T-00003 - where is data stored?
IT department required
1. Current applications – list application which store personal data, eg. Finance system, CRM, HR system etc.
2. Data processing document – How do you process data, do you have any 3rd party applications who process data for you (do you have any cloud based solutions storing personal data?), how do you back up data, where are they stored?
3. Data control – How do you control access to personal data? Eg. Locked filing cabinet, who has access to the key? Login access to computer systems containing personal data, who determines who has access, how is it given. Attach new starter forms or any other employee policies relating to system access.
4. Data protection – How do you prevent loss of personal data, for electronic data this might be encryption of emails, databases, password protecting spreadsheets, firewall software. For paper data this may be who has access to locked cabinets, how you dispose of documents no longer needed via shredding etc.
5. Physical storage checks – Who spot checks for missing documents, where are they physically stored, who has access? Possibly attach a clean desk policy if your business has one, stopping employees taking documents out of the business.
6. Data storage policies - For electronic data, how is it stored, do you have a specific policy for storing types of data, noting what personal data employees can store on personal or business devices / memory sticks etc. Attach your data processing policy as well.
7. Data accessible devices - also include a Bring Your Own Devices policy. Note whether personal devices have access to personal data or not. If it is business devices only, what type are they, eg. Laptops, mobile phones.
8. Data encryption – devices with access to business personal data – what type of encryption is available? Is it emails going out from the device, databases stored on the device?
9. Personal devices - include a Bring Your Own Devices policy (available in the policy templates section). If they are allowed on the business network and store personal data have they been checked by the IT department for adequate security?