How do I conduct a GDPR data audit?
Conducting a data audit is an essential input to your company's record-keeping obligations under GDPR. Unfortunately, there is no uniform standard for what constitutes a ‘data audit’ and what does not. The process will differ slightly for each organization, depending on the purpose of the audit and on how personal data is collected and processed. Knowing how the output of a data audit will be used helps an organization shape the audit's process and structure. Whatever the purpose, a data audit is incredibly insightful for an organization because it can reveal everything from data flows to previously unknown vulnerabilities.
And, once an organization has insight into where data lives within the data infrastructure, it will be far easier to fulfill GDPR obligations like Data Subject Access Requests, data minimization, and proving you follow best practices like security by design.
Traditionally, data audits have been done with giant spreadsheets that map out all of the systems (third-party and internal) that an organization uses against all of the classes of information stored in each system. Some companies take a systems-first approach, others take a data-first approach, while the more thorough companies do both so they can slice their data however they need.
But, when push comes to shove, a data audit is really just one simple, tedious task: logging all of the data that all of your systems have access to. This can be done manually, or it can be done automatically with tools such as TrueVault Atlas.
The one big misconception about data audits is that completing one data audit is sufficient for compliance, when this couldn’t be further from the truth. Organizations are constantly adding new tools and leveraging different types of information, meaning the output of a data audit is constantly in flux. Whenever a new tool is adopted, it should be added to the data inventory.
The best practice is to check your company’s data inventory for accuracy quarterly, at minimum.
A Tip: Adding a ‘time’ dimension to your data audit can help make sure you are minimizing risk and complying with internal data retention policies.
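A minimal inventory model that supports both the systems-first and data-first slices described above and adds the time dimension from the tip (retention period and last-verified date per row). This is an added example, not code from the article or from TrueVault Atlas; the systems, data classes, retention figures and policy values are constructed.

```python
"""Minimal data-inventory model for a GDPR data audit (added example)."""
from collections import defaultdict
from datetime import date, timedelta

# One row per (system, data class): the audit's single question, "which
# system can access which class of personal data", plus the time dimension.
# All values below are constructed sample data.
INVENTORY = [
    # system,           data class,    third party, retention_days, last_verified
    ("crm",             "email",       False, 730,  date(2024, 1, 15)),
    ("crm",             "phone",       False, 730,  date(2024, 1, 15)),
    ("payments-vendor", "card_last4",  True,  365,  date(2023, 6, 1)),
    ("analytics-saas",  "ip_address",  True,  90,   date(2024, 2, 1)),
    ("backup-bucket",   "email",       False, 3650, date(2022, 11, 20)),
]

# Constructed internal retention policy: maximum days per data class.
POLICY_DAYS = {"email": 730, "phone": 730, "card_last4": 365, "ip_address": 30}


def by_system(inventory):
    """Systems-first view: system -> set of data classes it can access."""
    view = defaultdict(set)
    for system, data_class, *_ in inventory:
        view[system].add(data_class)
    return dict(view)


def by_data_class(inventory):
    """Data-first view: data class -> set of systems holding it.
    This is the slice you need to answer a Data Subject Access Request."""
    view = defaultdict(set)
    for system, data_class, *_ in inventory:
        view[data_class].add(system)
    return dict(view)


def retention_exceptions(inventory, policy_days):
    """Rows kept longer than the internal policy allows for that data class.
    A class with no policy entry is treated as a violation (limit 0)."""
    return [(s, d, r) for s, d, _, r, _ in inventory if r > policy_days.get(d, 0)]


def stale_entries(inventory, today, max_age_days=90):
    """Rows not re-verified within the quarterly review window."""
    cutoff = today - timedelta(days=max_age_days)
    return [(s, d) for s, d, _, _, v in inventory if v < cutoff]
```

Run the two view functions for the spreadsheet-style slices, and the two check functions on each quarterly review to surface retention and staleness problems.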
Get started on your data audit with our GDPR Checklist.