Conducting a Data Audit for GDPR
Conducting a comprehensive data audit is crucial if your organization is intending to meet GDPR principles. While not mandated by the GDPR, a data audit is a primary method by which organizations can establish what data they hold – a crucial first step towards GDPR compliance.
The GDPR, enacted into law across all EU member states, mandates that any organization obtaining, processing and holding personal data on an EU resident, must do so only for a specific purpose. Furthermore, the personal data must be obtained in a lawful, transparent manner, and cannot be processed or stored for longer than required.
To learn more about the regulation, read our introduction to GDPR.
This article is part of our Introduction to GDPR, which aims to help you understand the General Data Protection Regulation and your obligations under the law. However, while industry experts have put together our guide, it does not constitute legal advice. If you require definitive legal guidance, we suggest seeking professional legal advice or visiting the most appropriate Data Protection Authority (DPA).
What is a Data Audit?
Organizations conduct a data audit to establish what personal data is being collected, saved and processed. Conducting a data audit will help you understand:
- What personal data are you collecting
- How you are processing that data
- The purpose of processing data
- Whether the data is being processed lawfully
Conducting a data audit gives organizations valuable insight into the reasons, methods and mechanisms by which they collect, process and retain personal data.
A data audit may identify areas in need of improvement, or practices which are no longer required. Alternatively, you may find that everything is perfectly well as it is.
Why should organizations conduct a Data Audit?
Completing a data audit is the only way that organizations can determine if they are complying with GDPR data protection laws.
Under the GDPR, personal data can only be processed under one of 6 lawful bases. Organizations which are unable to determine under which one of the legal bases the personal data they collect is processed may be in breach of GDPR and the law.
Similarly, the GDPR stipulates six data protection principles. Under the GDPR organizations are required to ensure the application of these principles to personal data at all times.
A data audit enables businesses to establish if their practices for collecting, processing, and retaining personal data are compliant with GDPR.
Is a Data Audit required by the GDPR?
No. The GDPR does not specify that an organization must complete a data audit. However, without knowing what personal data your company is processing, there is no way of knowing whether your organization is compliant.
With the introduction of GDPR, the collection, processing, retention, and transfer of personal data on EU residents are legally-regulated acts. This means organizations must have lawful justification for obtaining, processing, and storing personal data.
How to conduct a GDPR Data Audit?
If performed in an organized and systematic way, conducting a data audit should be straightforward.
To perform a data audit, organizations should ask themselves a few questions about the personal data that they hold and document the findings:
1. What types of personal data does your business possess?
The first step in performing a GDPR data audit is to identify the types of personal data a business possesses. Start by listing the different categories of personal data held, for example, names, contact details, other designated identifiers, data gathered from mobile devices, online identifiers, employee records, and special category data (such as race, religion, gender, biometrics, etc.).
Organizations should categorize this information by type, for example:
- Purchasing history
- Online browsing history
Also, establish whether any of the data belongs to vulnerable individuals, and whether the data held is ordinary personal data or is classified as sensitive personal information.
2. Why does your organization have this data?
The objective is to list the reasons why a business needs to collect and store personal data. Establish the primary legal basis why you possess the data, such as consent, contract, legal obligation, etc.
Reasons may include for marketing purposes, HR and recruitment, service improvements or maintenance. Due consideration should be given to what your organization intends to do with this data, and how it is used.
3. How does your business collect the data?
Here, organizations need to list the primary sources of the personal data in their possession. Consideration should be given to where the personal data was obtained from. Organizations should be able to demonstrate the methods used to obtain the personal data, and whether they hold documented consent or opt-in records.
Some examples of data sources can include analytical logs from third-parties, mobile and computer apps, website cookies, email and physical mail, feedback and research surveys, social media, other third-parties, and website chatbots, forms and error logs.
4. How does your organization store the data?
The fourth step of the GDPR data audit aims to determine how the data is stored and collected. Fundamentally, the purpose is to establish how secure the data is, both in terms of who can access it and whether it is encrypted.
A business will need to demonstrate where this data is kept, how it is protected, and how it is accessed.
5. How is this data used?
The purpose of this section of the data audit is to understand how the organization processes all the data. Key questions to ask are: Is the data going to be shared? Why does this data need to be shared? Is any part of the information being transferred out of the EU?
6. Who owns and controls the data?
It’s crucial for organizations to determine their role, whether they are the data controller or the data processor, as the responsibilities vary:
- Data processors – Store and process the data on the data controller’s behalf
- Data controllers – Establish how and why personal data is processed
Depending on the circumstances, you can be both a data processor and a data controller simultaneously. Additionally, you need to establish who, internally or externally, has access to the data, and what measures are in place to protect it.
7. How long is the data kept by your organization?
Organizations must not retain personal data for longer than required. Consequently, businesses need to establish how long they need to retain certain types of data. This can be achieved by creating a retention schedule.
When creating a retention schedule, consider the justification for the length of time the data needs to be retained. Also consider the process for deletion, once the retention period has expired.
8. What steps does your organization need to take to ensure that all personal data is compliant with GDPR?
The final step of the GDPR data audit seeks to establish the actions required to ensure personal data is compliant to GDPR.
This may involve re-obtaining consent where it has lapsed, or removing any data which has surpassed its retention period. It may also involve deleting any data which has been inadvertently collected unlawfully.
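The eight questions above amount to a register: one entry per category of personal data, recording its purpose, lawful basis, source, storage, controller/processor role, transfers and retention period, plus the follow-up actions from step 8. The script below is an added illustration, not code from the original article; it models such a register and runs the checks the audit asks for (is a lawful basis recorded, is the data encrypted, is it transferred outside the EU, has the retention period expired). The register contents and the audit date are constructed sample values, and the finding codes are hypothetical labels chosen for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# The six lawful bases for processing under GDPR Article 6(1).
LAWFUL_BASES = {
    "consent", "contract", "legal obligation",
    "vital interests", "public task", "legitimate interests",
}

# Constructed audit date so the example is deterministic when run stand-alone.
AUDIT_DATE = date(2024, 1, 1)


@dataclass
class InventoryEntry:
    """One line of the data audit register (steps 1 to 7 of the article)."""
    category: str                   # step 1: type of personal data
    special_category: bool          # step 1: race, religion, biometrics, etc.
    purpose: str                    # step 2: why the data is held
    lawful_basis: Optional[str]     # step 2: one of LAWFUL_BASES, or None if unknown
    source: str                     # step 3: where the data came from
    storage: str                    # step 4: where it is kept
    encrypted_at_rest: bool         # step 4: how it is protected
    role: str                       # step 6: "controller" or "processor"
    transferred_outside_eu: bool    # step 5: shared outside the EU?
    retention_days: int             # step 7: retention schedule
    oldest_record: date             # step 7: age of the oldest data held


def audit_entry(entry: InventoryEntry, today: date = AUDIT_DATE) -> List[str]:
    """Return the step-8 follow-up actions for one register entry (hypothetical codes)."""
    findings = []
    if entry.lawful_basis not in LAWFUL_BASES:
        findings.append("no-lawful-basis")          # processing cannot be justified
    if entry.special_category:
        findings.append("special-category-review")  # needs an additional Article 9 condition
    if entry.oldest_record + timedelta(days=entry.retention_days) < today:
        findings.append("retention-exceeded")       # delete or re-justify retention
    if not entry.encrypted_at_rest:
        findings.append("unencrypted")              # document storage protection
    if entry.transferred_outside_eu:
        findings.append("transfer-outside-eu")      # document the transfer mechanism
    return findings


def audit_register(register: List[InventoryEntry], today: date = AUDIT_DATE) -> Dict[str, List[str]]:
    """Map each data category to its list of findings."""
    return {entry.category: audit_entry(entry, today) for entry in register}


def compliant_categories(register: List[InventoryEntry], today: date = AUDIT_DATE) -> List[str]:
    """Categories that raised no findings on this audit date."""
    return [cat for cat, findings in audit_register(register, today).items() if not findings]


# Constructed sample register for illustration only.
SAMPLE_REGISTER = [
    InventoryEntry("newsletter subscribers", False, "marketing", "consent",
                   "website form", "CRM database", True, "controller", False,
                   730, date(2021, 6, 1)),   # 2 years retention, oldest record now expired
    InventoryEntry("employee records", False, "HR and payroll", "legal obligation",
                   "HR onboarding", "HR system", True, "controller", False,
                   2190, date(2020, 1, 1)),  # 6 years retention, still within period
    InventoryEntry("web analytics logs", False, "service improvement", None,
                   "third-party analytics", "analytics vendor", False, "controller", True,
                   90, date(2023, 12, 1)),   # no basis recorded, unencrypted, transferred
]

if __name__ == "__main__":
    for category, findings in audit_register(SAMPLE_REGISTER).items():
        print(f"{category}: {findings or 'no findings'}")
```

Each finding maps back to one of the audit questions, so the output doubles as the action list for step 8 and as the written evidence the article recommends keeping.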
When to perform a Data Audit?
Organizations aiming to achieve GDPR compliance should perform a data audit at the outset. For most businesses, the first data audit is going to be difficult, since you need to map everything out to determine your information flows.
To maintain compliance, organizations will perform subsequent data audits and other data management actions periodically.
It will help to record all this data in a properly structured spreadsheet or word-processing document, with a specific heading for each of the questions above. Free and paid GDPR audit templates are also available online, so you may want to use one of these.
Writing down the audit lets you gather evidence and records of how you comply with GDPR, which is useful for meeting the GDPR principles. Find out more about the GDPR data protection principles.
After completing your GDPR Data Audit
Correctly carrying out a GDPR data audit helps you get started towards compliance. Once you have completed it, you will have to:
- Review and change your policies and procedures, and privacy notice
- Meet obligations relating to the rights of data subjects
- Handle data subject access requests
- When needed, perform data protection impact assessments
- If necessary, appoint a data protection officer
- Report any breaches to the DPA
- Put measures in place for data security and data transfer
Read our checklist for GDPR compliance to perform the steps needed to comply with the regulation.