How to audit Data Privacy

Introduction

Most of us know that data privacy and GDPR are important, but what exactly do they involve, and what do you need to do to comply as a small or medium-sized organisation?  A gap analysis or audit is a good place to start, and in this blog we run through the areas you should cover in it.

Approach

Your audit should focus on the following areas:

  • Compliance
  • Data subject rights
  • Incident response
  • Policy & Documentation
  • Transparency
  • Capability
  • Governance & Risk

    We’ll run through each in turn, so you know the areas you should focus on.

    Compliance

    Data protection compliance is a mix of legal, operational, and technical skills that most small-to-medium-sized businesses struggle to balance.  In your audit, consider whether you have:

    • Trained employees on their role in maintaining data protection.
    • Appointed a data protection officer, or at least someone to lead your data privacy programme.
    • Arranged for specialist skills such as security and legal support should you need them.

    You may have the best processes and technology, but many aspects of your compliance will rest with having knowledgeable people and the right capabilities available when you need them.

    Capability

    It is also your responsibility to demonstrate you comply with data protection requirements.  You need to have the right evidence to show how you monitor compliance.

    Check how you:

    • Check for compliance with your policy.
    • Check suppliers for their compliance.
    • Manage improvements identified from your compliance checking.
    • Report compliance to the Board.

    Compliance testing can be hard work, but it is critical to an effective data protection programme.  Please note that, while information and cyber security are important components of data protection and privacy, they are specialist areas in themselves and so you might want to focus on them in another audit. 

    Data subject rights

    Data subject rights are at the heart of data protection rules and regulations.  Put simply, individuals have certain rights over the data you process about them.  These rights include the right of access to that data, the right to object to processing, the right to request that you erase data and even the right to demand that their data is provided to a competitor.

    We suggest you think about your business, and initially focus on the rights you are most likely to come across.  Think about how you fulfil requests from individuals to exercise their rights.  For example, how you:

    • Document procedures to explain how you respond to requests from individuals.
    • Log and track responses, to make sure you stay within the regulatory requirements.
    • Review and manage the quality of responses.

    A failure to properly manage requests from data subjects is one of the things people are most likely to complain to the regulator about, so it’s important you get the right measures in place here.

    Incident response

    However much you try to avoid problems, sometimes you will face an issue.  Perhaps your data will be breached somehow, or someone will make a mistake.  Either way, the issue leads to a loss of data, which can be incredibly stressful for the individuals involved.

    Managing incidents is therefore another important part of your data privacy measures.  In fact, many regulators require that breaches are reported to them, and you may also have a duty to communicate breaches to the individuals whose data you have lost.

    This section of your audit should consider your preparation for an incident.  This could include:

    • Roles and responsibilities in the event of a breach.
    • Documented procedures.
    • How you have tested your incident response capabilities.

    It’s human nature to assume a breach won’t happen.  However, experience has taught us that it can happen to any organisation.  Time spent preparing for an incident could be the difference between an issue and a crisis.

    Policy & Documentation

    Effective data privacy usually relies on your having some documentation in place.  Check that this documentation covers:

    • What data you process, and why.  If you don’t know what data you process, then it’s difficult to demonstrate you are properly protecting that data.  You’re also expected to have a standing record of why you process the data (your lawful basis for processing), where you get the data from, who you share it with and whether the data is particularly sensitive.
    • The rules you apply to comply with the regulations.  This set of rules is your data protection policy, and it’s the set of standards you monitor compliance with.  The Board signs off these rules – this is their way of saying ‘this is what we want the organisation to do so it is compliant with data protection requirements’.

    Most smaller organisations don’t like documentation.  However, unless you have these two simple components in place, it’s going to be difficult to demonstrate you comply with data protection requirements.

    Transparency

    One of the founding principles of most data protection regulations is that organisations will be transparent with individuals.  This means you may need to disclose where you get data from, why you process it, who you share it with and how individuals can exercise the rights available to them.

    This requirement is often fulfilled through a Privacy Notice.  This is the document many organisations keep on their website.  It summarises all the information we covered in the ‘Policy & Documentation’ section of this audit in a format that’s easily understood.

    When reviewing your transparency, consider whether you:

    • Have a privacy notice.
    • Communicate this information to individuals at the right time.
    • Communicate the right information in your privacy notice.

    Transparency requirements are, again, visible to individuals, and failing to meet them can lead to complaints to the regulator.  As you can see, fulfilling them should be a simple matter of summarising the data and rules you have already documented.

    Governance & Risk

    Governance often refers to how your Board and senior management delegate authority through your organisation and then monitor information to make sure that authority is being exercised within the rules they have defined.

    Effective risk management is also critical to data protection.  Your Board will set your appetite for risk, but most data protection regulations require you to implement operational processes to actively assess changes in data protection risk arising from new projects and systems.

    Look at whether:

    • You report data protection compliance to the Board.
    • You have a documented approach to completing data protection impact assessments on major changes to your business and systems.

    Summary

    We don’t think you should need to be a specialist to perform a basic audit of data privacy.  We also don’t think you should be forced to pay for expensive specialists to do this, at least initially.  Look at the materials provided by the Information Commissioner’s Office on their website and consider the areas above.  This will show you what you already have, and where you need to focus to improve.

    If you want some help, we’ve prepared a summary Data Privacy audit here. This can help point you in the right direction.  Once you know where you need to improve, we can also help you bridge the gap.
