
GDPR – do I really need to do a data audit?



On 25th May 2018 the General Data Protection Regulation (GDPR) comes into force. As that day approaches, we are receiving an increasing number of enquiries on GDPR compliance. One of the recurring questions we are asked is ‘Is a data audit really necessary?’

What is a data audit?

A data audit (or data mapping) exercise means, in brief, finding out what personal data your organisation processes, as well as why and how it processes such data.

Do I need to do it?

The answer is ‘yes’. The GDPR requires data controllers to be able to demonstrate compliance with the obligation to process personal data lawfully, fairly and in a transparent manner, as well as to maintain a record of processing activities. Such a record will serve as evidence of your GDPR compliance, should you be required to produce one by the Information Commissioner’s Office (ICO), your insurers, business partners or other external parties.

It can also be a useful management tool providing an insight into how your organisation uses data. If properly conducted, a data audit should flush out any compliance gaps and risk areas and inform your data protection, data retention, information security and privacy policies.

How do I do it?

The methodology you will need to apply will depend on your organisation, e.g. how many branches and employees you have. Depending on the size of your organisation, the volume and type of personal data you process and the complexity of data flows in your business, it may be a detailed and time-consuming exercise, but it is invariably a useful one.

A data audit exercise should identify:

  • the types of personal information being processed
  • the purposes for processing each type of information
  • the lawful basis for each type of processing
  • the categories of recipients to whom personal data will be disclosed
  • technical and organisational security measures in place
  • all transfers of data and safeguards ensuring security of such transfers (e.g. appropriate contractual provisions in place with suppliers who have access to personal data controlled by your business).

You can only process personal data if you have a lawful basis to do so. In brief, this can be one or more of the following: data subject’s consent, contractual obligation, legal obligation, protection of vital interests, public task or legitimate interest. You must carefully consider and be able to justify your lawful basis for processing data, inform your data subjects accordingly by 25th May 2018 and document consent. Unless you have completed your data mapping exercise, you are unlikely to be in a position to draft a GDPR compliant privacy policy or other privacy notices.

An opportunity to get it right

As per the Information Commissioner’s Office (ICO) GDPR guide, now is a great opportunity to review your current procedures for processing data and change to more appropriate ones if necessary. Generally, after 25th May 2018, you will not be able to retrospectively change your basis for processing. For example, if you have asked for consent to process data for an unsuitable subject, and the individual withdraws that consent, it is then difficult to go back and ask again for consent towards another subject. In turn, it is likely that you will have to stop processing.

How can we help?

We can assist you in conducting your data audit or review the results of your audit (as required). We can provide advice in relation to the choice of the appropriate lawful basis for processing, or in relation to closing any identified compliance gaps. We can draft or review your internal and external policy documents and contractual arrangements with third parties.

If you need legal or practical advice in relation to data protection or wider commercial law issues, please contact Antony Hall on 0191 281 6151 or
