An essential factor in achieving compliance with the GDPR is ensuring that you understand the personal data held by your organisation: where it came from, how you process it and what you use it for, who you share it with and where in the world it goes!
Without this fundamental understanding and knowledge capture, you will not be able to assess your main risk areas in terms of GDPR compliance.
This month, we recommend that you undertake a comprehensive personal data inventory, collecting this information from all the various departments within your organisation, such as finance, sales, marketing, HR and IT, which may be holding and processing personal or sensitive (special category) data.
At the end of this exercise you should understand the categories of personal data you hold, the purposes for which the data is held and the flow of personal data through your organisation. When analysing where personal data is sent, in terms of third parties, processors and geographical locations, you may establish that some personal data is sent outside the EEA, for example, if your organisation uses cloud storage which is based outside the EEA. If so, specific consideration must be given to the adequacy of protection for data subjects.
Your data inventory will also provide the basis for your organisation’s data record (if you are required to maintain records under the GDPR).
If you require guidance on how to undertake your data inventory, we can assist you with a scoping meeting and a Data Inventory & Flow Precedent and guidance note to get you started. These will help you ensure that you’re asking the right questions about your data. If you think either of these products would be helpful to your organisation, please get in touch.
If you would like any further information about the GDPR and how it might affect your business, please download our Geldards Guide. If you would like to discuss how Geldards can help with training on the GDPR, please do not hesitate to contact our Information Law Team.