How do I prove I did a GDPR data audit?
GDPR Article 30 requires that companies maintain precise records of all data processing activities, which includes a data audit. But just like there is no uniform standard on what constitutes a data audit, there is no uniform standard as to how to structure the output of a data audit under GDPR. Instead, we encourage companies to assess the quality of a data audit through the lens of a compliance professional. Would a compliance professional believe that your team is taking reasonable efforts to track data inventory if they saw the output of the data audit?
Still confused? Here’s a place to start:
If this question is unclear, here are some follow-on questions for internal compliance folks that can help guide your thinking about conducting a data audit for your organization:
- Is every third-party system your organization uses logged in the inventory?
- Is all the data held in each of those third-party systems also logged in the inventory?
- Is every internal database logged in the inventory?
- Is all the data held in each internal database also logged in the inventory?
- Does your organization review the data inventory at least annually?
- Does your organization also log any and all changes to the inventory?
- Do you know the origin of every data record included in the inventory?
If you can answer “yes” to the questions above, you’re probably on track. If not, here is a place to get started.
Learn more with our GDPR e-book.