Two words which are boring on their own ‘Data’ and ‘Audit’ are combined into something that sounds like you’re about to lose hours of your life – ‘Data Audit’. But it’s not actually that bad, and in fact can help to simplify your administration.
Please do write this down rather than do it in your head, as it’s part of the proof that you have considered how you meet your GDPR requirements. We would suggest a simple spreadsheet with columns like ‘what we collect’, ‘why’, ‘necessary?’ or something similar.
Data – not just digital
The first step is figuring out where you hold ‘Personally Identifiable Data’ (PID) for your customers, volunteers, etc. That doesn’t mean just looking at your computer. It means really stepping back and having a look at, and a think about, everything around you.
According to the Information Commissioner’s Office that is:
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
Source: GDPR Key Definitions
It might be better defined as ‘anything that could possibly identify someone’, so birthdays, full names, addresses, organisation names, phone numbers, etc. So start having a good think and look around at things like:
Sign Up Forms?
Did you ever take down someone’s details on a sign up form? Perhaps at a stall/ exhibition or some event you ran. Do you know where that is – maybe buried under some papers in a filing cabinet? That is data.
Scribbles/ Reports/ etc
Maybe you have a helpful ‘list of key/ current clients’ or printed out a report from your accounts of who owes you what. These should all be considered ‘data’; in fact they are processed data, since they were produced internally.
Your phone is probably full of PID – people’s phone numbers and personal data like email addresses on there. Maybe you also use a ‘Notes’ app? Is that secured with a password?
Data Processor vs Controller
You also need to be clear where all your data is, and the safeguards around that. Or put another way, who collects data on your behalf, stores it, etc.
A [data] controller determines the purposes and means of processing personal data. … if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
A [data] processor is responsible for processing personal data on behalf of a controller. If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
Source: GDPR Key Definitions
If you run an organisation then you are ultimately the ‘Data Controller’ because you decide what is collected, how it is stored, where it is stored, if any processing occurs and with whom.
So start to list where you store your data, eg. ‘Dropbox’, ‘Google Docs’, ‘PayPal’, ‘Xero Accounting’, ‘Website’, ‘Email Accounts’, etc. And then you want to go find their policies on how that data is stored (often it’s the Terms and Conditions, though some have separate data policies).
[Note: If time permits we’ll add some of the more common ones here]
Check if you need to Register
As a Data Controller you may need to register with the ICO, for a small fee of about £35.00, as an organisation that holds personal data. Please visit https://ico.org.uk/for-organisations/register/ to register, and if you’re not sure use their self assessment tool to help you determine if you need to.
Risk Assessment/ Mitigation
Our apologies, these words are also as boring as ‘Data Audit’. But now that you’ve identified what you collect, and where it is, you want to take a little time to think through ‘is this ok/ appropriate/ needed’?
Remember that under GDPR you should store only the data you need, store it securely, regularly review whether it is still needed, ensure only appropriate people have access (eg. maybe not everyone who works with you needs it?), have consent to store that data, and be able to report on it.
So this is looking back at each of the data items you store: do you need them? Or perhaps you have both Dropbox and OneDrive and could reduce down to one cloud storage service. Maybe you had Google Docs but don’t use it anymore, so downloading the info on there and deleting the files would reduce that risk.
Also reducing the number of places you have data, especially if it’s duplicated, makes it much easier if you need to report on the data you have for a particular person. They have the right to ask what Personal Identifiable Data you have, and you have to report quickly, so make your life easy now. Combine those spreadsheets, put all the files (digital and physical) into one folder for that person, etc.
Do also have a think through ‘how secure is that?’. For example, do you still use 1234 as your phone PIN, or have you updated that PayPal password in the last decade? This is a chance to ensure you are protecting both your customers’ data and your organisation – it does take some time but is good for all, a kind of ‘data/ security spring clean’.
While we’d encourage reading through the rest of these blog posts first, you have essentially got the bones of what you need from your Data Audit (which you wrote down, right?) to then have a Data Policy.
This would cover things like:
- What you will store
- How you will gain consent (you need to store the exact phrase and date/ method that consent was given, including verbal, eg. ‘I agree to receive email newsletters’)
- Who will have access
- How long you will keep data for / when you will review the data you have, eg. ‘Every 6 months we will review the data we keep’
- How will you report on it?
- How you will secure it (including thinking along the lines of ‘what if my laptop is stolen?’ – more on that regarding encryption in this series)
- How will you deal with a data breach?