We're nearly a year since the frantic preparations for GDPR. How is it all going? Should we be checking? Should we audit?
Why do I need to complete an audit?
An audit allows an organisation to understand whether it is complying with the requirements of the Data Protection Act 2018, GDPR and PECR. Art 5(2) of GDPR states that “The Controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 [the principles]”. This is often referred to as the ‘accountability’ principle: completing an audit allows an organisation to demonstrate accountability against the principles.
If the worst happens and your organisation does suffer a data breach, the ability to demonstrate that you have completed regular audits and reviews of your data protection arrangements may help to mitigate a GDPR fine.
Data protection compliance is an ever-evolving journey, not a destination. Audits allow organisations to assess any gaps in compliance and identify any improvements that can be made.
Initial Audit/Gap Analysis
If you haven’t already completed one, it’s a good idea to start with a full audit/gap analysis to benchmark the current level of compliance within your organisation. This audit will then form the basis of any improvements.
You should consider:
Do you have the relevant policies and procedures?
Have you completed a data audit, clearly documenting what personal data you process and the legal basis for processing it? Do you have up to date data flow maps showing how data moves through your organisation?
Do you have a process for dealing with data subject requests within one month?
Do you have a process for dealing with data breaches and incidents?
Have you updated your contracts of employment and issued a privacy notice to all employees detailing how their data will be processed?
Do you have contracts in place with anyone who processes data on your behalf?
Do you have training scheduled or already completed?
Do you have a culture of privacy by design and default including a DPIA process?
Annual Compliance Audit
Once you have completed the work identified in your initial audit, the annual audit should be a much shorter exercise. Its aim is to test your processes and controls, to provide assurance that your organisation’s policies are being followed, and to identify any improvements that can be made.
For an annual audit you should consider:
Are your policies and procedures up to date? Do they reflect any process changes which have taken place?
Refresh your data audit: are your data flow maps up to date?
Is your Data Retention Policy being followed? Ask IT to check whether you are holding data that should have been deleted.
Are data subject requests being responded to within one month?
Are data subject complaints being responded to promptly?
Is training up to date?
Is there a good level of employee awareness?
Do you have contracts in place with all your data processors?
Report to the Board
Following the annual audit, you may want to prepare a report to the Board detailing the findings, together with management information (MI) on the number of data subject requests, data-related complaints, breaches, incidents and any contact with the ICO.
How can Teal Compliance help?
Our Teal experts can help you with any aspect of data protection compliance, from carrying out a gap analysis, assisting you with a data audit or creating policies and procedures, to carrying out an independent annual audit. This can be done as a stand-alone piece of work or as part of our DPO support service. Contact us at firstname.lastname@example.org