GDPR Information Audit – how we can help

The GDPR requires you to document the types of personal information you hold and what you do with it. This article outlines the responsibilities and describes an Excel template we have developed to hold the information.

The General Data Protection Regulations (GDPR) and the associated Data Protection Bill are about respecting individuals’ fundamental rights and freedoms, in particular their right to the protection of personal data. The obligations regarding the protection and processing of personal data apply to all organisations that hold personal data – commercial and non-profits – big and small.

Naturally it’s difficult to protect an individual’s data if you are unsure of what data you hold, how you hold it, where it came from, how you keep it updated and who you share it with.

The Information Commissioner recommends organisations conduct an information audit to find out and document the personal data you have and, article 30 of the regulations requires you to maintain a record of processing activities under your responsibility. This article describes the type of information you (as a data controller) might be holding and the range of processing activities you need to document. We conclude with an overview of the Excel workbook we have developed to help you marshal the required information.

Documenting the personal data you hold

The regulations require the following information to be documented:

  • the name and contact details of the controller, i.e. the name of your organisation, the name of a third party you may be working with that jointly controls personal data and the person responsible for data protection in your organisation.
  • the purposes of the processing, such as payroll, staff management, recruitment, direct marketing, sales etc;
  • a description of the categories of individuals and of the categories of personal data. The various categories of individual whose personal data you hold could include staff, volunteers, prospective candidates, prospects, customers and business partners. Categories of personal data for staff could include contacts, pay, tax, bank account, pension, holiday, and contract details and for customers could include contact and contract details, purchase history and lifestyle.
  • the categories of organisation with whom the personal data have been or will be shared including those in third countries or international organisations. Recipients could be HMRC, employment referees, or processors such as accountants or marketing companies.
  • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, the documentation of suitable safeguards;
  • where possible, the duration you expect to keep the data for prior to deletion for the each category of data you hold. Examples include retaining information for HMRC and pension records for 6 years post-employment or customer information until end of the relationship;
  • where possible, a general description of the technical and organisational security measures. This could include things such as encryption and / or access controls.

In addition, the ICO suggests that you include other required information in this database as below. However, we suggest you add this as you proceed through your GDPR preparation tasks.

  • The basis you have chosen for lawful processing against each category of data;
  • The lawful basis for processing any special categories of data;
  • Whether a Legitimate Interest Assessment is required and has been conducted;
  • How individuals’ rights apply to each processing category;
  • Whether Data Privacy Impact Assessments are required and or / completed;
  • The location of where data is stored.

A good way to assemble all this information is to bring it together in a spreadsheet. You will then have a database that clearly records your activities under the GDPR as a means of delivering on your regulatory responsibilities.

How we can help

We have developed an Excel template for the database complete with guidance and examples on how to fill in the information and links to relevant sections of the regulations. We do know this can appear an awesome task, so we would be delighted to offer a helping hand as you go through the process.


About Us

We provide supportive leadership enabling our business community to succeed and prosper through effective use of IT and Technology. PAAC IT is an IT Company in Surrey offering small businesses the personal attention and care that their IT systems deserve. If your company has between 1 and 100 employees and need a IT Company in Surrey we would love to hear from you!

Find out more
"PAAC IT provide a managed service for our PCs on a fixed monthly charge. Really great, they are there when we need them"
Julia Macquisten - OwnerLucas Field Media
"PAAC-IT provide and maintain our Apple Macs and Macbook Pros. Richard and his team at PAAC IT are very prompt and responsive when we need help, and a pleasure to work with"
David Alden - DirectorAlden Holmes
"Our business is highly dependent on computer technology – all the way from design and creative software platforms to administration processes. PAAC-IT set up and configured our mix of PC and Apple computers, file servers and security software and now keep it running. The team at PAAC-IT is very competent and keep our IT running smoothly"
Edward Green - DirectorMilly Green
"I was having trouble making Skype calls to my son. Both Darren and Connor were extremely helpful and patient. They were so kind to get the computer in and out of the car for me - i couldn't have done this on my own as i am disabled"
Jane Nightingale
"On moving house we required help of PAAC to coordinate a tablet, PC and laptop with new security and email addresses and to ensure transfer of old contact details etc. Some of this work was undertaken by Darren in the Midhurst shop and some at our new address. Darren was professional and helpful with successful results. PAAC also followed up with care to ensure that all was well. "
A satisfied customer
"I have been dealing with PAAC IT, mostly in their Midhurst Office, but also in Haslemere, for the past three or four years. They clearly understand Macs and have given me good advice, and sorted out various issues for me. Things did go wrong with the network wireless adapters I had bought from them, but they were quick to ensure they were checked and replaced without a problem, and they followed up with me a month later to ensure all was OK. That’s good customer service!"
James Tree
"Dynamite, goes the extra yard every time, reliable and essential support to my business."
Lawrence MullenThe Talking Trade
"Good, dependable, brilliant, local"
Anneke Clegg
"I have been using the services of PAAC IT for over two years. During this time I have found the staff to be courteous, understanding, and very efficient. I have received first class service on each and every occasion – from keeping my ancient computer running, to advising and supplying a suitable replacement when it eventually crashed. All my transactions have been with the team in the Haslemere shop where Richard, Mark, Darren and Oliver have addressed my computer difficulties with great patience and kindness. To them I am eternally grateful."
Derek Smyth