Establish whether the GDPR applies to you
The first step in any compliance audit is to check whether the law applies to your organisation at all. Note that the GDPR applies only to “personal data”, meaning any information relating to an identified or identifiable natural person. It is therefore not concerned with, for instance, business plans or intellectual property as such, but it does cover areas such as customer data and HR records. A more detailed definition of “personal data” is available here.
The law applies to any processing carried out in the context of an establishment in the EU, and also to organisations based outside the EU that offer goods or services to individuals in the EU or monitor their behaviour there. Note that the test is where the individuals are, not their citizenship. So even if your organisation is based outside Europe, if you process the personal data of people in the EU you will still need to get to grips with GDPR compliance.
Train your people
If you don’t train your people on a regular basis, you will struggle to show that you have the “appropriate organisational measures” the GDPR requires, and staff awareness and training is one of the tasks the law expressly assigns to a data protection officer. You need to make people understand why data protection is important. If they understand, they will care about the personal data they handle, and if they take care they are less likely to be the cause of a data breach. Bear in mind that industry figures regularly attribute the large majority of data breaches (as many as 90% in some estimates) to human error. You can find out more about GDPR training here.
Review your personal data estate
This involves establishing what categories of personal data you process, where it comes from, the purpose of each processing activity, the lawful basis you rely on, how the data flows through your organisation (including any third parties and international transfers) and who has access to it. This is data mapping, an integral part of any GDPR audit. You can read more about it in our dedicated data mapping guide. Remember that you then need to convert these data maps into a Record of Processing Activities, the formal record the GDPR requires controllers and processors to maintain. See how we did it here.
Establish the scope of applicability: are you a controller, a processor or a joint controller?
If you are a controller, i.e. you determine the purposes and means of processing personal data, the vast majority of the GDPR applies to you. For processors, i.e. those who process personal data only on the documented instructions of a controller, a more limited set of obligations applies. That said, the GDPR imposes direct obligations on processors for the first time (for example on security, record keeping and notifying the controller of breaches) and sets out specific mandatory terms for the written contract between a controller and its processors. Where two or more organisations jointly determine the purposes and means, they are joint controllers and must agree between themselves how they will share their GDPR responsibilities. Our explanation of the differences between controllers and processors can help you determine which parts of the law apply.
Consider whether you need a data protection officer (DPO)
All organisations need someone responsible for data protection. It is part of what is called the ‘accountability principle’. However, not all organisations need a formal data protection officer (DPO): a DPO is mandatory for public authorities, for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals, and for those whose core activities involve large-scale processing of special categories of data or criminal conviction data. Others may appoint one voluntarily. We have written about this in more detail here.
Checking “lawful processing” and consent
You must have a “lawful basis” for each data processing activity you conduct. The GDPR provides six: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a public task and legitimate interests. Consent is the one most people think of, but it is only lawful so far as the data subject has given you a freely given, specific, informed and unambiguous indication of their wishes, and it is often not the most appropriate basis where another one fits better.
If you are relying on consent, your GDPR audit should ensure you have valid consent for each processing activity and that you can demonstrate that consent. Remember too that you need to inform individuals that they can withdraw consent at any time, and that withdrawing it must be as easy as giving it. Our guide to consent provides further information on this.
Notification and transparency obligations
The GDPR requires you to inform individuals whose data you are processing about that processing, at the time you collect the data from them or, where you obtained it from another source, within a reasonable period and in any event before you first use it to contact them. It also sets out the specific information that must be provided in privacy notices. Your audit should include a review of existing notices to identify any required amendments. It should also include a review of the language in those notices to check you are communicating with data subjects in a clear, concise and plain way. We have written about how we wrote our own privacy notice.
A lot of breaches occur when personal data is shared and the organisation it is shared with does not look after it adequately. That is why any data compliance audit needs to involve a discovery process, so that you know who personal data has been shared with, followed by an investigatory process to assess whether those recipients are looking after the data in accordance with the GDPR and industry standards, taking into account the nature and sensitivity of that personal data.
Data subject rights
The GDPR brought in new and enhanced rights for individuals, including the right of access to their data, the right to request erasure and rectification, the right to restrict or object to processing, and the right to request transfer of data to another controller (data portability).
Do you have mechanisms in place for individuals to exercise these rights? If you receive a subject access request, will you be able to respond to it within the required one month (extendable by a further two months only where a request is complex or you receive several from the same person, and you tell the requester why)? Your audit should help you establish this. If you would like a little more detail on this, check out an article we wrote on the topic.
Data security and breach management
As part of your wider GDPR audit, a data security risk assessment enables you to identify the specific security risks you face and the technical and organisational measures that are “appropriate” to those risks, taking into account the nature of the data, the likely harm to individuals and the cost of implementation.
For the first time, the GDPR introduced mandatory breach reporting: a personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals, and the affected individuals must also be told without undue delay where the breach is likely to result in a high risk to them. Every breach, reportable or not, must be recorded internally. Your audit should, therefore, focus on whether you have the record keeping, detection and reporting tools and procedures necessary to meet these deadlines. This is just one of the things that the Privacy Compliance Hub helps you with. We have written an article about when and how to notify a data breach.
DPIAs (Data Protection Impact Assessments) and the importance of privacy by design
Data Protection Impact Assessments are at the heart of privacy by design. A DPIA is mandatory whenever a type of processing, in particular one using new technologies, is likely to result in a high risk to individuals, and it should be carried out before the processing starts. Your organisation should build privacy by design into everything it does. If the people in your organisation don’t know when and how to use DPIAs, don’t build them into your processes, don’t review them and don’t know where to store them, then you have some work to do.
Getting help with your audit
From individual rights through to IT security, there’s a lot of ground to cover as part of any GDPR audit.
For many organisations, getting in external help will be a tempting prospect. It may be, for instance, that an external partner promises to identify and fix everything GDPR-related on your behalf (at a price!).
Be aware, though, that this isn’t always the most cost-effective or efficient way of dealing with the GDPR. For one thing, a consultancy may be inclined to seek out and “fix” issues that could just as easily be dealt with in-house.
The Privacy Compliance Hub
This is where The Privacy Compliance Hub offers a useful alternative. Through tailor-made templates, engaging information resources, online training and an automated route map guiding you towards compliance, the Hub acts as your audit. In short, it shows you what to do, it gives you everything you need to do it and it enables you to demonstrate your compliance, all in one secure, structured and beautiful place.
To find out more, contact the Privacy Compliance Hub to start your compliance conversation.