You should organise a data audit across your business to identify all the data that you COLLECT, STORE and PROCESS, and to examine how it flows into, through and out of your business. Conducting a data audit will help you to find out how you collect and store data.
Conduct an organisation-wide data audit to find out what personal data is being held, where and by whom. Once the data audit is complete, you should have a clear idea of what data your organisation keeps and how it is being used. Make a note of all the different platforms and systems that your company or organisation uses, e.g. email marketing software, social media accounts, CRM systems, laptops and mobiles, physical filing cabinets, files of manual paperwork and any kind of database that holds personal data identifying a data subject.
To begin: what personal information (i.e. what categories of data) do we have, where is it and what are we doing with it?
How is the data collected, where does the processing take place and what systems are used for processing it?
What is the volume of the data processed?
Who are the data subjects?
Where did we get this information from - was it from the individual or from a third party?
What is the reason for the processing of personal data? Which one of the lawful bases (below) is applied to each category of data processed?
(Compliance with a legal obligation, consent, legitimate interest, necessity to perform a task in the public interest, performance of a contract, protection of a vital interest.)
If the legal basis is consent, is the consent valid? How was it given?
What permissions do we have from the data subject to hold that particular information?
What is it that we are currently doing with the information? Are there any plans to do something else with the data in the future?
Who can access the data? Go through this department by department or business area.
How is the data stored (e.g. electronically or in hard copy)? It is necessary to list all the systems used.
How long does the company plan to keep this information? How long is the data kept on record and what happens to it ultimately? Have we justified storing the data for this length of time?
It is important to remember that a data flow can include a transfer of information from one location to another, e.g. the information may stay within your business yet a transfer takes place because the department or other office is located elsewhere. You then need to consider whether the data leaves the organisation, either electronically or by physical copy.
Does it cross any borders? If so,
What data security controls are currently in place?
Have any risks to current security controls been identified?*
*The final point serves to identify any risks to data security that require changes to be made in order to fulfil the requirements of GDPR.