According to a report from the Irish Data Protection Commissioner, “data controllers” should “regularly audit their holdings of personal data and the procedures they have in place to protect this data.”

For example, they should ask what types of personal data they hold:

  • “electronically (including less obvious data such as CCTV images)?”
  • “on paper?”

and then, for that data:

  • “Can we justify the collection of this information?”
  • “Why do we collect it?”
  • “What is it used for?”
  • “What are the risks?”
  • “How long do we hold it?”
  • “Who has access to it?”
  • “To whom do we disclose it?”
  • “Where will the data be stored?”
  • “Is it held securely?”
  • “How do we dispose of the personal data?”
  • “If we outsource processing of personal data to a data processor (including a 'cloud computing' service provider), are we satisfied that their security procedures are adequate?”

The report also delves into applicable law and provides guidance for data collection, retention, access and security policies, including a lot of technical IT security details.

While companies and organizations operating in or dealing with Ireland and the EU would find it most relevant, anyone on the technical side of data security might find the report’s recommendations useful.