue that any further processing of it is lawful.

How do you use it?

If you know where the data came from and why it was collected, you are in a position to check whether you are actually using it in a lawful manner, and that means double-checking how you use the data in practice rather than how you think you use it. Is the data you hold up to date and accurate?

Conducting an Information Audit

By performing an information audit, you will develop a greater understanding of the risks your business is exposed to, and whether any further actions are necessary or desirable to ensure that the personal data is secure. The results of your information audit can also be used to form the basis of policies and procedures, together with the information notices to be given to data subjects, so that you can demonstrate compliance with the GDPR.

Napthens can assist in performing information audits to identify the personal data held by your organisation, which includes interviewing members of staff and looking at your processes and procedures. In addition we can deliver practical training to your employees including how to identify personal data and conduct an information audit themselves.

For more information, please contact our GDPR specialists on 01772 888 444 or by email to GDPR@napthens.co.uk