We recommend that all of our clients undertake regular data protection audits, but with the General Data Protection Regulation (GDPR) around the corner, carrying significant penalties for non-compliance, it’s more important than ever to ensure you are on top of your data protection matters.
Undertaking an audit will flag any issues with data you hold, and highlight the changes you need to make to your data collecting and processing procedures to ensure your business is compliant.
Below, we highlight some of the key considerations you should address as part of your data protection audit, and why they are so important.
Whose personal data do you hold?
You should always know whose information you hold within your organisation. It is likely you will hold information relating to your customers, clients and employees, but you could hold personal data for more groups of individuals than you initially thought. If you send marketing updates or e-shots for instance, those included in your mailing list are also your data subjects. You also might hold information about your suppliers and third party contractors, and probably haven’t considered the obligations you have to them regarding their data. A data protection audit will ensure you know exactly what types of data you hold.
What types of information do you hold, do you really need that data?
You should always know exactly what kind of data you are collecting. Do you really need it to provide services to your customers? It is essential to establish whether any sensitive personal data has been collected, as more stringent rules cover how you manage this data. Sensitive personal data might include information on racial or ethnic origin, political opinions, religious beliefs, trade union membership, health matters and sexual orientation.
You should also ask whether it is necessary to collect personalised information or whether what you need to do to service your customers could be achieved just as easily by collecting anonymised personal data (for example, if you are conducting market research you may not need to know the names of individuals who contributed).
How is the personal data collected?
There are protocols for collecting data which you should be following, particularly with regards to ensuring your data subjects know what the data is being used for. You must provide your data subjects with full details of the purposes you are collecting and using their data and should obtain their consent to your processing of their data at the time of collection. If any personal data has been collected by a third party, you should make sure, before you use that data, that the third party obtained the appropriate consents and make sure there is a warranty in any agreement you have with them that they comply with the Data Protection Act.
How long is personal data retained and what steps are taken to ensure that personal data is kept accurate?
Do you know how the personal data is stored, where it’s stored, and how long for? If not, it could be that you possess data which you no longer need. You should not keep data for longer than necessary, and the longer you have it, the more likely it is that it’s no longer accurate! For more information, see principle 5 of the data protection rules.
Data subjects circumstances change, and principle 4 of the data protection rules makes clear that you should not keep irrelevant and inaccurate data. A data protection audit provides the opportunity to remove all of your old data and update information you have.
What security measures are in place?
Principle 7 of the data protection rules requires you to consider the technical and organisational measures that you have in place to guarantee that personal data is protected against unauthorised access, damage or erasure. Technical measures might include encryption and use of secure passwords, whereas organisational measures are based more around contingency plans and procedures.
Under the new regulations, providers must maintain an inventory of personal data breaches, comprising the facts surrounding such breaches, their effects and the remedial action taken. Without adequate security measures in place you are more likely to experience a data protection breach, so a review of your current security measures will certainly be a key part of your audit.
Do you share personal data with third parties?
You should know exactly who your business is disclosing the data to. As a data controller, particularly if you have third party data processors, you should know what they do with all of the data and that your data subjects have consented. Furthermore, if you have written contracts in place with data processors, you should ensure the contracts require parties to comply not only with current legislation but will comply with the more stringent rules that the GDPR will impose.
Are there procedures in place to ensure you comply with individuals rights?
You need to consider putting into place procedures to allow individuals to object to the use of their personal data for direct marketing to gain access to their own personal data (a subject access request) or request deletion of irrelevant and inaccurate personal data held about them.
In completing your audit you will need to consider the GDPR and the much broader rights it will grant to individuals, but compliance with the current legislation first is a great start. Carrying out an audit along with our guidance notes on the imminent changes under the GDPR will help you to develop a strategy to manage the potential data protection risks to your business.
If you need any assistance with your data protection audit, have any issue arising from your audit or want to know more about the GDPR, contact the team at Harrison Clark Rickerbys and one of our specialist data protection lawyers will be happy to help.