The United Kingdom General Data Protection Regulation (UK GDPR) is an important instrument that obliges companies to protect personal data – e.g., data about customers, their own employees and applicants – and to handle it appropriately. The UK GDPR also obliges companies to regularly check whether they comply with the standards set by the regulation, look for any potential risks to the data, and find out how these risks can be reduced. The first step towards UK GDPR conformity is a data privacy audit, commonly known as a GDPR audit.
When complying with GDPR, businesses must have a clear purpose for collecting personal data and should implement security measures to protect personal data from being breached or misused. This includes disclosing any security incidents involving this data.
If you are running a business in the UK (or planning to) and your company processes personal data of citizens in the EU, you must be completely compliant with GDPR. This is where your GDPR audit will come in.
In this article, you will find out what the audit entails, who can carry one out and how much it costs.
What you need to know, in a nutshell
- A data privacy audit should answer the most important questions to determine a company’s needs and offer support in implementing data protection standards.
- If the auditor spots data protection shortcomings, he or she will provide recommendations on how to rectify them.
- A data privacy audit generally costs between 1,000 and 3,000 euros or approximately £900 and £2,700 for a small or medium-sized enterprise (SME, up to 150 employees) and is part of the support package provided by an external data protection officer. For larger companies, the costs could be significantly higher, depending on the requirements and their complexity.
In this article
- Basic GDPR terminology that you need to understand
- What is a data privacy audit?
- What are the benefits of a data privacy audit?
- How is a data privacy audit conducted?
- Key areas GDPR covers in data protection
- Does your business need a GDPR audit?
- Why do you need to conduct a GDPR audit?
- Who can carry out data privacy audits?
- Is a GDPR audit a legal requirement?
- How much does a data privacy audit cost?
- How can the data protection audit findings be implemented?
- What is a data breach and what can happen if my business has a data breach?
- When do I need to contact the ICO?
- GDPR audit checklist
Basic GDPR terminology you need to understand
In order to understand how a GDPR audit can help, here are some essential GDPR terms, their definitions, and abbreviations to keep in mind.
- Personal data: Personal data includes any information about a living person who can be identified. Personal data is made up of several pieces of information that, when put together, can be used to identify a specific person.
- Sensitive personal data: Special kinds of personal data, known as sensitive personal data, are subject to additional safeguards. In general, organisations must have more compelling reasons to process sensitive personal data than they do for "ordinary" personal data.
- Anonymous data: Some data sets can be changed in such a way that no person can be recognised (directly or indirectly) from them by any means or by any person. Ensuring that individuals genuinely cannot be identified is a technically hard process.
- Pseudonymous data: Pseudonymisation might involve using a reference number to replace names or other identifiers that are easily linked to individuals.
- Data processing: Any activity or series of operations carried out on personal data or sets of personal data, whether or not through automated methods.
- Controller: The natural or legal person, public authority, agency, or other organisation that, alone or in collaboration with others, determines the objectives and procedures of personal data processing.
What is a data privacy audit?
A data privacy audit is an examination of whether, or to what extent, a company is implementing the UK GDPR standards (applicable since May 2018), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations provisions (UK Data Protection Legislation). The auditor analyses the company’s compliance with the UK’s Data Protection Legislation and compares this status quo with the legal requirements, providing recommendations on how the company and its departments can become compliant.
With a data privacy audit, you can pinpoint exactly what adjustments you need to make as a result of your audit, making GDPR compliance easier.
What are the benefits of a data privacy audit?
An audit is necessary in order to evaluate the current data protection level within a company and define specific measures to achieve legally mandated data protection conformity. In other words, a data privacy audit directly detects shortcomings in data protection, rectifies them and therefore ensures that a company is legally on the right track. Not only does it prevent the loss of customers and some hefty fines, but it also helps improve the company’s competitive edge.
How is a data privacy audit conducted?
A proper data privacy audit has four stages:
1. Analysing the current situation
To start, the processes in all departments are examined to see how they handle personal data. This includes the industry-specific core processes, and the secondary business processes in the HR, finance, purchasing, sales and IT departments are also examined. Ideally, the auditor will work through a prepared questionnaire with the company; this questionnaire could consist of several hundred questions.
For every core and secondary process, the origin, as well as the further use and storage/erasure of personal data are queried. A good auditor will go into as much detail as possible and ask specific questions that you and your company will be able to answer, even without comprehensive data protection knowledge.
Here is an example: In the HR department, the auditor looks at whether application documents such as CVs really are erased or destroyed after the end of the application process. After all, regardless of whether the applicant is hired or not, the application documents are only relevant to the application process. Further storage, e.g., for positions that become vacant later, requires the explicit consent of the applicant. Whether these rules are followed sufficiently is shown by targeted questions in the data privacy audit.
2. Specification of recommended actions
Almost all data privacy audits uncover data protection shortcomings. In these cases, the auditor will work with the company to develop recommendations on how to rectify these shortcomings. In the case of application documents, the recommendation could be that the data be erased after a few months, if the applicant has not given consent to be included in the applicant pool.
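As an added illustration that is not part of the article, the following script automates the applicant-documents check described above: it flags records whose application process has closed, whose documents were not erased within the retention period, and for which no applicant-pool consent exists. The 90-day retention period and the sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed retention period; the article only says "a few months".
RETENTION_DAYS = 90
# Constructed reference date on which the audit is run.
AUDIT_DATE = date(2023, 6, 30)


@dataclass
class ApplicantRecord:
    applicant_id: str
    process_closed: Optional[date]  # None while the application process is still running
    pool_consent: bool              # explicit consent to stay in the applicant pool
    erased: bool                    # whether the CV/application documents were actually erased


def erase_due_date(rec: ApplicantRecord, retention_days: int = RETENTION_DAYS) -> Optional[date]:
    """Date by which the documents must be gone, or None if the process is still open."""
    if rec.process_closed is None:
        return None
    return rec.process_closed + timedelta(days=retention_days)


def audit_finding(rec: ApplicantRecord, today: date,
                  retention_days: int = RETENTION_DAYS) -> Optional[str]:
    """Return a finding for a non-compliant record, or None if the record is in order."""
    due = erase_due_date(rec, retention_days)
    if due is None:
        return None  # process still open: documents remain relevant
    if rec.erased:
        return None  # erased as the process requires
    if rec.pool_consent:
        return None  # retained lawfully on the applicant's explicit consent
    if today > due:
        overdue = (today - due).days
        return f"{rec.applicant_id}: documents {overdue} days past erase date {due}"
    return None  # still inside the retention window


def run_audit(records: List[ApplicantRecord], today: date,
              retention_days: int = RETENTION_DAYS) -> List[str]:
    """Collect findings for every record that should already have been erased."""
    return [f for f in (audit_finding(r, today, retention_days) for r in records) if f]


# Constructed sample data, not taken from the article.
SAMPLE = [
    ApplicantRecord("A-001", date(2023, 1, 10), False, False),  # overdue, no consent
    ApplicantRecord("A-002", date(2023, 1, 10), True, False),   # kept with consent
    ApplicantRecord("A-003", date(2023, 1, 10), False, True),   # erased as required
    ApplicantRecord("A-004", date(2023, 6, 1), False, False),   # within retention window
    ApplicantRecord("A-005", None, False, False),               # process still open
]

if __name__ == "__main__":
    for line in run_audit(SAMPLE, AUDIT_DATE):
        print(line)
```

Only A-001 is reported; the other four records are either erased, consented, inside the retention window, or still in an open process.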
3. Implement recommendations and monitor implementation
Most measures cannot be implemented immediately. Therefore, in the next step, the data protection officer must check that their recommendations have been implemented within an appropriate timeframe. In practice, this task can be very challenging for data protection officers, especially at international corporations with subsidiaries. Therefore, a tech-minded and well-organised data protection officer will have an automated project management system that illustrates the progress in detail, including progress made by the subsidiaries.
4. Creation of the legally required data protection documentation
All processes in which personal data is processed must be documented. The data protection officer will meticulously ensure that the documentation reflects the processes once the company has become legally compliant.
With more than 100 processes and sometimes several subsidiaries, “manual labour” is completely impractical. You can tell that a data protection officer is good when they use automated tools that keep the prepared documentation up to date.
Key areas GDPR covers in data protection
The GDPR updated privacy standards, enabling businesses to modernise their operations and even redesign their product designs, services, and branding. Review the GDPR's 7 essential regulations to update your knowledge of their goals and make sure your personal data processing methods are in line with them.
- Lawfulness, fairness and transparency: Organisations must ensure that their data-gathering techniques do not violate the law and that nothing is hidden from data subjects.
- Purpose limitation: Organisations should only gather personal data for a specified purpose, explain that purpose clearly, and only collect data for as long as that purpose requires.
- Data Minimization: Organisations must only process the personal data necessary to accomplish their processing goals.
- Storage limitation: Businesses must erase personal data once it is no longer required for the purpose it was collected for.
- Confidentiality and integrity: Personal data must be processed in a way that ensures the data's proper security, including protection against unauthorised or unlawful processing, as well as accidental loss, deletion, or damage, using appropriate technical or organisational methods.
- Accountability: Organisations must have the proper documentation in place to demonstrate that they are complying with the GDPR law.
Does your business need a GDPR audit?
If your company wants to comply with GDPR rules and regulations, you will need to conduct a thorough privacy audit. A data audit is the most effective method for a company to prove GDPR compliance.
Check if you are a processor or a controller. The majority of the GDPR applies to you if you are a controller, meaning you set the objectives and means of processing personal data. A more limited scope applies to processors that execute a limited duty under the orders of the controller.
Why do you need to conduct a GDPR audit?
GDPR compliance is required for every business that collects, maintains, or processes personal data of European Union citizens, including businesses in the UK. Even though your company may be located anywhere in the world, you still must comply with the GDPR regulation if you work with the personal data of European and UK citizens.
The determination of what data a company holds is a critical first step toward GDPR compliance. Therefore, running a data audit on the information your company holds will give you answers to the following questions:
- Why are you gathering personal information?
List the purposes for which you collect and retain this data. For example, marketing, service improvements, product development, human resources, systems maintenance, etc. Consider what you do with the data: Do you use it at all? Do you need it? Can you show what you use it for? Establish the exact purpose and the lawful basis for processing personal data (e.g. consent, contract, legal obligation, etc.).
- What kind of personal information are you gathering?
List the categories of data subjects and any personal data you collect. For example, current employee data, past employee data, customer data, marketing database, CCTV footage, etc. Segment this data by type, e.g. people's names, addresses, purchasing history, online browsing history, images, etc. Determine whether you hold only personal data or whether some of it falls under the category of sensitive personal information. Do you collect and process children's data?
- How did you collect this data?
- How do you store it?
Document where you store EU citizens' personal information. "Where" refers to both a physical location and the type of storage mechanism you are utilising, such as documents, databases, backups, email lists, and so on.
- What do you do with this data?
Every piece of personal information you collect should be used for a specific purpose. You should also be able to describe that purpose at the time of collection, if possible.
- Who owns and controls the data?
Document who has access to the data you store, internally and externally. You must also specify whether you are a controller or a processor of the data and, if you are a processor, what safeguards you have in place.
- How long do you keep the data for?
Like so many other aspects of the GDPR, the maximum amount of time an organisation may keep data is not specified. The EU simply states that data should be kept "no longer than required."
- What do you need to do to make your data processing GDPR compliant?
List actions that you should take to ensure your processing is compliant with the legislation. For example, you may need to delete data that has exceeded your retention period or data you have collected unlawfully.
In summary, conducting a GDPR audit helps:
- Confirm that proper data protection procedures are followed
- Look for flaws in the system that could lead to a data leak
- Evaluate internal controls
- Monitor all policies, principles, and procedures that have been validated
- Ensure that all policies are followed
- Make changes to regulations, controls, and the IT estate where necessary
- Raise data protection awareness
- Identify vulnerabilities in a company's network that could jeopardise consumers' personal information
- Assess the organisation's GDPR compliance in order to prevent strict penalties
- Share knowledge to support future training and upgrades
- Document management's commitment to understanding and appreciating the need for data security
To conduct an audit, ask yourself the above-mentioned key questions about the data your company has and keep track of your results. Putting all of this information into a spreadsheet or a Word document may be beneficial to your company.
Who can carry out data privacy audits?
Individuals with appropriate professional qualifications and a specialist educational background can carry out data privacy audits. These are generally data protection officers, data protection coordinators and IT security officers who can show additional qualifications.
Generally speaking, data privacy audits can be carried out by both in-house staff and external service providers. External auditors have the advantage that they are not “professionally blinkered”, and with their outsider perspectives, they often provide more objective findings that are in line with the industry standards.
Ideally, external auditors already have tried-and-tested industry-specific questionnaires and process documents. If a specialist company is entrusted with an organisation’s data protection, the organisation will also benefit from the knowledge of an entire team and can consult experts, for instance, in the event of any specific IT questions.
Is a GDPR audit a legal requirement?
No, the GDPR does not require a business to do a data audit. However, the only way to tell if your company is compliant is to conduct an audit. You must have legal justifications for accessing and storing personal data, and you must do so legally. An audit will assist you in evaluating and improving your GDPR processes.
How much does a data privacy audit cost?
How can the data privacy audit findings be implemented?
In order to implement the findings of a data protection audit in practice, companies should observe the following points:
- Data privacy is a topic that the whole company needs to get behind. Each department should be informed in detail about how data protection is implemented in practice. The data protection officer remains in close contact with the departments in order to advise them and answer questions.
- The data protection officer and their team require legal expertise, knowledge in the practical implementation of data protection in processes, IT skills and project management experience.
- Another vital component is utilising an automated project management tool that can provide information about the status quo when it comes to the company’s data protection at the touch of a button. Data protection officers can also use it to create their obligatory reports for executive management. It also helps them schedule and direct the implementation of measures within the individual departments.
What is a data breach and what can happen if my business has a data breach?
Data breaches in businesses can have major consequences. Businesses lose credit card numbers and other sensitive client information when they fall victim to phishing, spyware, or ransomware attacks, and they also lose customer trust.
Data breaches can be far more than a passing fright; they have the potential to alter the trajectory of a customer's life. When sensitive information is revealed, it can cause major problems for businesses, governments, and individuals. Attackers can reach you via the internet, Bluetooth, text messages, or the online services you use, whether you are offline or online.
When do I need to contact the ICO?
The ICO (Information Commissioner's Office) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
If a breach occurs that is likely to result in a potential risk to the rights of the individual(s) whose data has been breached, the ICO should be notified.
Businesses should examine the types of security breaches they may encounter, as well as the potential dangers to persons (financial loss, discrimination, and so on) that those breaches may entail.
You would have to supply the ICO with the following information:
- The type of breach, how it happened, and how many people are likely to be affected
- What are the possible repercussions of the breach?
- What steps are you taking to address the issue?
- Your Data Protection Officer's contact information
GDPR audit requirements
Understanding your requirements, what your present processes are, and identifying any gaps are the first steps toward GDPR compliance. It is critical to conduct a data protection audit in order to achieve compliance. This GDPR Audit Checklist is meant to serve as a starting point rather than a comprehensive audit.
- This regulation sets out six principles that must be followed while processing the data of EU citizens. These principles ensure that all data are protected. They are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality.
- The GDPR requires the companies it applies to to take a risk-based approach towards implementing appropriate technical measures. Conducting a data protection impact assessment (DPIA) is part of this approach, as it helps to identify risks and to mitigate them.
- A GDPR compliance project is a very big one that should involve all your board members, because without board support you might face difficulties.
Role and responsibilities arrangement in an organisation
- GDPR audit should examine how roles and responsibilities are defined in an organisation.
Scope of compliance
- Your scope of compliance must be clearly and accurately defined. This includes identifying the database that holds the personal information.
Analyse the procedure
- Article 30 mandates that controllers keep track of all processing activity under their control.
- An audit should look at these records to see how well each of the data processing principles is implemented for each process that involves personal data, taking into account the lawful bases for processing, any processes for which a DPIA is required, and any processes for which a DPIA could assist in establishing data protection by design and default.
Personal information management system (PIMS)
- A PIMS will properly organise that documentation and should also include staff awareness training. The British standard BS 10012:2017 provides the standards for a PIMS and is consistent with the GDPR's requirements.
The rights of data owners (subjects)
- Under the GDPR, data subjects have the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making and profiling
Information security management system (ISMS)
- ISO 27001:2013 establishes the requirements for an ISMS, against which organisations can obtain independently audited certification to demonstrate compliance.
A data privacy audit is the foundation on which a company organises its data protection compliance. The objective of the audit is to highlight shortcomings in data protection and help the company comply with all the statutory regulations.
Therefore, the data privacy audit is more than “just” an analysis of the current situation. It is paramount to derive recommended actions from the assessment, monitor their implementation and document it.
Still have questions? Reach out to one of our GDPR experts now and learn how the DataGuard GDPR solution can empower your business.