Conducting a data audit is the first step to understanding your data landscape, ensuring compliance with regulations like GDPR, and identifying risks related to data protection. Many schools and MATs use external auditors; however, if you prefer to do your own, our handy step-by-step guide will help you carry out a thorough internal data audit.
If you are using our GDPRiS platform to manage data protection, our internal auditing tool and RoPA will make this task much easier.
Identify your objectives: Clarify the goals of the audit, such as compliance with GDPR, identifying sensitive data, or assessing data management practices.
Determine the scope: Decide which departments, types of data, and systems will be included in the audit. This could involve looking at both digital and physical records.
Select team members: Form a team that includes staff from IT, administration, your data protection officer, and relevant stakeholders.
Assign roles and responsibilities: Clearly define the roles of each team member and what they will be responsible for during the audit process.
Catalogue data sources: List all data sources, including databases, files, applications, software and systems, and don’t forget your paper records. Ensure you cover both structured data (databases) and unstructured data (documents, emails).
Identify data types: Classify the types of data you hold, such as personal data (student information, staff records), financial data, and administrative data.
Document data collection methods: Analyse how data is collected (e.g. forms, software applications), the purpose for which it is collected, and your legal basis for processing the data.
Consent: On the whole, schools, as public authorities, do not rely on consent; however, where consent is required, ensure that your methods for obtaining consent align with legal requirements, especially when handling sensitive data about children.
Examine how you store data: Look at where and how data is stored, including cloud services, local servers, and physical file cabinets.
Access control review: Assess who has access to the data and whether appropriate access controls (e.g. role-based permissions) are in place.
Review data usage: Identify how data is used within your organisation, including what data is shared with third parties and for what purpose.
Assess third-party relationships: Evaluate data sharing agreements with third parties to ensure they comply with your data protection policies and regulations.
Conduct a risk assessment: Undertake a Data Protection Impact Assessment (DPIA) to help identify potential risks related to the systems you use. Identify other risks to data protection, such as unauthorised access, data breaches, and non-compliance with regulations.
Highlight gaps: Look for areas where data management practices do not meet your legal or organisational standards.
Produce an audit report: Summarise your findings in a clear and structured audit report. Include details about data types, storage methods, access controls, risks identified, and any non-compliance issues.
Use visual tools: Create charts, diagrams, or tables to present your findings in a visually understandable manner.
Prioritise actions: Based on the audit findings, identify immediate and long-term actions needed to address any gaps or risks.
Set deadlines and responsibilities: Assign specific tasks to team members with clear deadlines for completion.
Execute your action plan: Implement the changes identified in your action plan to enhance data protection and compliance.
Establish ongoing monitoring: Set up processes for regular monitoring and review of data practices to ensure continuous compliance and improvement. Remember that compliance with data protection law and the GDPR is an ongoing journey.
Share your findings: Communicate the results of the audit with relevant stakeholders, including management, staff, and, if appropriate, parents or guardians.
Provide training: Conduct training sessions based on the audit findings to educate staff about data protection responsibilities and best practices.
Conducting a data audit is an important process for any organisation to ensure the responsible management of sensitive information. By following the above steps, you will gain a comprehensive understanding of your school’s data landscape, improve data protection measures, and ultimately foster a culture of compliance and accountability.
Regular audits should be a part of your ongoing commitment to data protection. If you're looking for a platform that can easily manage an internal data protection audit, or advice on how to perform a data protection audit, contact our team today!