It surprises us sometimes how a small statement can hide an important process. The wording of data protection legislation is a great example of this. It very clearly tells you that your business must meet the demands of GDPR and that data is to be ‘processed lawfully and fairly’.
The problem is this particular legislation (Data Protection Act 2018) is, as most laws are, very clear on what you must do and not quite so clear on how you should do it. This tends to leave a lot of business owners and management teams scratching their heads and wondering how to implement a good, compliant, data strategy. So, here is an overview that may help blow away some of the fog.
At some point you will need to do an information audit. Sometimes these are known as a Data Protection Audit or Gap Analysis, but whatever you want to call it, it needs to happen because without it you are missing your foundation. The audit is the first step to understanding exactly what personal data your organisation holds. It looks at all the different parts of the business to understand their challenges. Well-meaning management teams often try to implement this themselves, but it is usually those doing the job day to day, rather than the MD or management, who know best how data is actually handled. The team tends to have specific knowledge about what practices are going on with personal data at a department level. You would be surprised how often a business doesn’t have a complete record of this.
The information audit should take a detailed look at how the organisation receives data, where it is stored, how it is used and, ultimately, how it leaves the organisation. This is then used as the foundation for building a good data protection process within your organisation. Simply put, just like any storage process, unless you know what comes in, what happens to it, and where it goes when it leaves, you cannot complete the audit.
Don’t forget the paper storage. Data is not always just electronic. Written documents, paper forms, and other things such as audio recordings, video, photographs and so on, are all potentially data. It is important to include everything.
You then need to record what all this data is doing. Essentially you need to map the data flows. It goes without saying that you will need to map all of them. Often the most useful way is to produce a diagram or other visual representation of the data flow.
Next up is a look at your suppliers. Firstly, you need to know where they are based. If they are based in America (e.g. Mailchimp, Microsoft and so on), then you will need to ensure you have appropriate mechanisms in place for the international transfer of data.
You should also consider anyone who is self-employed or contracted as opposed to employed. These are all risks to your data protection compliance if the correct paperwork is not in place. After the last year, we have all also learned a few lessons about how the people on your team who work from home need to be factored in.
Now we can turn to the IT systems themselves. Cyber security is an important part of the audit, so you need to check that you have up-to-date software, anti-virus and encryption as a start. A large proportion of data breaches are also down to the human factor, so another part of the audit could take that into account.
As you can tell, a data audit alone is a very precise task. In fact, there is probably a whole article in each of the paragraphs in this blog. Even once you have carried out the audit there is more to do. There will no doubt be an action list to improve compliance. You must make sure you get this done in a timely fashion and then diarise a repeat audit for the same time one year later. In data protection, a lot can happen in a year.
Datasense has carried out hundreds of data audits and we make sure that we look in every nook and cranny. We need to do that to find out all the data practices going on within the organisation. We know where to look, so we can identify where the gaps are, where bad practice is going on and what needs to be done to repair the problems.
Then we help you to fix them.