GDPR Data Flow Audit

Almost all organisations will come into contact with some element of personal data and therefore need to comply with data protection legislation such as GDPR.

A Data Flow Audit will look at both business processes and IT systems to discover, understand and map how Personally Identifiable Information (PII) moves through your Organisation.

While this exercise alone will not meet all requirements of data protection legislation, it is a great first step to enable effective information governance.

A data flow audit will look at the following areas:


Identify How PII Enters your Organisation.

Personal Information may be captured at various points in your organisation. The first step is to identify where and how this happens.

Data capture can leave a footprint in your organisation, for example on a website, in email notifications and in backups, so we’ll include these systems within scope.

Identify How PII is Processed in your Organisation.

Once captured, personal information should be used only for lawful purposes. We’ll identify how you use the data you capture.

Identify How PII Moves Between Processes & Systems.

Data may be used by more than one part of your organisation, so our data flow audit will identify where PII moves internally in your organisation.

Identify where PII Leaves your Organisation.

It may be necessary to transfer the PII you collect to a third party for processing. While our data flow audit will identify where this happens, you should also ensure this is done lawfully.

Identify when PII is Erased from your Organisation.

At the end of the data life cycle we’ll identify when and how data is erased, and consider the footprints left throughout the organisation.

What Next?

After a data flow audit, you should consider policies, procedures and controls you have in place to comply with applicable legislation. Our Data Protection Audit is a natural next step and will guide you through the Six Privacy Principles.

Six Privacy Principles

The General Data Protection Regulation provides Six Privacy Principles, and meeting these involves a combined view of how you use personal information.

Benefits of a Quality Management System ISO 9001

If you have implemented a quality management system, such as ISO 9001, your business processes have often already been evaluated, and our auditors can use this to identify activities involving PII.

Find out more about ISO 9001.
