We're making improvements to our website and we'd love to hear your thoughts.
Please take five minutes to complete this survey to give your feedback.
You should organise an information audit across your business or within particular areas. One person with in-depth knowledge of your working practices may be able to do this.
This will identify the data that you process and how it flows into, through and out of your business, for example to any agreed sub processors or back to the controller.
Remember, an information flow can include a transfer of information from one location to another. For example, the information may stay within your business yet a transfer takes place because the department or other office is located elsewhere (off site).
Having audited your information, you should then be able to identify any risks.
Once you have completed your information audit, you should document your findings, for example in an information asset register.
Doing this will also help you to comply with the UK GDPR’s accountability principle, which requires you to show how you comply with the UK GDPR principles, for example by having effective procedures and guidance for staff.
You must record:
If you have less than 250 employees you only need to keep these records for processing activities that:
You may be required to make these records available to the ICO on request.