What is the recommended 3-step approach from the ICO for carrying out an Information Audit?

The Information Commissioner’s Office recommends that once you have a basic idea of what personal data you have and where it is held, you will be in a good position to begin documenting the information you must record under the GDPR.

The ICO says “It is up to you how you do this, but we think these three steps will help you get there:”

  1. Devise a questionnaire – you can distribute this to the areas of the organisation you have identified as processing personal data. Use straightforward (jargon-free) questions that will prompt answers to the areas requiring documentation.

Example questions

  • Why do you use personal data?
  • Who do you hold information about?
  • What information do you hold about them?
  • Who do you share it with?
  • How long do you hold it for?
  • How do you keep it safe?
  2. Meet directly with key business functions – this will help you gain a better understanding of how certain parts of your organisation use data.

Example business functions

  • IT staff can help answer questions about technical security measures.
  • Information governance staff should be able to provide information on retention periods.
  • Legal and compliance staff may hold details of any data-sharing arrangements.
  3. Locate and review policies, procedures, contracts and agreements – as well as feeding directly into the documentation exercise, this can help you compare and contrast intended and actual data processing activities.

Example documents

  • Privacy policies
  • Data protection policies
  • Data retention policies
  • Data security policies
  • System use procedures
  • Data processor contracts
  • Data sharing agreements