Thought Leadership – The Value of a Personal Data Audit

In our series of Thought Leadership posts, Reynold Leming, Managing Director of Informu Solutions Ltd, explains the Value of a Personal Data Audit.



Undertaking an audit of personal data is an important step in readiness for the General Data Protection Regulation (“GDPR”) coming into force on 25th May 2018.

Maintaining the privacy of individuals’ personal data, including consent and purpose limitation, fair and transparent processing, data minimisation and accuracy, data security and retention limitation, should be an important part of business as usual. This applies whether you are a controller and/or processor of personal data.

Personal data – by which an individual can be identified directly or indirectly – is contained in many of the records we keep and process for both operational and commercial purposes. A big issue is that this data sits in many media and locations. It could be document, messaging, AV, graphical, web or database content, across corporate physical filing, offsite archives, the corporate digital estate, the cloud, with suppliers, partners or outsourced vendors.

In order to be accountable and apply suitable governance to personal data, an organisation must fully identify and understand the personal data it processes. We therefore need to understand a range of information about personal data: its source, its categorisation in terms of types of data and data subject, its ownership and use, the legal and business purposes of the processing, sharing and transfer arrangements, retention and disposal practices, and the technical and organisational security measures in place to protect personal data.

This of course seems like a daunting task! However, if you get the level at which you identify and describe personal data as an “information asset” correct, then it should not be too arduous.

To quote from The National Archives, “Assessing every individual file, database entry or piece of information isn’t realistic. You need to group your information into manageable portions”. They state that: “An information asset is a body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively”. Fundamentally it is a group of stuff that shares the same purpose, profile and finality. In other words, many instances of the same file type are just one asset.

Each information owner or administrator within an organisation can hopefully, with suitable guidance, instruction and audit templates, relatively quickly identify the information sets containing personal data for which they are responsible.

This will lead to a range of beneficial outcomes in terms of GDPR readiness and compliance, including:

  • Creating and maintaining GDPR Article 30 “Records of processing activities”
  • The update of privacy notices
  • Meeting retention and disposal principles
  • Addressing security and business continuity risks
  • Responding to Data Subject requests (e.g. for information, access, objection, restriction, data portability, rectification or erasure)
  • Updating sharing agreements and contracts
  • Identifying processes for Data Protection Impact Assessments

Box-it has developed a range of services and tools to help you design, plan and execute an audit, as well as subsequently keep the audit data within an Information Asset Register for maintenance, analysis and reporting.