GDPR Audit: How to Conduct It Properly?

The General Data Protection Regulation (GDPR) applies directly in every EU member state; in the United Kingdom it is supplemented by the Data Protection Act (DPA) 2018 and, since Brexit, continues in domestic law as the UK GDPR. It introduced a substantial set of obligations for organisations that control or process personal data, together with heavy penalties for those that fail to comply: for the most serious infringements, fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher (Article 83(5)). The question, then, is how you can tell whether your organisation is compliant, and to what degree. A data protection audit, or GDPR audit, gives you a view of whether the policies, controls, and procedures you have put in place meet the GDPR and DPA 2018 requirements, and it highlights the areas you need to improve to reach full compliance. In this guide we look at how a GDPR audit is conducted and what you need to know for a successful one. First off:

Why is a GDPR audit crucial?

Before committing resources to a GDPR audit, an organisation will want to know what it gets in return. Auditing your organisation's GDPR compliance:

  • Raises awareness of data protection across the organisation.
  • Picks out weaknesses in the organisation's systems and processes that could put customers' personal data at risk.
  • Tells you your current level of GDPR compliance, so you can close gaps before they turn into penalties.
  • Shows which areas need improvement going forward.
  • Documents management's commitment to understanding and recognising the importance of data protection.

Other benefits include:

  • Confirms that appropriate and adequate policies and procedures are in place.
  • Finds weaknesses that could lead to a personal data breach earlier, and checks the breach notification procedure (notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, under Article 33) before it is needed.
  • Lets the organisation assess the effectiveness and adequacy of its internal compliance programme.
  • Produces recommendations for changes to controls, policies, and procedures, which can then be implemented.

How do you conduct a proper GDPR audit?

Any organisation that processes the personal data of people in the EU, whether it is established inside or outside the EU, needs to check its compliance regularly. The GDPR does not prescribe an audit as such, but the accountability principle (Article 5(2)) requires the controller to be able to demonstrate compliance, and regular internal audits are the practical way to keep that evidence current. The first step towards a proper audit is therefore to establish whether the GDPR applies to your organisation. Keep in mind that it only applies to personal data, which will certainly include human resources records as well as customer data. Its territorial scope (Article 3) is not based on citizenship: it covers processing carried out in the context of an establishment in the EU, and processing by organisations outside the EU where they offer goods or services to, or monitor the behaviour of, people who are in the EU. So even if your company is based outside the EU, as long as you process the data of people in the EU in those ways, you need to get to grips with GDPR compliance. Once applicability is confirmed, draw up a GDPR audit plan. This includes creating a checklist that guides you through the audit and tells you what needs to be covered.

Create an audit checklist

Next, create a checklist of everything the audit needs to cover. These areas include:

Governance – Article 5 of the GDPR requires personal data to be processed in accordance with seven principles. Six are set out in Article 5(1):

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality

All six are underpinned by the seventh, accountability (Article 5(2)), which is why every data controller must maintain records to demonstrate compliance. A compliance audit therefore has to consider how well data protection accountability, policies and procedures, responsibilities, measurement controls, and reporting mechanisms are operating in your company.

Risk management – the GDPR requires organisations to take a risk-based approach when implementing appropriate technical and organisational measures (Articles 24 and 32). One expression of this is the data protection impact assessment (DPIA) under Article 35, a form of risk assessment that identifies the risks to individuals arising from a processing activity and their likely effects, and which is mandatory where processing is likely to result in a high risk to individuals' rights and freedoms. A GDPR audit should establish whether privacy risks appear in the organisation's risk register, what privacy risk management arrangements are in place, how far information-specific risks are incorporated into the company's overall risk regime, and which risks to natural persons' rights and freedoms are actually addressed.

GDPR project – board support is crucial if the compliance project is to run smoothly, because GDPR compliance demands effort from top management right down to individual employees. The audit should therefore examine whether a GDPR project that is properly staffed, supported and funded is in place and capable of delivering realistic, effective objectives.

DPO (data protection officer) – under Article 37 of the GDPR, appointing a DPO is mandatory in three cases:

  • Where the processing is carried out by a public authority or body (except for courts acting in their judicial capacity)
  • Where the organisation's core activities consist of processing that requires regular and systematic monitoring of data subjects on a large scale
  • Where the organisation's core activities consist of large-scale processing of special category data (Article 9) or of data relating to criminal convictions and offences (Article 10)

Even where there is no legal requirement, appointing a DPO is recommended. The audit should first establish whether a DPO is mandatory for the organisation and whether one has been appointed. If a DPO is in place, the audit should examine whether the role is appropriately positioned (the DPO must report directly to the highest level of management and must not receive instructions on how to perform their tasks, per Article 38) and whether the individual has the capability to deliver what the GDPR requires.

Roles and responsibilities – the audit should also consider how far roles and responsibilities for data protection are defined and established throughout the company. It should look at the training and awareness measures already in place, at the records that show they were delivered and were effective, and at the on-boarding and off-boarding processes, since these determine who is given, and who loses, access to personal data.

Scope of compliance – full GDPR compliance depends on a clearly defined scope. The scope needs to cover every processing activity in which the company has a role, whether as data controller or data processor, including any data sharing. Identify all databases and systems that hold personal data, all processing activities, and any cross-border processing. The GDPR audit then needs to examine each of these carefully.

Process analysis – under Article 30 of the GDPR, controllers (and processors) must maintain records of their processing activities, including the purposes of processing, the categories of data subjects and personal data, the recipients, any transfers to third countries and their safeguards, and, where possible, the envisaged retention periods and a description of security measures. (Article 30(5) exempts organisations with fewer than 250 employees, but only if the processing is occasional, unlikely to result in a risk to individuals, and involves no special category or criminal offence data, so in practice most organisations must keep the records.) These records can be numerous. A GDPR audit examines them to determine how, and to what extent, the data processing principles were applied in each process, paying particular attention to the lawful basis (Article 6) recorded for each. The audit also needs to focus on any processes for which a DPIA is mandatory, and on where data protection by design and by default (Article 25) could be used to build protection into the process.
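The Article 30 review described above can be partly mechanised. The following is an added example, not code from the original article: it walks a constructed record-of-processing register (the field names, the sample entries and the short EEA country list are all assumptions made for illustration) and flags a subset of the gaps an auditor would look for: missing Article 30 items, an unrecognised lawful basis, special category data without an Article 9(2) condition, transfers outside the EEA without a safeguard, and Article 35(3) DPIA triggers with no DPIA recorded. It is a checklist tool, not a legal determination; every finding still needs an auditor's judgement.

```python
"""Audit a record-of-processing (Article 30) register against a subset of
GDPR checks.  Added example: the record layout, the field names and the
sample entries are constructed for illustration and are not taken from
any real register or product."""
from dataclasses import dataclass, field
from typing import Dict, List

# Article 6(1) lawful bases, using the labels of the sample register.
LAWFUL_BASES = {"consent", "contract", "legal_obligation",
                "vital_interests", "public_task", "legitimate_interests"}

# Article 9(1) special categories of personal data (labels are ours).
SPECIAL_CATEGORIES = {"racial_or_ethnic_origin", "political_opinions",
                      "religious_or_philosophical_beliefs",
                      "trade_union_membership", "genetic",
                      "biometric_identification", "health",
                      "sex_life_or_sexual_orientation"}

# Items an Article 30(1) controller record must carry (subset).
REQUIRED_FIELDS = ("purpose", "data_subjects", "data_categories",
                   "recipients", "lawful_basis", "retention")

# Countries treated as inside the EEA for the transfer check.  Assumption:
# ISO 3166 alpha-2 codes; the list is deliberately short and illustrative.
EEA = {"AT", "BE", "DE", "DK", "ES", "FR", "IE", "IT", "NL", "NO", "PL", "SE"}


@dataclass
class ProcessingRecord:
    name: str
    purpose: str = ""
    data_subjects: str = ""
    data_categories: List[str] = field(default_factory=list)
    recipients: List[str] = field(default_factory=list)
    lawful_basis: str = ""
    retention: str = ""                    # Art. 30(1)(f) erasure time limit
    art9_condition: str = ""               # Art. 9(2) condition, if special data
    criminal_data: bool = False            # Art. 10 data present
    transfer_countries: List[str] = field(default_factory=list)
    transfer_safeguard: str = ""           # adequacy decision, SCCs, BCRs ...
    large_scale: bool = False
    public_area_monitoring: bool = False   # Art. 35(3)(c)
    automated_decisions: bool = False      # Art. 35(3)(a): legal/similar effect
    dpia_done: bool = False


def audit_record(rec: ProcessingRecord) -> List[str]:
    """Return the findings for one record; an empty list means no gap found."""
    findings: List[str] = []

    # 1. Article 30 completeness: every required item must be filled in.
    for item in REQUIRED_FIELDS:
        if not getattr(rec, item):
            findings.append(f"Art.30: '{item}' not documented")

    # 2. Article 6: the recorded lawful basis must be one of the six.
    if rec.lawful_basis and rec.lawful_basis not in LAWFUL_BASES:
        findings.append(f"Art.6: '{rec.lawful_basis}' is not a lawful basis")

    # 3. Article 9: special category data needs an Article 9(2) condition
    #    in addition to the Article 6 basis.
    special = SPECIAL_CATEGORIES & set(rec.data_categories)
    if special and not rec.art9_condition:
        findings.append(f"Art.9: {sorted(special)} without an Art.9(2) condition")

    # 4. Chapter V: transfers outside the EEA need a documented safeguard.
    outside = sorted(c for c in rec.transfer_countries if c not in EEA)
    if outside and not rec.transfer_safeguard:
        findings.append(f"Ch.V: transfer to {outside} without a safeguard")

    # 5. Article 35(3): processing for which a DPIA is mandatory.
    triggers = []
    if rec.automated_decisions:
        triggers.append("automated decisions with significant effect (35(3)(a))")
    if rec.large_scale and (special or rec.criminal_data):
        triggers.append("large-scale Art.9/Art.10 data (35(3)(b))")
    if rec.large_scale and rec.public_area_monitoring:
        triggers.append("large-scale public area monitoring (35(3)(c))")
    if triggers and not rec.dpia_done:
        findings.append("Art.35: DPIA required but not done: " + "; ".join(triggers))
    return findings


def audit_register(records: List[ProcessingRecord]) -> Dict[str, List[str]]:
    """Audit every record; only records with findings appear in the result."""
    return {r.name: fs for r in records if (fs := audit_record(r))}


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    ProcessingRecord(
        name="payroll", purpose="pay staff", data_subjects="employees",
        data_categories=["contact", "bank_details"],
        recipients=["bank", "tax_authority"], lawful_basis="legal_obligation",
        retention="6 years after employment ends"),
    ProcessingRecord(
        name="wellness_programme", purpose="staff health scheme",
        data_subjects="employees", data_categories=["contact", "health"],
        recipients=["insurer"], lawful_basis="consent",
        transfer_countries=["US"], large_scale=True),
    ProcessingRecord(
        name="web_analytics", purpose="site usage statistics",
        data_subjects="visitors", data_categories=["ip_address", "device"],
        recipients=["analytics_vendor"], lawful_basis="business_need",
        retention="13 months"),
]

if __name__ == "__main__":
    for name, findings in audit_register(SAMPLE_REGISTER).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On the sample register, the payroll record passes, the web analytics record is flagged only for its lawful basis ("business_need" is not one of the six Article 6 bases; the auditor must find out which one the controller actually relies on), and the wellness programme collects four findings: no retention period, health data with no Article 9(2) condition, a US transfer with no safeguard, and large-scale special category processing without a DPIA. That last record is exactly the kind of process the audit should push to the top of the remediation list.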

Personal information management system (PIMS) – demonstrating GDPR compliance requires a good deal of documentation, including a data protection policy, DPIAs, consent forms, a data breach notification procedure, and subject access request forms and procedures. The scale of the documentation should reflect the size and complexity of your organisation. A PIMS (ISO/IEC 27701, which extends ISO/IEC 27001 to privacy management, is one established framework for building one) organises this documentation and also covers staff awareness training. The GDPR audit therefore needs to determine whether the PIMS requirements align with the GDPR compliance requirements.

Data subjects’ rights – the rights of data subjects are central: giving individuals more control over their personal data was one of the main aims of the GDPR. These rights (Articles 12 to 22) are:

  • The right of access to their data
  • The right to be informed
  • The right to rectification
  • The right to erasure (the ‘right to be forgotten’)
  • The right to restrict processing
  • The right to object
  • The right to data portability
  • Rights in relation to automated decision-making and profiling

The GDPR audit needs to determine how far the organisation has implemented processes that both facilitate and respond to data subjects exercising these rights, including meeting the response deadline: requests must normally be answered without undue delay and within one month of receipt, extendable by a further two months only where requests are complex or numerous (Article 12(3)).

Prioritise and remediate any gaps in GDPR compliance

Next, the audit team prioritises the areas it found to be out of compliance, based on risk level, and remediation follows the same risk-based approach. For example, a company may have committed to handling breaches well and to being able to facilitate access requests from data subjects; if the audit finds that the company falls short in those areas, fix them promptly. The same goes for every item on the checklist. Factors that help rank the risks include the probability of occurrence, the business impact if the regulation is infringed, and how far current practice departs from what the regulation requires. Address the high-risk areas first. Remember, too, that the gaps found are unlikely to be remediated by one individual, so the company should assign the work to a team of qualified professionals.

Test the remediation efforts

Once the audit team has identified the compliance gaps and the fixes have been applied, the company has to confirm that its systems and processes are up to the task and actually meet the GDPR requirements. That means testing, and re-testing, every control the company has put in place to make sure the issues or gaps are really closed. Once that is done, the controls are audited again to confirm that all the GDPR requirements have been met.

GDPR compliance is, of course, a continuous process, so regular audits are essential to confirm that the privacy and compliance programmes are performing as expected. In line with the accountability principle, compliance also needs continuous monitoring and enforcement so that it stays effective between audits.

Getting the help that you need

A GDPR audit cannot be done by just anyone; it requires skilled people. Some organisations prefer to bring in external auditors for their GDPR audits rather than relying on internal auditors. Whichever approach you adopt, make sure it actually improves the company's data protection posture rather than producing a paper exercise.

Conclusion

Compliance with the GDPR is extremely important; without it, your organisation risks heavy penalties. GDPR compliance is not something to take lightly. It is an essential step for any organisation that wants to stay on the right side of the law and protect its customers from breaches of their data protection rights. We can help you conduct a GDPR audit so that you are fully up to date on your obligations and how to meet them. For more information please contact our team today.
