13 February 2020
Complying with the EU General Data Protection Regulation (GDPR) means taking control of every piece of personal data in your company. This may sound like an impossible task, but it's not as daunting as it might seem.
Your first step toward compliance should be conducting a data audit. You should take a systematic approach to discovering all the different ways personal data flows in and out of your company.
You may be surprised at how much personal data you have in your possession that you don't actually need. And you might even find that you're holding some personal data unlawfully.
A data audit involves determining exactly how your organization processes personal data. It will help you understand:
You might find a lot of personal data skeletons in the closet. Or you might realize that you're already doing everything perfectly well as it is. Either way, you need to take control of this aspect of your organization.
A data audit is the only way that you can truly know that you're complying with data protection laws.
For example, the GDPR only allows personal data to be processed on one of six lawful bases. If you haven't considered which of the lawful bases you relied on when you obtained a given piece of personal data, you may be storing it unlawfully.
And then there are the six principles of data processing. The GDPR requires you to apply these principles at all times when working with personal data. If you're keeping personal data for longer than you need it, or collecting more personal data than you need, then you could be breaking the law.
And remember that the GDPR brought many changes when it came into force in May 2018. If you haven't reviewed your practices since the new law came into force, you may be complying with outdated rules.
There's no specific article in the GDPR stating that an organization must conduct a data audit. But there's really no way to comply with any given part of the Regulation without knowing what personal data your company is processing.
The collecting, storing and transferring of personal data are legally-regulated acts. That might mean:
You need a lawful justification for doing any of these things.
Personal data is a very broad term, and you might be surprised how much it covers. Equally, there are some misunderstandings in the other direction - not all data is personal data.
The GDPR defines personal data as "any information relating to an identified or identifiable natural person."
Think of this as any information which might, directly or indirectly, lead to the identification of a natural person ("natural person" is an individual, rather than a "legal person" like a corporation). This includes your customers, employees, clients, and anyone else who comes into contact with your company.
Think beyond the obvious things such as a person's name and contact details.
All of these examples (biometric data, cookie data, location data) can be personal data under the GDPR, and you need to be aware of how you're processing them.
"Processing," by the way, basically means doing something to personal data. This includes collecting, receiving, storing, and transferring it.
A data audit should not be that hard if you approach it in an organized and systematic way. First, you need to "map" all the personal data your company processes.
Before you consider what types of personal data your company holds, it's worth considering how personal data flows into your systems in the first place.
Here are some examples of possible entry points:
| Entry point | What to consider |
|---|---|
| Emails and physical mail | Think about personal data present in correspondence to and from customers, and between employees. |
| Websites | Think in particular about error logs, and the destination of data received from web forms, chatbots, etc. |
| Analytics logs | Check your settings on any third-party analytics software you use. These will offer different levels of detail in their analysis that correspond to varying amounts of data collected from visitors. |
| Cookies | An audit of the cookies you use on your website can be very revealing. Create a list of third-party vendors. Consider the cookie consent mechanism you use (if any). |
| Apps | If your company provides a mobile or desktop app, it can transmit personal data in several ways. This can be data volunteered by the user, or data gathered from their device. |
| Third parties | You may be receiving personal data indirectly from other companies. This will be particularly relevant if your company acts as a data processor. |
| Social media | Facebook, Twitter, etc., are responsible for their own users' personal data. But if you extract any personal data from social media it could become your responsibility. |
| Feedback/research surveys | Data received via third-party survey sites such as SurveyMonkey can be your responsibility once it's in your possession. |
Notice how porous your company's "borders" can be. You might be gathering personal data in some ways without even realizing.
Now it's time to think about where personal data might be stored within your company.
Note that, again, we're carrying out this step before listing the types of personal data you hold. This is because thinking about the various potential locations of personal data within your company's infrastructure will prompt you to consider all the different types of data that might be present there.
Here are some possible locations:
| Location | What to consider |
|---|---|
| In electronic form on physical devices | Think about all the desktops, laptops, tablets and mobiles in your office (whether in use or not). Also consider USB drives and memory cards. |
| In electronic form on cloud servers | Most offices use cloud storage solutions such as Google Docs, Microsoft 365, or Adobe Creative Cloud. You're responsible for the personal data you store on these platforms, and for how you restrict access to it. |
| In physical form | The GDPR covers any paper records containing personal data that "are contained or are intended to be contained in a filing system." Think about filing cabinets, boxes of customer data, printed customer lists, employee records. |
Personal data can hide in all sorts of unexpected places. Leave no stone unturned!
We've considered the broad definition of personal data above. Now it's time to apply this to your company.
With reference to the entry and storage points you've identified above, consider all the different types of personal data that enter your systems.
It's not possible to create an exhaustive list of the types of personal data. Here are some examples of information that can qualify:
| Type of data | Examples |
|---|---|
| Names | Names of customers, clients, employees, contractors. Names associated with corporations or legal persons (for example Calvin Klein as a brand name, or Robert Bateman Legal Writing Services as a company name) do not count in most contexts. |
| Contact details | Mailing addresses, email addresses, telephone numbers, social media handles (in certain contexts) |
| Other designated identifiers | Social security numbers, passport numbers, licence plate numbers, unique reference numbers. Even where an identifier has been allocated to a person by your company, it can still be personal data. |
| Online identifiers | IP addresses, cookies, Android or Apple IDs, usernames, data gathered from web beacons, analytics data such as timestamps and heatmaps |
| Data gathered from mobile devices | Location data (gathered via GPS or mobile/WiFi data), contact lists, messages, usage data |
| Employee records | Job applications, complaint files, salary, taxes, insurance, minutes from meetings, emails about an employee |
| Special category data | Any information pertaining to a person's: |
Note that many of these types of data might only be "personal" in certain contexts, i.e. where they relate, directly or indirectly, to an individual person.
By this point in the audit, you should know what personal data is processed by your company. Now you can determine whether you're GDPR compliant. This will allow you to cull unnecessary and unlawful personal data.
The GDPR's principle of purpose limitation requires that you only process personal data in connection with a specified purpose. You need a good reason to collect and store each item of personal data in your possession.
And the principle of data minimization requires that the amount of data you process must be limited to what is necessary.
Applying these two principles will require you to determine the purpose for which you're processing each item of personal data, and then erase any personal data you don't need in connection with a specific purpose.
Some purposes for which you might be processing personal data include:
| Purpose | Examples |
|---|---|
| Storage in lists and databases | You may keep lists of customers, clients, and employees, such as mailing lists, payroll, or customer databases, for administrative purposes. |
| Contacting customers | Contact details can be stored and processed for the purposes of sending direct marketing via email or post, transactional/service emails, billing, or seeking feedback. |
| Monitoring of behavior | Marketing increasingly involves processing behavioral data for the purposes of ad targeting/retargeting, analyzing patterns of website use, conversion optimization or A/B testing. |
| Providing products and services | You may need to process personal data in order to carry out core aspects of your business, including fulfilling orders, providing services, giving quotes. |
| HR and recruitment | You'll need to process personal data in order to recruit workers, pay salaries, and manage your workforce. |
| Maintaining security | You might need to protect your business by logging IP addresses of website visitors (if you have reason to suspect a cyber-attack), maintaining a list of barred customers, or monitoring your premises via CCTV. |
If you don't need to process personal data in connection with a specific purpose, you're under an obligation not to do so. It's also likely to be a waste of resources.
If you are processing personal data without an appropriate lawful basis, you'll be in contravention of the GDPR.
You must make sure that you are processing all the personal data in your possession on one of the following lawful bases:
| Lawful basis | Description |
|---|---|
| Consent | You asked a person's permission to process their personal data (e.g. for direct marketing). They agreed. Consent under the GDPR must be freely given, specific, informed, unambiguous, and given via a clear, affirmative action. |
| Contract | You need to process someone's personal data to fulfill your obligations under a contract with them, or in order to enter into a contract with them (e.g. to fulfill an order or provide a quote). |
| Legal obligation | You are required by law to process personal data (e.g. for tax purposes). |
| Vital interests | You need to process personal data to protect someone's life (e.g. in a medical emergency). |
| Public task | You're processing personal data in connection with a public task under official authority (e.g. town planning). |
| Legitimate interests | You have determined that your company has a legitimate interest in processing someone's personal data that outweighs the risks to their privacy (e.g. keeping records of correspondence with a person). You'll need to conduct a Legitimate Interests Assessment before you can rely on this lawful basis. |
If you don't have a lawful basis for processing personal data in a particular way, you must stop.
Another important principle of the GDPR is storage limitation. You must not store personal data for longer than you need it. And why would you? Accumulating more and more personal data is a recipe for a data breach.
It's a good idea to draw up a retention schedule. This serves as a guide to how long certain types of personal data are stored within your company.
Think of the storage period as a ticking clock. Different types of personal data will have different "trigger" events which start the clock ticking. The clock will tick for differing amounts of time for different types of personal data. Once the clock stops ticking, the data must be erased or reviewed.
| Type of data | Trigger | Storage period | Action | Justification |
|---|---|---|---|---|
| Customer contact details | Order fulfilled | 3 years | Erase | Need to retain details in case of a refund request or complaint. Renewed contact unlikely after this period. |
| Customer email address | Purchase made | 2 years | Review | Customer will be contacted with relevant marketing communications for a reasonable period after a purchase has been made. After this period we should check for further account activity and consider erasure. |
| Customer account username | Account closed | 0 days | Erase | No requirement to retain username after account closure. Customer is informed that their account credentials will be erased. |
In certain sectors there will be a legal obligation to retain certain types of personal data for a predetermined period. You may also be able to justify retaining customer or client correspondence for quite a long time in case you need to defend against a potential legal claim.
Once you have decided on an appropriate storage period for various types of personal data, you can erase any old and unnecessary personal data in your possession.
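One way to turn a retention schedule like the one above into something that can be run over a data inventory, as an added example that is not part of the original article: the three schedule rows become a lookup of trigger event, storage period and action, and each record is checked against an "as of" date to decide whether the clock has not started, is still ticking, or has run out. The record layout, the sample inventory and the use of 365-day years are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# The article's retention schedule expressed as data:
# data type -> (trigger event, storage period in days, action when the period elapses).
# Years are approximated as 365 days (assumption for this example).
SCHEDULE = {
    "customer_contact_details":  ("order_fulfilled", 3 * 365, "erase"),
    "customer_email_address":    ("purchase_made",   2 * 365, "review"),
    "customer_account_username": ("account_closed",  0,       "erase"),
}

@dataclass
class Record:
    """One inventory entry: what it is and when each trigger event happened (None = not yet)."""
    record_id: str
    data_type: str
    events: dict

def evaluate(record, as_of):
    """Return (action, reason). 'keep' while the clock has not started or is still ticking."""
    if record.data_type not in SCHEDULE:
        return ("unclassified", "no retention rule: add one to the schedule")
    trigger, period_days, action = SCHEDULE[record.data_type]
    triggered_on = record.events.get(trigger)
    if triggered_on is None:
        return ("keep", f"clock not started: awaiting '{trigger}'")
    due = triggered_on + timedelta(days=period_days)   # 0 days => due on the trigger date itself
    if as_of < due:
        return ("keep", f"clock ticking until {due.isoformat()}")
    return (action, f"{period_days}-day period elapsed on {due.isoformat()}")

# Constructed sample inventory and audit date (not real data).
AS_OF = date(2020, 2, 13)
SAMPLE = [
    Record("c1", "customer_contact_details",  {"order_fulfilled": date(2016, 1, 10)}),
    Record("c2", "customer_email_address",    {"purchase_made": date(2019, 6, 1)}),
    Record("c3", "customer_account_username", {"account_closed": None}),
    Record("c4", "customer_account_username", {"account_closed": date(2020, 2, 13)}),
    Record("c5", "employee_salary",           {}),
]

def audit_sample():
    """Map each sample record id to the action due on AS_OF."""
    return {r.record_id: evaluate(r, AS_OF)[0] for r in SAMPLE}

if __name__ == "__main__":
    for r in SAMPLE:
        action, why = evaluate(r, AS_OF)
        print(f"{r.record_id}: {action:12s} {why}")
```

Records with no rule come back as "unclassified" rather than being silently kept, so the audit also surfaces data types the schedule has not yet covered.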
What we've covered here should give you a good overview of what personal data is entering your company.
Data protection is highly context-specific. Depending on the nature of your business, you may need to consider other things, too. For example, the contracts you have in place with other companies who receive personal data from you, or how you manage personal data belonging to children.
Here's a simple data audit template that covers the points we've raised above, filled in with an example to show you how to fill out each field. You can expand on this to include further information that might be relevant to your sector. And remember that you may need more detailed records for certain purposes, such as a retention schedule.
| Type of data | Sources | Storage locations | Purpose | Lawful basis | Storage period (see retention schedule) |
|---|---|---|---|---|---|
| Customer email addresses | Newsletter signup webform, inbound emails, point of sale web form | Customer contact list on secure cloud drive, order fulfillment database on desktop B | Correspond with customers, direct marketing | Transactional emails and correspondence: legitimate interests. Direct marketing: consent. | Review 2 years from order fulfillment |
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.