The list below takes each of the data asset detail fields and gives a question to ask when deciding what to put in the field, together with some possible options. The options give a good idea of what is expected but are by no means exhaustive.
Question to ask – Which area of the business is the personal data used for?
Possible options – HR / Finance / Sales
Question to ask – What is the purpose of processing this data?
Possible options – Recruitment / Direct Marketing / Payroll
Category of the data subject
Question to ask – What role does the data subject hold in relation to the business?
Possible options – Employee / Candidate / Customer / Supplier
Type of data being held
Question to ask – Which personal details?
Possible options – Name / Email / Qualifications / NI Number
Shared with third party
Question to ask – If this data might be shared with anyone else, who would that be?
Possible options – HMRC / Referee / Governing Body
Where is the data stored
Question to ask – Is it as a physical copy on paper, or electronic?
Possible options – Paper, filing cabinet / electronic, Office 365 / electronic, CRM system
Lawful reason for holding the data
Question to ask – This is one or more of the 6 lawful reasons set out in Article 6 of the GDPR. Which of them applies?
Possible options – Consent / Contract / Legal Obligation / Vital Interest / Public Task / Legitimate interest
Reason to hold specific data
Question to ask – If, as a business, you process special category data (Article 9), you need to give the reason for this.
Possible options – If you hold disability or ethnicity details, the reason may be employment.
Legitimate reason for processing
Question to ask – If your lawful reason for processing data is Legitimate interest, you need to give the reason why.
You can back this up by completing a Legitimate interests assessment, which is available as an event to be added to a new ticket.
Completed a legitimate interests assessment (LIA)?
This is a Yes / No answer based on the question above.
Rights available to individuals
Question to ask – If you are contacted by a data subject which rights do they have over the personal data you process?
Possible options – Access / data portability / rectification / objection / erasure
Automatic decision making
Question to ask – Is the personal data processed using automated decision making processes?
Possible options – loan companies giving decisions based on computer algorithms
Source of the personal data
Question to ask – Where has the data come from?
Possible options – data subject / data controller / data broker
Privacy by Design
Data impact assessment required?
This is a Yes / No answer.
A DPIA (data protection impact assessment) is usually linked to new projects as part of the privacy by design ethos for protecting personal data. For all new projects you need to run through an assessment to check whether further data protection measures need to be considered.
This process can be found as an event to add to a new ticket.
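The fields above form one record per data asset, and several of them depend on each other: a Legitimate interest basis needs a stated reason and an LIA, special category data needs an Article 9 reason, and the lawful basis and rights must come from the fixed lists. The following Python is an added example, not part of this page or of any product it describes, showing how a register of such records could be checked for those gaps before an audit. The field names, the set of data types treated as special category, and the two sample assets are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Allowed values taken from the field descriptions on this page.
LAWFUL_BASES = {"Consent", "Contract", "Legal Obligation", "Vital Interest",
                "Public Task", "Legitimate Interest"}
RIGHTS = {"Access", "Data portability", "Rectification", "Objection", "Erasure"}

# Assumption for the example: which "type of data" values count as
# Article 9 special category data and so need a "reason to hold" entry.
SPECIAL_CATEGORY_TYPES = {"Ethnicity", "Disability", "Health", "Religion",
                          "Trade union membership", "Biometric", "Genetic"}


@dataclass
class DataAsset:
    """One row of the data asset register; field names are assumed."""
    business_area: str
    purpose: str
    data_subject_category: str
    data_types: List[str]
    shared_with: List[str]
    storage: List[str]
    lawful_basis: str
    article9_reason: Optional[str] = None
    legitimate_interest_reason: Optional[str] = None
    lia_completed: bool = False
    rights: List[str] = field(default_factory=list)
    automated_decision_making: bool = False
    source: str = "data subject"
    dpia_required: bool = False


def special_category_types(asset: DataAsset) -> List[str]:
    """Return the asset's data types that fall under Article 9."""
    return [t for t in asset.data_types if t in SPECIAL_CATEGORY_TYPES]


def validate(asset: DataAsset) -> List[str]:
    """Return a list of findings; an empty list means the record is consistent."""
    findings: List[str] = []
    if asset.lawful_basis not in LAWFUL_BASES:
        findings.append(f"lawful basis '{asset.lawful_basis}' is not one of the Article 6 reasons")
    if asset.lawful_basis == "Legitimate Interest":
        # Page rule: a Legitimate interest basis must state why, backed by an LIA.
        if not asset.legitimate_interest_reason:
            findings.append("legitimate interest basis has no stated reason")
        if not asset.lia_completed:
            findings.append("legitimate interest basis without a completed LIA")
    special = special_category_types(asset)
    if special and not asset.article9_reason:
        findings.append(f"special category data {special} held without an Article 9 reason")
    unknown_rights = sorted(set(asset.rights) - RIGHTS)
    if unknown_rights:
        findings.append(f"unrecognised rights listed: {unknown_rights}")
    if not asset.storage:
        findings.append("no storage location recorded")
    return findings


# Constructed sample records (not real data).
PAYROLL = DataAsset(
    business_area="HR", purpose="Payroll", data_subject_category="Employee",
    data_types=["Name", "NI Number", "Disability"], shared_with=["HMRC"],
    storage=["electronic, Office 365"], lawful_basis="Contract",
    article9_reason="employment", rights=["Access", "Rectification"],
)

MARKETING = DataAsset(
    business_area="Sales", purpose="Direct Marketing", data_subject_category="Customer",
    data_types=["Name", "Email"], shared_with=[], storage=["electronic, CRM system"],
    lawful_basis="Legitimate Interest", rights=["Access", "Objection", "Erasure"],
)


def register_report(assets: List[DataAsset]) -> dict:
    """Map each asset's purpose to its findings, for review."""
    return {a.purpose: validate(a) for a in assets}


if __name__ == "__main__":
    for purpose, findings in register_report([PAYROLL, MARKETING]).items():
        print(purpose, "->", findings or "OK")
```

Run as written it reports the payroll asset as consistent and flags the marketing asset twice, once for the missing legitimate interest reason and once for the missing LIA; the checks are deliberately limited to what the field descriptions on this page state.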