A GDPR Data Audit is easier to complete than it sounds
With the EU’s General Data Protection Regulation (GDPR) coming into effect on May 25th, 2018, companies around the world are scrambling to become compliant. That means performing a GDPR data audit.
Before we go any further, this is not a GDPR compliance audit. We will provide guidance on how to handle GDPR compliance audits a bit later this month. Today, we’re going to discuss how to perform a data audit – an informal audit that should help clarify your next few steps towards compliance.
When to perform a Data Audit?
When it comes to getting compliant with the GDPR, you’re going to want to perform your data audit at the very outset. Keep in mind, the first data audit is likely going to be the most difficult one you perform. That’s largely due to the fact that you need to map everything out and truly use it to gain visibility over your information flows.
Of course, there will be additional data audits, compliance audits and other data management exercises along the way as you maintain compliance. But first you need to know where everything is. That first data audit is the one we’re discussing today.
Is it hard to perform a Data Audit?
Honestly, that all depends on the size of your operation. In theory, no, a data audit shouldn’t be hard to perform. It may be tedious, but not hard. To help get you into the right mindset, we’re going to cover some of the key questions your data audit needs to answer. Let these questions guide you as you proceed.
- What data are we collecting?
- Where are we storing the data?
- How do we protect and document the data?
- How long do we keep the data?
- Do we have a use for every piece of data?
- What is the process for honoring a request to delete data?
Obviously, there are other questions you’ll need to focus on, too. But these six should set a solid foundation.
Now that we have that settled, let’s go about collecting the information you need to complete your audit.
What data are we collecting?
The first question we need to answer may seem like the most obvious: what are we collecting? To answer it you need to know what qualifies as “personal data” under the GDPR. There are two categories. The first is the standard stuff: anything that can be used to identify an individual, directly or indirectly, for example:
- Name
- Email address
- IP address and other online identifiers (such as cookie IDs)
- Phone number
- Social Security, national ID or other identification numbers
Then there are the special categories of personal data (Article 9), which cover:
- Racial or ethnic origin
- Health data
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Sex life or sexual orientation
- Genetic data, and biometric data used to uniquely identify a person
Processing this second category is prohibited unless one of the specific Article 9 conditions applies, such as the explicit consent of the data subject. Additionally, if you rely on consent to process the personal data of children below the age of 16 in connection with online services (member states may lower the threshold to 13), that consent must be given or authorised by a parent or guardian.
Regardless, you need to go over your entire website (or websites) looking for any point at which you collect personal data. Make sure to map these out, too. Because later you’ll need to come back and add GDPR privacy notices to them.
But for now, just make a complete accounting.
Where are we storing the data?
The GDPR requires you to document where you’re storing the personal data of people in the EU (it applies to data subjects in the Union, not only to EU citizens). For the sake of this audit, “where” refers to both a geographic location and the kind of mechanism you’re using to store it, whether that’s emails, documents, databases, backups, email lists, etc. Geography matters because transferring personal data outside the EU is only permitted under specific conditions.
So after you’ve mapped out where you’re collecting information and what it is you’re collecting, you need to figure out where you’re storing it all. Get granular. ‘This subscription text field records email addresses in a database stored on a server in our New Jersey office.’ That may seem excessive, but as we have said repeatedly: err on the side of caution.
It’s better to be excessively cautious than to become a cautionary tale.
How do we protect and document the data?
Again, this is a fairly straightforward question to answer: what safeguards protect the data you have stored? Is access to it authenticated? How do you store those passwords: are they hashed, and with a per-user salt? Do you limit access to parts of your site, and to your databases, to the people who actually need it? Are you collecting this data over a secured HTTPS connection? Do you encrypt your data at rest, including backups? Do you log who accesses it?
These are the kinds of questions that need to be answered.
This is also an excellent opportunity to assess whether your organization is doing enough to secure the information that it collects. If the list of safeguards you have in place seems kind of short, it may be smart to discuss what safeguards you haven’t added yet and how you can incorporate them. Take the GDPR as an opportunity to get your house in order. It will pay off in the long run.
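As an added example (not code from the original post), here is the password-storage check the questions above point at, in Python: an unsalted SHA-256 digest beside a salted scrypt hash with constant-time verification, plus a small audit routine that flags the weak pattern in a stored credential table. The user records are constructed for the example, and the scrypt cost parameters are assumptions (sensible defaults for an illustration; tune them to your hardware).

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample data for this example (not real accounts):
# two users who happen to use the same password.
SAMPLE_USERS = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "correct horse battery staple",
}

# scrypt cost parameters: assumed values for the example, tune to your hardware.
# Memory use is about 128 * r * n bytes (16 MiB here), under hashlib's default limit.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def weak_hash(password: str) -> str:
    """Unsalted SHA-256: the pattern an audit should flag.

    Identical passwords give identical digests, so a leaked table reveals
    password reuse and can be attacked with precomputed tables."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt, stored as 'scrypt$<salt hex>$<key hex>' so the salt
    travels with the value and a fresh one is used for every user."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    salt, expected = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(key, expected)


def audit_password_table(table: Dict[str, str]) -> List[str]:
    """Audit check for a user -> stored-credential table.

    Flags bare hex digests (no scheme marker or salt, e.g. raw MD5/SHA-1/SHA-256)
    and duplicate stored values, which betray a missing salt whatever the format."""
    findings: List[str] = []
    by_value: Dict[str, List[str]] = {}
    for user, stored in table.items():
        if len(stored) in (32, 40, 64) and all(c in "0123456789abcdef" for c in stored.lower()):
            findings.append(f"{user}: stored value is a bare hex digest (unsalted hash)")
        by_value.setdefault(stored, []).append(user)
    for users in by_value.values():
        if len(users) > 1:
            findings.append("identical stored value shared by " + ", ".join(sorted(users)))
    return findings


if __name__ == "__main__":
    weak = {u: weak_hash(p) for u, p in SAMPLE_USERS.items()}
    strong = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    for finding in audit_password_table(weak):
        print("WEAK  :", finding)
    print("STRONG:", audit_password_table(strong) or "no findings")
    print("verify:", verify_password("correct horse battery staple", strong["alice@example.com"]))
```

Run against the weak table, the audit reports both accounts as bare digests and notes that they share a value; against the scrypt table it reports nothing, because each user's salt makes the stored values differ even though the passwords are the same. That difference is exactly what a leaked database exposes, and it is the concrete thing to record under “how do we protect the data”.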
How long do we keep the data?
Like so many other things in the GDPR, the maximum amount of time an organization may store data is ill-defined. The storage limitation principle simply says personal data should be kept “no longer than is necessary” for the purposes it was collected for. Great.
Ideally, the GDPR wants you to dispose of personal data once it has served its purpose, but without any timelines it can be difficult to figure out what an appropriate retention period is. Part of the reason is that different organizations have different needs, and a blanket rule wouldn’t fit very well.
Your organization should decide what is appropriate for itself. Here are some things to consider:
- The value of the information, both now and in the future
- The costs and risks of continuing to store the data
- The ease of keeping it maintained and accurate
Additionally you’ll also need to consider how you’re using the data, any additional legal or regulatory requirements and what is generally considered a best practice in your industry.
If you’re storing personal data indefinitely with no documented reason, you need to put an end to that immediately: set a retention period for each category of data, write it down, and enforce it.
Do we have a use for every piece of data?
Every piece of personal data you collect should have a purpose. Ideally you should be able to explain that purpose at the point of collection, too. So what are you using this data for? Is it for completing a transaction? Are you adding it to an email subscriber list? Are you using it to tailor a better website experience or deliver better customer service?
If you mapped out all of your data collection points earlier, this should be easy. And any data that isn’t being collected for a specific purpose needs to be deleted. The days of grabbing as much information about a user just for the sake of having it are long gone. The data you collect needs to be collected for an express purpose—one that is clearly articulated to your customers.
What is the process for honoring a request to delete data?
Finally, you need to figure out how you’re going to honor the right to be forgotten (the right to erasure, Article 17) and the related rights of access and rectification. Together these give individuals control over their personal information, including the ability to see it, correct it or have it deleted.
That means you need a mechanism for quickly locating every copy of a person’s data (including backups and copies held by your processors) so you can deliver it to the data subject on request, or erase it. The two main questions you need to answer here are:
- Whose responsibility is it to respond to data requests from users?
- What records need to be checked to provide said data?
Once you know this, you should have all the information you need to complete your GDPR data audit.
GDPR Data Audit Checklist
Here’s a quick checklist to help you work through your Data Audit.
| Question | Prompt |
| --- | --- |
| What data do you possess? | Does the data fit these categories? |
| Why do you possess that data? | Considerations: |
| How did you obtain the data? | Things to determine: |
| When did you obtain the data? | Can you identify the date it was collected? |
| Who in your organization is responsible for the data? | Things to consider: |
| What does your organization do with the data? | Considerations: |
| How do you store and secure the data? | Considerations: |
| Who controls the data? | Are you the “controller” or just a “processor”? |
| How long is the data stored, and how do you delete it? | Considerations: |
Check out the rest of the Hashed Out GDPR Compliance Series
- GDPR: Introduction to a Series
- GDPR: How it affects the Domain Industry
- GDPR: How it affects Web Hosts
- GDPR: Problems for ICANN/WHOIS?
- GDPR: Complying with EU-US Privacy Shield
- GDPR: What is a Data Protection Officer?
- GDPR: Best Practices for Privacy Notices
- GDPR: What you need to know about Cookies
- GDPR: What is the Right to be Forgotten?
- GDPR: How to perform a Data Audit
- GDPR: Encryption Best Practices
- GDPR: When to report a Personal Data Breach