DATA INVENTORY AUDIT POLICY
The GDPR contains explicit provisions about documenting your processing activities. [Organisation name] must maintain records covering, among other things, the purposes of processing, data sharing and retention periods.
[Organisation name] may be required to make these records available to the regulator on request. Documentation also helps with compliance with other aspects of the GDPR and improves data governance. Controllers and processors both have documentation obligations. Under the GDPR, organisations with fewer than 250 employees need only document processing that is not occasional, that is likely to result in a risk to individuals' rights and freedoms, or that involves special categories of data or criminal conviction data. Information audits or data-mapping exercises can feed into the documentation of your processing activities. Records must be kept in writing, which includes electronic form.
Data mapping is about knowing what data you have. In some cases you may also need to carry out a Data Protection Impact Assessment (DPIA), based on the data mapping. The DPIA process is detailed in another document.
WHAT THE REGULATOR SAYS YOU SHOULD KNOW
ITEM | WHAT TO RECORD |
Categories of personal data and data subjects | List the categories of data subjects and personal data collected and retained, e.g. current employee data, retired employee data, customer data (sales information), marketing database, CCTV footage. |
Elements of personal data included within each data category | List each type of personal data included within each category of personal data, e.g. name, address, banking details, purchasing history, online browsing history, video and images. |
Source of the personal data | List the source(s) of the personal data, e.g. collected directly from individuals or from third parties (if from a third party, identify the data controller, as this information will be necessary to meet obligations under Article 12 DPJL). |
Purposes for which personal data is processed | Within each category of personal data, list the purposes for which the data is collected and retained, e.g. marketing, service enhancement, research, product development, systems integrity, HR matters, advertising. |
Legal basis for each processing purpose (non-special categories of personal data) | For each purpose for which personal data is processed, list the legal basis relied on, e.g. consent, contract, legal obligation (Schedule 2 DPJL). |
Special categories of personal data | If special categories of personal data are collected and retained, set out details of the nature of the data, e.g. health, genetic or biometric data. |
Legal basis for processing special categories of personal data | List the legal basis on which special categories of personal data are collected and retained, e.g. explicit consent, legislative basis (Schedule 2 (Part 2) DPJL). |
Retention period | For each category of personal data, list the period for which the data will be retained, e.g. one month, one year. As a general rule, data must be retained for no longer than is necessary for the purpose for which it was originally collected. |
Action required to be compliant? | Identify the actions required to ensure all personal data processing operations are compliant, e.g. deleting data where there is no longer a purpose for retaining it. |
INFORMATION THAT MUST BE RECORDED
Item 1) The name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer).
Item 2) The purposes of your processing.
Item 3) A description of the categories of individuals and categories of personal data.
Item 4) The categories of recipients of personal data.
Item 5) Details of your transfers to third countries including documenting the transfer mechanism safeguards in place.
Item 6) Retention schedules.
Item 7) A description of your technical and organisational security measures.
HOW THE DATA WILL BE USED
Good data mapping, with careful planning of what information to capture, can help identify all the information needed for:
Item a) A Privacy Notice or Privacy Statement
Item b) A Subject Access Request
Item c) A Breach Notification
Item d) A Data Protection Impact Assessment
Item e) Any Data Sharing Agreements
Item f) Any Processor-Controller Agreements
DETAIL OF WHAT SHOULD BE LOGGED
INFORMATION RECORDED | OPTIONS OR CONTEXT NOTES |
Organisation Name | |
DPO Name | or nominated representative |
Process | eg Recruitment |
Purpose of Process | eg For hiring staff |
Data Held | eg Name, Address, Phone, Email (there may be thousands of data types) |
Legal Basis | Options: Consent, Contract, Legal Obligation, Vital Interests, Public Task, Legitimate Interests (or any other prescribed legal basis) |
Data Subject Category | eg Customer, Supplier, Employee, Boat Owner, Shopper, Member (used when extracting all data relating to a type of data subject) |
System/Location | eg Where the data is held (useful when responding to a DSAR or breach) |
Date | eg When last input or updated (useful for keeping records up to date and accurate) |
Owner | eg Manager Name |
Department | eg Department Name |
Shared | Note of all organisations with whom the data is shared (with a copy of the data sharing agreement) |
DPIA | Note of any DPIA assessment (with a copy of the DPIA) |
How Acquired | Note of how the data was collected, eg bought mailing list, subscription, completed form, contract |
Statutory Requirements | Note if the data is a statutory requirement eg used by Income Tax, Customs, Regulator |
Data Retention | eg How long the data is held for |
Data Security | eg What technical and organisational measures are in place to protect the data, such as access controls, encryption, backups and staff training |
Automated Decisions | Whether any automated decision making is applied to the data (and if so, details of the process and the logic involved) |