The GDPR significantly increases your obligations and responsibilities for how your business collects, uses and protects personal data. You must be fully transparent about how you use and protect personal data, and you will need to demonstrate accountability for your data processing activities.
With this in mind, the fastest way to get there is to review and improve your existing processes; security platforms and procedures; tools and apps used; and business transactions.
By running an audit, you will identify areas that could cause compliance issues under the GDPR. To help you with this, here are some examples of what can happen in a standard business.
GDPR Data Inventory
Some reasons why you might collect data:
- Client administration (contracts, quotes, invoicing, etc.)
- Direct Marketing (newsletters, marketing emails, postal etc.)
- Sale of goods or services (including free goods/services)
- Legal obligations (where certain government departments require you to collect it)
- Employee administration (contracts, salaries, payslips, etc.)
- Monitoring (CCTV, web history, apps, cookies, etc.)
- Profiling of personal data
- Processing for a third party
Some people you might collect data from:
- Clients and prospects (current, former)
- Business Contacts or Suppliers
- Staff (current, former or potential)
Types of data you might collect:
Identify the type of personal data that you process, where you sourced it from and what the legal basis for processing was.
- Personal data: name, address, occupation, e-mail, phone number, gender, DOB, social security number, IP address, etc.
- Special or sensitive data: ethnic/racial origin, religious beliefs, health, sexual orientation, etc.
- Financial data: account number, credit card details, etc.
Other specific data that may relate to your business:
- Anti-Money Laundering information (photo ID, proof of address, source of funds)
- CCTV, photo or audio recordings
- Biometric information – DNA, retina scan, fingerprint
- Criminal convictions or list of offences.
Where your data can come from (source):
- The data subject (client, prospect, subscriber, member, etc.)
- A data controller (sharing with you, as a data processor)
- Social Media platform (Facebook, LinkedIn, etc.)
- Company Website (Enquiry/Contact form, etc.)
- Paper enquiry forms and questionnaires
- Business cards
- Credit check
- Government department
Legal basis for collecting data:
- Consent (must be obtained at the point of collection)
- Legitimate interests (these must be specified at point of collection)
- Performance of a contract
- Legal obligation (specify)
- Lawful undertaking of a public body (specify)
- Vital interests (the processing is necessary to protect someone’s life).
Consider when the data is being collected and for how long it is being stored:
- When did you capture or update the personal data?
- Have you stated to whom the personal data may be disclosed and under what circumstances?
- How long will the personal data be kept and how has this period been determined (bearing in mind your statutory and fiscal obligations)?
Consider where the data is being processed and stored:
- Where your paper-based records are stored and processed (and whether they are secure and safe)
- Where your digital records are stored (PC/desktop, in-house file server, cloud storage (EEA or non-EEA based), backup servers and disks, remote/mobile devices)
- What format the digital records are stored in (database, spreadsheet, document, video file, etc.)
- What applications process the data (e-mail management system, CRM, etc.) – also if these platforms are hosted within the EEA.
Documenting your processes
It’s a good idea to create documentation of your data collection and processing activities. This will help demonstrate your desire to be and remain compliant. I have a data inventory workbook available as part of my GDPR Smart Guide, along with some checklists to help on your GDPR journey.
This is the last post in the 10-Part GDPR Series. If you would like further in-depth information on the GDPR please feel free to download my comprehensive Guide to GDPR. You will also receive limited follow-up support and gain access to a DATA AUDIT WORKBOOK, a CONSENT CHECKLIST and a GDPR CHECKLIST.
If you wish to speed up your GDPR journey and guarantee compliance, please check out my GDPR Assistance Packages.
Please note: The series of articles on this blog do not promise to be either a full synopsis or full interpretation of the GDPR. Indeed I have simply taken the most important aspects of the GDPR I feel are relevant to the small business owner. Everything you read online about the GDPR will be some kind of an interpretation, synopsis or summary of the GDPR, unless you read the full text in itself.