GDPR: Carrying Out your First Data Audit
The General Data Protection Regulation 2016/679 (GDPR) replaces the existing data protection regimes in place throughout the European Union, including the UK. It introduces a number of new obligations and requirements on data controllers and data processors. Compliance with the new regulations will be of even greater importance following the enforcement date of 25 May 2018, because the GDPR substantially increases the fines that can be imposed by the relevant regulatory bodies in the event of a breach – now up to a maximum of €20 million or 4% of annual global turnover, whichever is the higher.
This article focusses on your first step towards achieving GDPR compliance: a thorough and exhaustive data and information audit of your business. Regular data audits, reviews and data management exercises will be ongoing requirements to maintain compliance under the GDPR. But before you can do anything you must establish exactly what data you are dealing with, whether as a data controller [1] or processor [2], and why.
The GDPR introduces the Accountability Principle. This states that the data controller is responsible for, and must be able to demonstrate compliance with, all of the requirements of the GDPR (including the principles of Lawfulness and Transparency, Purpose Limitation, Minimisation, Accuracy, Storage Limitation, Integrity and Confidentiality, Transfers, and Data Subject Rights). It is crucial therefore that as the data controller you are able to provide evidence to support compliance with this principle.
Below is a simple data audit checklist and questionnaire to help get you started. Some areas may be more or less relevant depending on your business.
Conducting a comprehensive data audit will help you to identify your current position with regard to GDPR compliance.
You can find more information about data audits from our webpage (GDPR) and the following helpful Information Commissioner’s Office webpages:
In our next update we will discuss how to use the results of your audit to update or draft new GDPR-compliant data protection policies, strategies and procedures.
1. A ‘controller’ is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
2. A ‘processor’ is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.