How to audit your data for the new GDPR

If you’re a business owner, then no doubt you’ve been busy preparing for GDPR, which came into effect on 25th May. The introduction of the new regulations provided businesses with the perfect opportunity to check over their data, company processes and marketing strategies.

It’s been stated that GDPR does not affect data pre-25th May, but after this time, you must follow the guidelines set out by the new regulations. If you are in the process of implementing new data management processes, you’ll need to ensure you audit all existing data first.

GDPR: A Quick Intro

The General Data Protection Regulation is the new mandate from the EU controlling how businesses in all sectors can collect, process, and use personal data.

It is now a legal requirement for any entity collecting personal data to follow the updated requirements that include:

  • Transparent documentation detailing data collection policies and intended usage;
  • Explicit consent from each individual whose data you collect and store;
  • Defined remedial measures should a data breach occur.

If you fail to adhere to the new regulations, you could face a fine of up to €20m, or 4% of your global annual turnover, whichever is greater.

Steps to Compliance

Auditing your data is a significant step towards compliance. So, appoint a Data Collection Officer and ensure they follow the process below to be sure you comply with the GDPR requirements.

First, understand the what, the how, and the where of your data collection and storage methods. You must be confident you only collect and hold relevant customer or client information – and that all the data is secure from a potential security breach.

And this focus on security is vital.

In the context of GDPR, the primary security focus should be on avoiding data silos, or situations where data may sit unprotected.

So, establish a process whereby data is securely maintained in a central repository (within a cloud-based CRM solution, for example) and measures are in place should the data be copied onto a portable device, such as an encrypted USB drive.

The reason is that losing data from a USB drive is considered a data breach in GDPR terms, so you could be liable for a fine. You must have a documented process which outlines how you will avoid such a mishap.

And the same can be said of any removable storage device, for that matter; even paper files.

If your business collects and processes personal data, and then stores it via any medium, you have an obligation to demonstrate you’ve taken the necessary measures to protect that data. This is not to suggest you cannot continue to use such storage methods, as often they are an effective means of avoiding ransomware or other malicious attacks.

However, given the strict requirements, you need to make sure all methods are compliant.

Tracking the usage of portable USB drives – even blocking data transfer – is one such means of compliance. Equally, encrypting the portable device is a viable option and guarantees only those with the right permissions or passwords can access sensitive data.
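As an added example, not from the original article: a small Python audit that turns kernel log lines recording USB mass-storage attachments into a per-host record and flags any drive whose serial number is not in an inventory of approved, encrypted devices. The log lines, host names, serial numbers and the approved-drive inventory are all constructed for illustration.

```python
import re

# Constructed sample kernel log lines (not from the original article); the
# hosts, timestamps and serial numbers are made up for illustration.
SAMPLE_LOG = """\
Jun 03 09:12:01 ws-14 kernel: usb 1-2: new high-speed USB device number 5 using xhci_hcd
Jun 03 09:12:01 ws-14 kernel: usb 1-2: SerialNumber: 0A1B2C3D
Jun 03 09:12:01 ws-14 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Jun 03 11:40:17 ws-07 kernel: usb 3-1: new high-speed USB device number 2 using xhci_hcd
Jun 03 11:40:17 ws-07 kernel: usb 3-1: SerialNumber: DEADBEEF99
Jun 03 11:40:18 ws-07 kernel: usb-storage 3-1:1.0: USB Mass Storage device detected
Jun 03 11:55:02 ws-07 kernel: usb 3-2: new low-speed USB device number 3 using xhci_hcd
Jun 03 11:55:02 ws-07 kernel: usb 3-2: SerialNumber: 77KBD
"""

# Hypothetical inventory of company-issued encrypted drives, keyed by USB serial.
APPROVED_SERIALS = {"0A1B2C3D": "encrypted drive issued to finance"}

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$")
SERIAL_RE = re.compile(r"^usb (?P<port>\S+): SerialNumber: (?P<serial>\S+)$")
STORAGE_RE = re.compile(r"^usb-storage (?P<port>[^:]+):\S+ USB Mass Storage device detected$")


def audit_usb_storage(log_text, approved=APPROVED_SERIALS):
    """Return (host, timestamp, serial, status) for each mass-storage attach event.

    Devices that announce a serial number but never register as mass storage
    (a keyboard, for instance) are ignored, so only removable drives are listed.
    """
    # Remember the last serial number announced per (host, port); the
    # usb-storage line that follows tells us whether that device is a drive.
    last_serial = {}
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, ts, msg = m["host"], m["ts"], m["msg"]
        if s := SERIAL_RE.match(msg):
            last_serial[(host, s["port"])] = s["serial"]
        elif st := STORAGE_RE.match(msg):
            serial = last_serial.get((host, st["port"]), "unknown")
            status = "approved" if serial in approved else "UNAPPROVED"
            events.append((host, ts, serial, status))
    return events


if __name__ == "__main__":
    for host, ts, serial, status in audit_usb_storage(SAMPLE_LOG):
        print(f"{ts} {host} serial={serial} {status}")
```

Run against real syslog or journal output, the UNAPPROVED rows are the ones a Data Collection Officer would follow up on under the documented process.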

Once you have encrypted your data, theft or loss is no longer seen as a data breach under GDPR; instead, it is classified as a security issue. Thus, this avoids the need to report the incident to the authorities, and the risk of a substantial fine.

For more information on how to protect your data and to encrypt your USB devices, check out this useful guide.
