GDPR Data Audit

This page is part of our guidance to help parishes get ready for and comply with the “General Data Protection Regulation”. It’s helpful to start by carrying out a data audit – you may be surprised at just how much personal data is stored and processed around the parish.

We’ve produced a template to help you do this:

dataaudit

Carrying out a Data Audit

Here are some questions to help you carry out your audit:

  • What kind of data is being collected and stored, where and why?
  • Which different church groups might store their own data? Make sure you cover them.
  • How is the data used (i.e. processed) both internally and externally?
  • How long is the data retained?
  • Who has access to the data both inside and outside of the business?
  • What procedures and controls are in place to keep data safe?

It’s likely that your audit will identify some areas where your current data systems or processes are not compliant with the GDPR, so the final column of the template lets you record any action that might be required. In some cases, you might decide that the data no longer needs to be held and processed; in other cases, the action might be a change to how you store the data or who has access to it. In a number of cases you may need to clarify in your data privacy policy how you are storing and using the data.

Finally, three tips:

  • Start sooner rather than later. Although the GDPR doesn’t take effect until May 2018, it’s good to get on top of this early.
  • Inform people what is going on, and why – this will help them to understand why you are asking questions. You might find the two-page PCC guide a helpful background note.
  • Although the parish might appoint someone to lead on this, for larger and more complex parishes a small team might be helpful.