After the data map, now the Privacy Impact Assessment.
So, you have finally gone through the eye-opening process of working out what data you hold and maybe where it is located (see previous series). That may have been a scary process, just realising how much information has been collected. If you ever get a “subject access request” to delete a person’s information, how long would that process take? Someone would have to go through all the different databases, check the paper records (and archives), and don’t even mention emails. As painful as producing a data map might be, at least you now know where different information is held. Now comes the task of testing the current system to check for weaknesses and the potential consequences if a breach were to occur. It’s a type of fire drill for your data. The exercise should highlight areas that need improving and develop a planned response for that eventuality. This process is called a Privacy Impact Assessment.
There is no legal requirement to produce this, but it is highly recommended by the ICO as it proves an organisation’s due diligence in preparing for the eventuality of a data breach. This would be included as part of the documentation you would be required to produce if ever investigated for your compliance responsibilities.
Looking at the map you have created, you now need to revisit the schematic with a view to “what have we got?”, “how secure is it?” and “what are the consequences if it were released into the public domain?” This means classifying the data in terms of whether it is considered to be “sensitive” data. For the full list with explanations, see our FAQ section.
Next in the series: Privacy Impact Assessment, how to classify data.