How to conduct a data risk assessment for GDPR


On 25 May 2018 the GDPR comes into effect and replaces the existing Data Protection Act 1998. If your organisation is unsure where to start with becoming GDPR compliant, we have put together some practical steps you can take now. The following process will help you conduct a data risk assessment: an inventory of what personal data you hold, where it came from, where it lives, who can reach it, why you process it, where it goes and how it is disposed of.

Step 1 – What data are you holding?

Investigate what data you are holding. It may include data on staff, suppliers, clients, customers and third parties. Once you know what you hold, you can assess which of it is personal data and so falls under GDPR, what format you hold it in (electronic or hard copy), and whether you still need all of it. Recording this in a single data inventory makes every later step easier, and data you no longer need should be scheduled for deletion rather than kept "just in case".

Step 2 – How do you collect the data you are holding?

Look at how you collect the data you hold, e.g. is it being pulled from web enquiry forms, new contracts or mailing lists? Are you collecting only the information you actually need, or is some of it collected unnecessarily (data minimisation)? What privacy information do you need to give the individual at the point of collection, such as who you are, why you are collecting the data, your lawful basis, how long you will keep it and who you will share it with?

Step 3 – Where do you hold the data and for how long?

Many businesses hold data in a variety of places, and may have both electronic and hard copies of the same data. For each location, record how long the data is kept and why; retention should be tied to a stated purpose rather than left open-ended. Think about how secure the software holding your information is, and who is responsible for keeping it patched and updated. Is data security regularly monitored and reviewed? Is the system designed with privacy in mind, and is the level of protection appropriate to the risk the data carries? Do you have a procedure in place for responding to requests from individuals, for example subject access requests, within the statutory time limit?

Step 4 – Who has access to your data?

Think about which of your users have access to data and how it is accessed. What is your policy on the use of mobile devices or personal devices? Review your access controls, identity management, and application and network access so that people can reach only the data their role requires (least privilege), and check that access is removed when roles change or staff leave. Who has responsibility for the ongoing maintenance of your data? Ensure that employees are aware of their responsibilities regarding security.

Step 5 – What is your data used for?

Be clear on why you are collecting and holding data: what is it used for? Is each use covered by a lawful basis, and is the processing fair and transparent to the individual? If the purposes have changed since the data was collected, you may need to revise your privacy notices.

Step 6 – Where and how is your data transferred?

Look at where and how your data is transferred, both internally and outside your organisation, including to cloud providers and other processors. How secure is the process (for example, is data encrypted in transit rather than sent by plain email or removable media), who is involved, and are the arrangements with third parties documented in a contract? Transfers outside the EEA need an appropriate safeguard in place.

Step 7 – How is data deleted or destroyed?

Think about how you will track when data has reached the end of its retention period, and put a procedure in place to ensure it is deleted or destroyed securely. Does that data exist in more than one location, such as backups, archives, hard copies or copies held by suppliers, that also need to be dealt with?

If you have any questions regarding the security of data, back up solutions or data management, please contact us for a consultation.

Detailed information on GDPR can be found on the ICO website. There are some useful ICO self assessment checklists to get you started on