Preparatory audit of data for GDPR

Being able to comply with the GDPR by May 2018 requires preparation.  If you have not yet started preparing, it is imperative that you do so now.

First, you need to understand the life cycle of all categories of data within your business.  This means collaborating with the business leads across your organisation (such as the head of your HR, IT and Business Development teams), to identify:

- the entry point: what personal data you collect, where and who it comes from, how it comes into your organisation and why you are receiving it

- the process: where the data goes and what happens to it while it is in your organisation – where and how is it stored, who has access to it and why (is anything superfluous)?

- the inputs: what additional data is added from internal and external sources to the data you receive, who does it and why? Is any of this additional data inferred through profiling or similar means?

- the outputs: what will be produced with the data in terms of reports and other outputs?

- the exit point: when and how is the data deleted or exported from the organisation? If it is exported to a third party – who are they, what is the basis for the data being exported, and how and why will the third party process it?

Once you have mapped this information:

- you will be able to start to identify what has to change to enable you to comply with the GDPR

- you should document and keep the results to demonstrate what you have done to collate the information needed to underpin the development of your new data governance strategy.

About Ogier

Ogier provides practical advice on BVI, Cayman Islands, Guernsey, Jersey and Luxembourg law through its global network of offices. Ours is the only firm to advise on these five laws. We regularly win awards for the quality of our client service, our work and our people.

Disclaimer

This client briefing has been prepared for clients and professional associates of Ogier. The information and expressions of opinion which it contains are not intended to be a comprehensive study or to provide legal advice and should not be treated as a substitute for specific advice concerning individual situations.

Regulatory information can be found at www.ogier.com
