As a brief recap of our first post in this series, the GDPR defines personal data and sets forth guidelines for how it can be used. The three primary concepts of these guidelines are: required consent for use of personal data; full transparency in case of a data breach; and the right to access, correct, port and erase one’s own personal data from any database.
The regulations are intended to protect all EU citizens. That means if you collect any data on any EU citizen you are subject to the GDPR. However, even if your business is not subject to the GDPR, the application of its privacy protection principles may improve privacy and data security for your business. The key changes that will affect businesses can be found here.
The value of a data audit
In today’s post we’ll discuss the importance of conducting a data audit to prepare your business and ensure peace of mind should you be required to demonstrate compliance.
At Hush, we have been advocating for businesses to conduct risk assessments to protect themselves from possible security breaches. The concept of the data audit is similar. By creating a clear picture of exactly how your business handles personal data, you’ll be prepared to demonstrate GDPR compliance in case of an official audit. Again, the concept is simple: Know what type of data you’re collecting; know where it’s stored; know what it’s used for; and know who has access to it and that it is secure.
In case of a GDPR audit, a comprehensive data record that you’ve constructed through an internal data audit will demonstrate the efforts your business has made to become compliant.
Let’s look at the steps of a very basic data audit in a little more detail.
- What type of data does your company hold? Be as specific as possible. Is it sensitive data such as health records; children’s data; or personal information such as political or religious affiliations? After you conduct a data audit it should be easy to describe this data in just a few words.
- Where is it stored? Again, specificity here is important. Start with asking your IT department where your data systems such as Enterprise Resource Planning (ERP), Customer Relationship Management (CRM), and Human Resources (HR) systems reside. Be sure to request the addition of any other systems used by your business that house data.You may be surprised to find out there are systems within systems you don’t know about.
- What is the data used for? When data is collected from a private individual, the GDPR requires that they be informed in clear terms exactly what their data will be used for, and they must give active consent for that specific use. Use specific terms to describe this use in your audit such as “email for weekly newsletter distribution.” Simply stating “for communication” won’t hold up well under official GDPR scrutiny.
- Who has access to your data? This is likely to become a multi-level question as you dissect the path any one piece of data takes through your company. Start at the top where the data first arrives and ask what it’s used for as many times as necessary to track every system it enters. Knowing exactly who is handling the data, when, and where will be necessary when responding to the GDPR requirement of full disclosure in case of a data breach.
You will likely find that these steps show that your business is already close to being GDPR compliant in most areas and requires only simple clarifications and consents. However, you will also likely find some areas where your knowledge about your businesses data is insufficient. The GDPR provides a valuable opportunity to make the clarifications necessary to present a clear picture of exactly where your data is going.
Consequences of non-compliance
Non-compliance can result in some hefty fines, so due diligence to meet these standards is advisable. Compliance will be demonstrated through internal record keeping requirements.
If all of this sounds complicated, you can relax a little. While it’s true that your business may need to take action to ensure compliance, the purpose of the GDPR is fairly straightforward — to keep track of data coming in and out of a business and to ensure that it is being used for the purposes the data owner has consented to.
The protection of your customers’ and clients’ data is also a protection for your company. In an era of increasing cyber attacks and data leaks, knowing exactly where your data is at all times and having processes in place to ensure it’s being used for the right reasons will give you the ability to thwart attacks, prevent leaks and respond quickly and efficiently in case there is a breach. This is all good for consumer confidence, your brand, and the future of your business.