EXAMPLE Personal Data Analysis Form


Please note: This sample only shows part of the Example Personal Data Analysis Form

DATE COMPLETED:

Personal Data Analysis Form

[Enter date here] A. N. Other

PROJECT OR BUSI...

GDPR-FORM-03-2

REF | PROJECT OR BUSINESS PROCESS | PERSONAL DATA ITEM

DESCRIPTION

SPECIAL CATEGORY OF PERSONAL DATA? | ARTICLE 9(2) EXCEPTION USED (SPECIAL CATEGORY DATA ONLY) | OBTAINED FROM DATA SUBJECT?

The name of the customer; sometimes different to the name of the person receiving support | No | Not applicable | Yes

OWNER

OWNER

LAWFUL BASIS O...

Credit card details

Managing Director

Consent

Human Resources

Customer address

Product Manager

Contractual

LinkedIn Connections

Customer email ad...

Sales and Marketing M...

EU law

Newsletter

Customer IP address

Post-sale review re...

Customer name

PROCESSING PURPOSE | LAWFUL BASIS OF PROCESSING

Sales records and ongoing support | Contractual

IF CONSENT-BASED, HOW IS CONSENT OBTAINED? | AUTOMATED DECISION MAKING? | LEVEL OF DATA SUBJECT ACCESS | LOCATION STORED | COUNTRY STORED IN | RETENTION PERIOD

Not applicable | No | Accessed via portal | Web server; Sales spreadsheet on File Sharing Website | Germany | 7 years

ENCRYPTION LEVEL | ACCESS CONTROLS

None

2FA

THIRD PARTIES SHARED WITH | COMMENTS

None

Germany 7 years

None

2FA

None

Germany 7 years

None

2FA

None

Not Known 7 years

At rest

2FA

None

Germany 7 years

None

2FA

None

Germany 7 years

None

2FA

None

Not Known

2FA

Reviews Website

1 Website sale

Customer name

2 Website sale

Customer email address | Email address of the customer; usually a business email but often a gmail or hotmail account

Customer telephone number | Phone number, usually business but could be personal

Credit card details | Number, expiry and CVC of customer's credit card

No

Not applicable

Yes

Sales and Marketing Manager

Sales records and ongoing support

Contractual

Not applicable

No

Accessed via portal

No

Not applicable

Yes

No

None

Not applicable

Yes

Backup contact if email doesn't work - do we need this? | Contractual

Sale - details are not kept by us. | Contractual

Not applicable

No

Not applicable

No

None

5 Website sale

Customer address

Physical address including street, city, county, zip and country

No

Not applicable

Yes

Sales and Marketing Manager Sales and Marketing Manager Sales and Marketing Manager

Sales approval via credit card; tax records; VAT charging | Contractual

Not applicable

No

6 Website sale

Customer IP address | IP address of the purchaser at the time of purchase

No

Not applicable

Yes

Sales and Marketing Manager

Evidence of location for tax purposes

Not applicable

No

Can be amended but not viewed via portal | Web server

None | Web server

7 Post-sale review requests

Customer name and email address | Name and email address of the customer; usually a business email but often a gmail or hotmail account

Customer name and email address | Name and email address of the customer; usually a business email but often a gmail or hotmail account

Customer name and email address | May be different to the purchaser

No

Not applicable

Yes

Sales and Marketing Manager

Post-sales marketing of additional products | Consent

Not obtained

No

None

Reviews Website

No

Not applicable

Yes

Sales and Marketing Manager

Post-sales marketing of additional products | Consent

Customer explicitly signs up for the newsletter

No

Unsubscribe available at any time

Web server

Germany 7 years

None

2FA

None

No

Not applicable

Yes

Product Manager

Communication that an update is available | Contractual

Not applicable

No

Accessed via portal

Web server

Germany 7 years

None

2FA

None

Customer name and email address

No

Not applicable

Yes

Product Manager

Post-sale and annual feedback survey issues and improvements

Not obtained

No

None

Mailing Website

Not Known

2FA

Mailing Website

3 Website sale

4 Website sale

8 Newsletter

9 Provision of product updates

10 Feedback survey requests

Sales and Marketing Manager

PERSONAL DATA ...

Feedback survey re...

EU law

Consent

Web server Sales spreadsheet on File Sharing Website Web server

Payment Processor

Not Known 7 years

Not Known 7 years

May not be genuine IP address if proxy server is being used.


Actions

The following actions have been identified from the Personal Data Analysis Form:

REF | DATE RAISED | ASSESSMENT REF | ACTION | WHO | BY WHEN | NARRATIVE | STATUS
1 | dd/mm/yyyy | 3 | Decide if telephone number is required to be captured | ANO | dd/mm/yyyy | | Open
2 | dd/mm/yyyy | 4 | Find out where Payment Processor stores its data | ANO | dd/mm/yyyy | | Open
3 | dd/mm/yyyy | 7,10 | Obtain consent for post-sale review requests and feedback survey requests | ANO | dd/mm/yyyy | | Open
4 | dd/mm/yyyy | 7 | Find out where Reviews Website stores its data and whether it's encrypted | ANO | dd/mm/yyyy | | Open
5 | dd/mm/yyyy | 10 | Find out where Mailing Website stores its data and whether it's encrypted | ANO | dd/mm/yyyy | | Open
6 | dd/mm/yyyy | 11 | Find out where File Sharing Website stores its data | ANO | dd/mm/yyyy | | Open
7 | dd/mm/yyyy | 15 | Ask Payroll Bureau about the controls they have in place, including any certifications | ANO | dd/mm/yyyy | | Open