Recently, most of us have received our fair share of newsletters, event invites and software vendor promotions, all stressing the need for GDPR compliance.
Compliance with the new data protection legal framework should definitely be a top priority for all organisations that hold personal data. But contrary to what some of these promotions might imply, you aren’t going to get there simply by attending a conference or buying a piece of software.
At heart, compliance demands two things from you: an understanding of your obligations and a thorough look at your business and processes to see how those obligations apply.
This is where a GDPR audit comes in. Done in the right way, your audit involves putting each area of your business under the spotlight in the context of the new data protection “rulebook”. Through your audit, you can identify precisely what changes you need to make and the whole issue of GDPR compliance becomes far less daunting.
Here’s our guide for getting that audit underway.
The GDPR audit: what’s involved for your organisation?
For some businesses, the buzz surrounding the GDPR might have prompted a serious look at data protection and privacy for the first time. If this is the case, then your audit provides a useful way to get started. It involves systematic examination of your organisation, so all areas of the law are covered.
For those organisations already familiar with the old Data Protection Act, GDPR compliance is likely to be more a case of evolution rather than starting from scratch. That said, as our DPA vs GDPR guide highlights, there are multiple new changes to get to grips with. A full GDPR audit offers an effective way of integrating these changes into your business.
Establish whether the GDPR applies to you
The first step in any compliance audit involves checking the applicability of the law to your organisation. Note that the GDPR applies only to “personal data”. So it’s not concerned with, for instance, business plans and intellectual property, but it does cover areas such as customer data and HR records. A more detailed definition of “personal data” is available here.
The law applies to the data of EU citizens. This means that even if your organisation is based outside Europe, if you process the details of EU citizens you will still need to get to grips with GDPR compliance.
Review your personal data estate
This involves establishing what categories of personal data you process, where it comes from, its purpose, how it flows through your organisation and who has access to it. This is data mapping; an integral part of any GDPR audit. You can read more about it in our dedicated data mapping guide.
Establish the scope of applicability: are you a controller or processor?
If you are a controller, i.e. you determine the purposes and means of processing personal data, the vast majority of the GDPR applies to you. For processors, however (i.e. those who perform a limited role under the instructions of the controller), a more limited scope applies. That said, the GDPR introduces new obligations affecting processors and specific requirements for the necessary agreement between controllers and processors. Our explanation of the differences between controllers and processors can help you determine which parts of the law apply.
Checking “lawful processing” and consent
You must have a “legal basis” for each data processing activity you conduct. Consent is an applicable basis for a lot of businesses: it is lawful for you to process personal data, but only so far as the data subject has given you consent to do it.
If you are relying on consent, your GDPR audit should ensure you have sufficient consent for each processing activity and that you can demonstrate that consent. However, remember that you need to inform individuals that they can withdraw that consent if they so wish. Our guide to consent provides further information on this.
Notification and transparency obligations
The GDPR requires you to notify individuals whose data you are processing. It also brings in new requirements on the information that ought to be provided in privacy notices. Your audit should include a review of existing notices to identify any required amendments. It should also include a review of the language in those notices to check you are communicating with data subjects in a clear and transparent way.
Data subject rights
The new law ushers in new and enhanced rights for individuals, including the right to request erasure and rectification of data, the right to object to processing and the right to request transfer of data to another controller (data portability).
Are there mechanisms in place for individuals to exercise these rights? If you receive a subject access request, will you be able to respond to it within the required one month? Your audit should help you establish this.
Data security and reporting
As part of your wider GDPR audit, a data security risk assessment enables you to identify the specific security risks you are faced with, and the “appropriate” measures needed to address those risks.
For the first time, the GDPR introduces mandatory breach reporting. Your audit should, therefore, focus on whether you have the record keeping and reporting tools and procedures necessary to keep on top of this.
Getting help with your audit
From individual rights through to IT security, there’s a lot of ground to cover as part of any GDPR audit.
For many organisations, getting in external help will be a tempting prospect. For instance, an external partner may promise to identify and fix everything GDPR-related on your behalf (at a price!).
Be aware, though, that this isn’t always the most cost-effective or efficient way of dealing with the GDPR. For one thing, there may be an inclination on the part of the consultancy to seek out and “fix” issues that could just as easily be dealt with in-house.
The Privacy Compliance Hub
This is where The Privacy Compliance Hub can offer a useful alternative. Through tailor-made templates, documents and a complete methodology guiding you towards compliance, The Hub can help you conduct your audit, allowing you to stay in complete control of the entire process. The Hub ensures that the audit is carried out securely and thoroughly.
To find out more, check out our demo, or contact The Privacy Compliance Hub direct to start your compliance conversation.