Preparing to implement a Data Privacy Strategy begins with a holistic "Data Audit," which must precede any broader Data Mapping exercise.
The following process lays the groundwork for a robust data protection strategy by establishing the scope and nature of the personal data the organization collects and processes:
CONDUCTING A DATA AUDIT
APPROACH:
- Inventory Existing Data: Begin by listing all types of data currently held by the organization, including personal data, sensitive data, critical data, children's data and any other category.
- Data Sources Identification: Identify all sources from which data is received. This includes both digital (e.g., online forms, email, social media) and physical (e.g., paper forms, in-person interactions) sources.
- Data Entry Points Noting: Note down the physical and digital points at which data enters your systems, such as your website, mobile app, customer service desks, or in-person events.
DO’S:
- Comprehensive Inventory: Ensure that your data inventory categorizes data according to the DPDPA’s definitions and includes all possible data types.
- Diverse Source Inclusion: Include all conceivable data sources, paying special attention to less obvious ones like verbal data collection during customer service calls or data obtained through third parties.
DON’TS:
- Overlooking Offline Data Sources: Do not neglect offline data sources. Physical forms and direct customer interactions are often overlooked but can be significant sources of personal data.
- Assuming Uniformity in Data Collection: Avoid assuming that data collection methods are uniform across the organization. Different departments may have varied data collection practices.
EXAMPLES:
- Online Retailer: An online retailer may realize during its audit that it collects personal data through its e-commerce platform, email newsletters, and customer service chats. It might also receive data indirectly through third-party logistics services.
- Healthcare Provider: A hospital's data audit could reveal that it collects patient data not only through its digital patient portal but also through physical forms during admission and through verbal data collection in emergency situations.
IMPLEMENTATION:
- Documenting the Audit Findings: Maintain a record of the audit findings, categorizing the data based on sensitivity and the source of collection.
- Regular Updates: The data audit is not a one-time activity; it must be updated regularly to reflect new data sources or changes in data collection practices.
By conducting a thorough data audit, organizations gain a comprehensive understanding of the data they handle. This is the first critical step in laying a solid foundation for compliance with the intent of the DPDPA, 2023.
For any query or feedback, please feel free to get in touch with dataprivacy@amlegals.com, tanmay.banthia@amlegals.com or mridusha.guha@amlegals.com.