To determine what information your organisation holds, you need to run an audit of the flows of data through your organisation.
The Information Audit will identify:
- the paths through which data passes:
  - how the data is collected and why
  - where the data is sent within the organisation
  - what is done with it other than storage
  - specifically identifying where data is collected and not used
- the types of data being recorded, subdivided, among others, between:
  - personal data
  - non-personal data
- data storage:
  - where stored
  - how stored/backed up
  - when disposed of and how
- who is using the data collected by your organisation:
  - within your organisation
  - outside of your organisation
- the justification for collecting the data:
  - Consent or Parental Consent
  - Legal Grounds
  - Public Duty
  - Research / Public Good / Vital Interests
- and whether there are any:
  - Restrictions in the use of the data
  - Objections registered for the use of the data
- and finally whether the appropriate:
  - Legitimate Interest Assessments have been carried out
  - Data Processing Impact Assessments have been carried out
  - Privacy Policy exists
  - Security Policy exists
  - Processor Contracts exist
Such an audit can best be carried out on a business-area-by-business-area basis with a knowledgeable person running the process. This ensures that each area is covered thoroughly and should result in a clear mapping:
- of the flows within that business area,
- of the flows between business areas.
Remember that business areas do not have to be on the same site physically.
The next step is to determine the risks for each data flow and operation. This requires a review of each data flow to check how the data is collated, handled and stored, where it is sent, how it is used, and how and when it is disposed of. Once each of these steps has been reviewed and is being carried out appropriately, the organisation has already done much to address concerns about its treatment of data.
Once this is done, the organisation will have a full picture of what data is held and of what type (specifically, whether it is personal or non-personal). It will also know where the data is obtained from and how, and what is then done with it (rightly or wrongly), together with the justification required under GDPR for each of these actions.