GDPR Data Mapping / Audit
One of the key requirements for successful GDPR implementation is knowing exactly what personal data is held within your organisation, where it is, and how well it is protected.
We will work with you to document how your data is structured, where it is held and how secure that data is.
This work is performed in three stages: Data Discovery, Data Mapping and Data Audit.
Data Discovery involves documenting all of the personal data held within your organisation. An important point to remember during discovery is that GDPR applies to paper records, mobile phones and tablets just as much as it applies to your main computer systems.
So while your main computer systems are the obvious place to start, it is also essential to conduct a discovery exercise on any laptops used within your organisation to find out how many 'local' copies of personal data members of staff have made for themselves. Local copies should be discouraged, because every extra copy is another place that has to be searched when responding to a data subject access request and another place from which data has to be erased, but we recognise that there may be situations where they are essential to the smooth running of your organisation. This is fine and can be accommodated, provided each copy is documented during the Data Mapping stage and a suitable risk assessment is completed and recorded.
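One way to carry out the laptop discovery exercise described above is a script that walks a user's home directory and counts matches for a few personal-data patterns. The following is an added example, not the page's own tooling: it builds a constructed sample tree in a temporary directory, scans text-like files for email addresses, UK phone numbers and National Insurance numbers, and reports a per-file count. The patterns, extension list and size cap are assumptions to be tuned to the identifiers your own records actually use.

```python
import os
import re
import tempfile
from pathlib import Path

# Patterns for a few categories of personal data (assumed starting set; extend
# with whatever identifiers your own records use). The NI pattern follows the
# HMRC format (two letters, six digits, suffix A-D); the phone pattern is a
# deliberately loose UK match.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "uk_phone": re.compile(r"\b(?:\+44|0)(?:[\s-]?\d){9,10}\b"),
    "ni_number": re.compile(
        r"\b[A-CEGHJ-PR-TW-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
}

# Only text-like files are read, and large files are skipped (assumed limits).
TEXT_EXTENSIONS = {".txt", ".csv", ".md", ".log", ".json"}
MAX_BYTES = 5 * 1024 * 1024


def scan_file(path: Path) -> dict:
    """Return {pattern_name: match_count} for one file, omitting zero counts."""
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return {}
    counts = {name: len(rx.findall(text)) for name, rx in PATTERNS.items()}
    return {name: n for name, n in counts.items() if n}


def scan_tree(root) -> dict:
    """Walk root and return {relative_path: counts} for files with any hits.

    Only counts are kept, never the matched values, so the report itself
    does not become yet another local copy of personal data.
    """
    root = Path(root)
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() not in TEXT_EXTENSIONS:
                continue
            if path.stat().st_size > MAX_BYTES:
                continue
            counts = scan_file(path)
            if counts:
                hits[path.relative_to(root).as_posix()] = counts
    return hits


def demo() -> dict:
    """Scan a constructed sample tree (every value here is made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Documents").mkdir()
        (root / "Documents" / "customer_export.csv").write_text(
            "name,email,phone\n"
            "A Person,a.person@example.com,020 7946 0958\n"
            "B Person,b.person@example.org,07700 900123\n"
        )
        (root / "notes.txt").write_text("NI number on file: AB 12 34 56 C\n")
        (root / "readme.md").write_text("Nothing personal here.\n")
        return scan_tree(root)


if __name__ == "__main__":
    for path, counts in demo().items():
        print(path, counts)
```

On a real laptop you would call `scan_tree(Path.home())` and feed the resulting list of files into the Data Mapping stage; because the report holds counts rather than the matched values, it can be circulated without itself spreading personal data.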
Once Data Discovery is complete, the Data Mapping stage documents everything that was found.
This includes not just listing the record schema and data fields for each system, but also producing flow diagrams that trace the journey of each piece of data through your organisation, from the moment it is created to the moment it is archived or destroyed.
The final stage is the Data Audit. This is principally concerned with security, but also covers ease of access.
Security is considered in four forms: physical security, access control, encryption, and backup and recovery.
Physical Security
At this stage we document how easy or difficult it is for someone to gain physical access to your data. Examples include: do you have lockable filing cabinets? How difficult is it to gain access to your servers (both on-site and at third parties)? Is a clear desk policy in place? What fire precautions exist?
Access Control
This is a close look at your password policy. Are passwords strong? How often must they be changed? What minimum strength is enforced? What procedures are in place for temporary staff, and for recording when sensitive data is taken off-site? If you transfer data, either within the EU or outside it, that is also covered at this stage.
Encryption
Is your computer data encrypted? What algorithm and key length are used, and at which points in processing is the data encrypted (at rest, in transit, or both)? What about mobile devices: are they encrypted too?
Backup and Recovery
Where is your data backed up? How often is it backed up? Do you know how to restore it, and how and when was this last tested? Also, taking into account the 'Right to be Forgotten', what procedures ensure that a subject whose data has been erased does not reappear following a restore from backup?
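Restoring from a backup taken before an erasure request was honoured silently brings the erased subject back. One procedure that observes the 'Right to be Forgotten' across restores is to keep an append-only erasure ledger outside the backed-up data and replay it after every restore. The following is an added example written for this page, not a description of any particular product: the `SubjectStore` class, its timestamps and the subject records are constructed for illustration, and the ledger stores only the subject identifier and time of erasure, never the personal data itself.

```python
import json
from datetime import datetime, timedelta, timezone


class SubjectStore:
    """Toy record store with an append-only erasure ledger (constructed example).

    The ledger is deliberately kept outside the data that gets backed up: if
    it were restored along with the records, a restore would roll back the
    evidence of the erasure as well as the erasure itself.
    """

    def __init__(self):
        self.records = {}          # subject_id -> {"created_at": iso, ...fields}
        self.erasure_ledger = []   # [{"subject_id", "erased_at", "reason"}]

    def add(self, subject_id, created_at, **fields):
        self.records[subject_id] = {"created_at": created_at, **fields}

    def erase(self, subject_id, erased_at, reason="subject request"):
        """Honour an erasure request and record it in the ledger.

        Only the identifier and timestamp are logged, never the personal
        data, so the ledger can itself be retained after the erasure.
        """
        self.records.pop(subject_id, None)
        self.erasure_ledger.append(
            {"subject_id": subject_id, "erased_at": erased_at, "reason": reason}
        )

    def backup(self) -> str:
        """Snapshot of the records only; the ledger is not part of the backup."""
        return json.dumps(self.records)

    def restore(self, blob: str) -> list:
        """Load a backup, then replay the ledger against it.

        A record is removed again only if it was created at or before the
        erasure; a subject who legitimately re-registered afterwards keeps
        the new record. Timestamps are ISO 8601 UTC strings of identical
        form, so string comparison orders them correctly.
        """
        self.records = json.loads(blob)
        resurrected = []
        for entry in self.erasure_ledger:
            rec = self.records.get(entry["subject_id"])
            if rec is not None and rec["created_at"] <= entry["erased_at"]:
                del self.records[entry["subject_id"]]
                resurrected.append(entry["subject_id"])
        return resurrected


def demo():
    """Walk through a backup, two erasures, a re-registration and a restore."""
    base = datetime(2024, 1, 1, tzinfo=timezone.utc)

    def t(minutes):
        return (base + timedelta(minutes=minutes)).isoformat()

    store = SubjectStore()
    store.add("S1", t(0), name="Person One")
    store.add("S2", t(0), name="Person Two")
    store.add("S3", t(0), name="Person Three")
    store.erase("S3", t(10))                      # S3 asks to be forgotten
    store.add("S3", t(20), name="Person Three")   # S3 later signs up again
    blob = store.backup()                         # nightly backup taken here
    store.erase("S1", t(30))                      # S1 asks to be forgotten
    resurrected = store.restore(blob)             # restore after an incident
    return resurrected, sorted(store.records)


if __name__ == "__main__":
    resurrected, remaining = demo()
    print("re-erased after restore:", resurrected)
    print("subjects now held:", remaining)
```

The replay catches S1, who was erased after the backup was taken and therefore came back with it, while leaving S3's later, legitimate record alone. The same check can be run as a dry-run audit against any backup image before it is used, so that the number of erased subjects a restore would resurrect is known and documented in advance.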