July 24, 2024
The EU-US Data Privacy Framework: What You Need to Know
With the final approval of the EU-U.S. Data Privacy Framework, data can once again flow across the Atlantic. Learn more about the new rules at TrueVault.
Conducting a data audit is an essential input to your company's record keeping obligations under GDPR. But unfortunately, there is no uniform standard on what constitutes a ‘data audit’ and what does not. The process for conducting an audit will be slightly different for each organization, depending on the purpose of the audit and the nature of how personal data is collected and processed. Knowing how the output of a data audit will be used can help an organization inform the process and structure. However, conducting a data audit is incredibly insightful for an organization because it can provide insight into everything from data flows to unknown vulnerabilities.
And, once an organization has insight into where data lives within the data infrastructure, it will be far easier to fulfill GDPR obligations like Data Subject Access Requests, data minimization, and proving you follow best practices like security by design.
Traditionally, data audits have been done with giant spreadsheets that map out all of the systems (third party and internal) that an organization uses in conjunction with all of the classes of information stored in each system. Some companies have been known to take a systems first approach, others take a data first approach, while the more thorough companies do both approaches so they can slice their data however they need.
But, when push comes to shove, a data audit is really just one simple, tedious, task: Logging all of the data all of your systems have access to. This can be done manually or it can be done automatically with tools such as TrueVault Atlas.
The one big misconception about data audits is that completing one data audit is sufficient for compliance, when this couldn’t be further from the truth. Organizations are constantly adding new tools and leveraging different types of information, meaning the output of a data audit is constantly in flux. Whenever a new tool is adopted, it should be added to the data inventory.
The best practice is to check your company’s data inventory for accuracy quarterly, at minimum.
A Tip: Adding a ‘time’ dimension to your data audit can help make sure you are minimizing risk and complying with internal data retention policies.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.
