Every organization must know what kind of data it processes and controls
Refer to GDPR online Data audit template walkthrough at the end of the page, or follow the template.
What DATA?
Check and complete the online GDPR data audit sheet precisely.
‘personal data’ ⇒ any information relating to an identified or identifiable natural person (‘data subject’)
Art. 4(1) Definitions
Personal details
(name, address, birthdate, email, phone number…)
Family information
Education/training
Employment details
Financial details
(bank account, ID number, credit card…)
Goods or services provided
Racial and/or ethnic origin
Political beliefs
Religion
Physical/mental health
Criminal records
Data Subject
Who is the data about?
‘data subject’ ⇒ an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Art. 4(1) Definitions
Staff, Agents, Workers
Customers, Clients
Suppliers
Members
Complaints, letters, correspondence
Relatives, associates of Data Subject
Advisors, consultants, experts
Other:
Source of Data
Did you obtain the data directly from the Data Subject or from others?
Data Subject
3rd Party:
Format of Data
Computer
Paper
Photo
Other:
Legal basis of processing the Data
Consent
(given by the Data Subject)
Legitimate interest
(processing for the purposes of the legitimate interests pursued by the controller or by a third party, except where these interests are overridden by the interests or fundamental rights and freedoms of the data subject)
Performance of a contract
Legal obligation
(employment, payroll…)
Note | Art. 6(1) GDPR also lists vital interests and public task as legal bases; add them if they apply. |
When do you collect/capture the Data?
Where do you intend to transfer the captured Data?
Under what circumstances is the transfer taking place?
For how long do you retain it? (month, years, specific regulation…)
Storage and processing.
Paper based records.
Location of storage:
Location of processing:
Note | Please specify at least the region of the location, but you can detail as needed. |
Storage of paper based records. (in file cabinets, storage, boxes, locked away, restricted access…)
Digital records.
Location of storage:
inhouse server
cloud server
EU
NON EU
remote location
backup disks
Location of processing:
Which applications do we use to process Data? (HR software, Payroll software…)
offline installed software
cloud based applications
remote applications
Email system
Where are these hosted?
EU
NON EU
⇒ Security of the systems we use. ⇐
Password authentication
U2F (hardware security key) login
Data protection by design
Documentation on processing activities
Secure storage
Locked entry
Anonymization
Pseudonymization
Encryption of data (at rest and in transit)
Data audit at fixed intervals
Written agreements, contracts with standard contractual clauses
Confidentiality
Other:
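Anonymization and pseudonymization appear as separate items in the list above for a reason: under GDPR Art. 4(5) pseudonymised data is still personal data, because the tokens can be mapped back with "additional information" that the controller keeps separately, whereas truly anonymised data falls outside the regulation. The following Python example is an added illustration of that distinction and is not part of the Easy-Payroll template; the field names, the sample payroll row and the function names (make_pseudonym, pseudonymise_record, reidentify, anonymise_record) are assumptions chosen for the demo.

```python
"""Pseudonymisation vs anonymisation of one personal-data record.

Added illustration, not part of the Easy-Payroll template. The field names,
the sample row and the function names are assumptions chosen for the demo.
"""
import hashlib
import hmac

# Constructed sample record in the shape of an HR/payroll export row.
SAMPLE_RECORD = {
    "name": "Example Person",
    "email": "example.person@example.org",
    "bank_account": "DE00 0000 0000 0000 0000 00",
    "birthdate": "1985-04-12",
    "gross_salary": 4200,
    "department": "payroll",
}

# Fields that identify the person on their own (GDPR Art. 4(1) identifiers).
DIRECT_IDENTIFIERS = ("name", "email", "bank_account")


def make_pseudonym(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA-256, truncated) of an identifier.

    The same person gets the same token in every export, so records can still
    be linked, but without `key` nobody can recompute or reverse the token.
    A plain unkeyed hash would NOT be enough: names and e-mail addresses can
    be enumerated and hashed by an attacker.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise_record(record: dict, key: bytes) -> tuple:
    """Replace direct identifiers with tokens.

    Returns (pseudonymised_record, lookup_table). The lookup table and the key
    are the 'additional information' of GDPR Art. 4(5) and must be stored
    separately, under tighter access control, from the pseudonymised data.
    The pseudonymised record is still personal data.
    """
    pseudonymised = dict(record)
    lookup = {}
    for field in DIRECT_IDENTIFIERS:
        token = make_pseudonym(record[field], key)
        lookup[token] = record[field]
        pseudonymised[field] = token
    return pseudonymised, lookup


def reidentify(pseudonymised: dict, lookup: dict) -> dict:
    """Restore the original identifiers; only the holder of `lookup` can do this."""
    restored = dict(pseudonymised)
    for field in DIRECT_IDENTIFIERS:
        restored[field] = lookup[pseudonymised[field]]
    return restored


def anonymise_record(record: dict) -> dict:
    """Irreversible variant: drop direct identifiers and coarsen quasi-identifiers.

    Birth date becomes a decade and salary a 1000-unit band so that a single
    row can no longer be tied back to one person by combining those fields.
    Only data that is truly anonymous falls outside the GDPR.
    """
    anonymised = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    anonymised["birth_decade"] = record["birthdate"][:3] + "0s"
    del anonymised["birthdate"]
    anonymised["gross_salary"] = (record["gross_salary"] // 1000) * 1000
    return anonymised


if __name__ == "__main__":
    # Fixed key for the demo only; in real use generate it with
    # secrets.token_bytes(32) and keep it in a separate, access-controlled store.
    key = b"\x01" * 32
    pseud, lookup = pseudonymise_record(SAMPLE_RECORD, key)
    print("pseudonymised:", pseud)
    print("re-identified matches original:", reidentify(pseud, lookup) == SAMPLE_RECORD)
    print("anonymised:", anonymise_record(SAMPLE_RECORD))
```

When filling in the audit sheet, record where the lookup table and the HMAC key live and who can read them; that location is the item that turns "pseudonymization" from a checkbox into a verifiable control.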
What processing, the purpose of processing?
Client administration
Marketing
Provision of goods and services
Legal obligations
Employee administration
Monitoring
Profiling
Processing for 3rd party
Payments
Other:
Whose Data?
Clients (current, former, potential)
Subscribers (if we do have such)
Business contacts, suppliers
Staff (current, former, potential)
Members
Partners
Relatives
Who has access to Data? (recipients)
How and under what circumstances? (describe the security and the process)
What do they see?
Is this access tracked?
No
Yes, describe:
Employees/agents of Data Controller
Suppliers, providers of goods and services
Other companies from group
Individuals making requests/complaints
Data Processors
Financial organisations
Organisations, Authorities imposed by law (including government, police, audits …)
Other:
Tip | Data controllers are required (Art. 30 GDPR) to maintain their own internal records of their processing activities, for disclosure to the supervisory authority on request and for understanding the data lifecycle throughout the business. |
Document last modified by Easy-Payroll // 2019-02-18 // © Easy-Payroll Germany
GDPR online Data audit template walkthrough
We created this data mapping template as a solution to ease the EU GDPR compliance.
You may add this inventory template to your favorites as a data mapping tool for further use.
What is data mapping? The General Data Protection Regulation requires each 'data controller' and 'data processor' to keep records of its processing activities, which in practice means a data audit methodology to assess the personal data it collects and uses. If you are a data protection officer you can treat this template as a personal data inventory map. The EU GDPR has set firm standards for the protection of individuals' personal data.
You can find information on the internet regarding the types of data security which you can implement to protect 'personal data' throughout any data management plan, most of them listed in this online GDPR data audit template.
One crucial requirement for companies and businesses is 'privacy by design' (data protection by design, Art. 25), which reduces the likelihood and impact of a data protection breach. Working through the regulation may be a headache, but it is a must and should be an important rule for every organisation, including US companies: under Art. 3(2) the GDPR also applies to non-EU businesses that offer goods or services to, or monitor the behaviour of, people in the EU. Even where a company has no formal audit obligation, using a GDPR checklist template can ease a data protection impact assessment by presenting the information in a clean form. Once you have read the basics, click to start a New Online Data Audit with our data inventory sheet.
If you find our Online GDPR Data Audit Tool and/or this information useful, please share it with others. Thank you!