The main purpose of the data audit is to identify personal data within the business and make sure the processes currently in place are sufficiently robust to protect that data.
Where you are missing a policy or, for example, some security software to protect electronic systems, you will be left with a gap when trying to answer a question. That gap shows that something is missing, so that you can rectify it.
In order to complete this task, you will need the co-operation of other departments within your business, namely IT, Finance and HR, with some input from Sales, to determine what personal data each department holds and what it does with that data.
The ICO recommend meeting with the heads of the relevant departments holding personal data so that you can gain a better understanding of how the data is used within the business.
The data audit process should also help you identify any missing sections within key policies. You can compare and contrast actual data processing activities with the intended processes as currently defined.
Key policies for GDPR include:
- Data protection policy
- Data retention policy
- Data security policy
- System use procedures
- Data processor contracts
- Data sharing agreements
For those of you just starting out, we have provided some pointers for the Data Audit tasks on i-Comply-GDPR. Hopefully, the task won’t seem as daunting.