Step two of the ICO's "Preparing for the General Data Protection Regulation (GDPR); 12 steps to take now" advises carrying out an Information Audit so that you know what personal data (1) you hold. Article 30 of the GDPR states:
"Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility."
It continues:
"Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller..."
And finally, these obligations:
"...do not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories (2) of data...".
You may read this last point and think that you have no further obligations under the GDPR. Before you conclude that, consider how you would comply with the new rights of individuals: how you would delete or rectify personal data, how you would respond to subject access requests, and how you would manage data breaches. To a great extent, these processes rely on knowing what personal data you hold, and I would urge any organisation to undertake an Information Audit as part of its preparation for the GDPR.
What do you need to do?
There is no getting away from the fact that conducting an Information Audit has the potential to be time-consuming, but it need not be complicated if you follow these three simple steps:
1. Take a look at your organisational structure and, for each department, ask yourself what sort of data is being used to carry out day-to-day operations. To help with your thinking, consider reviewing application forms, contact forms and registration forms, both online and hard-copy, and those used internally and externally. Once you have identified what personal data you hold and where it is, you can get into the detail.
2. Using what you have learnt above, and taking into consideration the definitions of 'personal data' and 'special categories' of personal data, make a list of each item of personal data. This could be names, addresses, email addresses, dates of birth and so on.
3. For each item on your list, answer the following questions:
Why do you use personal data?
Who do you hold information about? e.g. staff, clients, suppliers
What information do you hold about them?
Who do you share it with?
How long do you keep it?
How do you keep it safe?
Is any data transferred within or outside the EU?
What is the lawful basis for processing data?
Spending time on carrying out these three steps will put you in a good position to move on to the subsequent steps in the ICO's document on the 12 steps to take now. Their document can be found at: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
(1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(2) 'special categories' include racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.