Step 2: Identify what data you hold and where that data came from
You will need to know what personal data you hold and where it came from. This means all personal data including employees (where relevant) and clients. This should be documented and you must keep records of your different types of processing activity (ie, how you record, store and share personal data for categories of individuals, eg, clients and employees) You should also record if you share data with any third parties, for example GP’s, testing laboratories and supplement companies. The ICO has produced a spreadsheet template that covers all this. It includes:
- All types of personal data and special category data (eg, health and employment records) held
- Associated processing activities
- Privacy notices
- Access requests
- Data breaches
Click here for the full eblast.