To determine what information your organisation holds, you need to audit the flows of data through it.
The Information Audit will identify:
- the paths through which data passes:
  - how the data is collected and why
  - where the data is sent within the organisation
  - what is done with it other than storage
  - specifically identifying where data is collected and not used
- the types of data being recorded, subdivided, among others, between:
  - personal data
  - non-personal data
- data storage:
  - where stored
  - how stored/backed up
  - when disposed of and how
- who is using the data collected by your organisation:
  - within your organisation,
  - outside of your organisation.
- the justification for collecting the data:
  - and whether there are any:
  - and finally whether the appropriate:
Such an audit is best carried out business area by business area, with a knowledgeable person running the process. This ensures that each area is covered thoroughly and should result in a clear mapping of the data flows:
- within that business area,
- between business areas.
Remember that business areas do not have to be on the same site physically.
The next step is to determine the risks for each data flow and operation. This requires a review of each data flow to check how the data is collated, handled and stored, where it is sent, how it is used, and how and when it is disposed of. Once each of these steps has been reviewed and is being carried out appropriately, the organisation knows that it has already done much to remove concerns about its treatment of data.
Once this is done, the organisation will have a full picture of what data it holds and of what type (specifically, personal or non-personal). It will also know where the data is obtained from and how, what is then done with it (rightly or wrongly) going forwards, and the justification required under GDPR for each of these actions.