As data protection consultants, our favoured approach to an audit of data protection compliance is to start by confirming the accuracy and completeness of the organisation’s Article 30 records. These are a record of all current data processing activity carried out by the organisation. Checking that they are complete and up to date will highlight where activities have moved on, potentially an issue under the Principle which restricts processing to stated purposes.
Until you are clear what records are being kept and the reasons for keeping them, it is difficult to scope out an audit.
The Article 30 records will indicate where there is data sharing and use of data processors. This generates an audit action to check that appropriate contracts are in place and that colleagues are aware of the contractual specifications and are following them, for example always sending personal data securely and to a designated individual at partner firms. The records will also highlight any international transfers, which should likewise be added to the audit scope of work.
An audit should also cover: the content of privacy notices, the adequacy and relevance of personal data, data retention guidelines and practice, the use of sensitive personal data, policies and procedures, and the security of data. These are standard areas for a data protection audit. You can find template GDPR policies and procedures online against which to check the content of in-house policies.
Other aspects of data protection may or may not apply, for example: use of CCTV, audio recording (telephone calls or meetings), marketing, use of employee data if the organisation employs staff, acting as a data processor supplying services to other organisations which involve personal data processing, and the identification and management of data subject rights. The Article 30 records will indicate which of these areas need to be included in the scope of work.
Once an outline scope of work for the audit is determined, it is recommended that a risk assessment be carried out in the light of the organisation’s activity involving personal data. There will always be “hot spots”, issues that management are aware of which are a cause of concern. For example, failure to provide adequate Privacy Notices will be a high risk in a consumer-facing organisation, and failure to correctly apply the Seventh Principle to outsourcing contracts will be a relatively high risk to any organisation which outsources work involving personal data processing.
It may be that the audit has to be scoped to cover just the key risks, depending on the resource available to carry out the work; alternatively, you could supplement your resources by using independent data protection consultants.
An approach to identifying and prioritising risk
- Read through your data protection materials so that you have an overall view of the provisions of the GDPR and Data Protection Act 2018.
- Identify the hot spots, the areas where the organisation has had problems in the past or those where it is obvious there may be a problem in the future.
- Take time out to think through each issue and imagine how breaches of data protection law might occur.
- Assess the severity of potential breaches based on:
  - The type of data being processed.
  - The number and type of people likely to be affected.
  - The seriousness of the damage likely to be suffered by individuals.
  - Whether the organisation has suffered similar breaches in the past.
- To each potential breach, allocate a risk factor, either a numerical figure or a traffic light, in accordance with your organisation’s risk management procedure. If you can use like-for-like risk analysis values, it will be easier to communicate concerns to other managers in the organisation.
- Your organisation’s exposure to risk from data protection breaches will emerge, together with a priority ranking for auditing data protection compliance.
At Data Protection Consulting we have twenty years’ experience of carrying out data protection audits. The audit offers us an insight into the work of our clients, and offers the client an insight into how data protection law impacts on their activities. The risk-based approach is endorsed by regulators and is intrinsic to the GDPR: controls being “appropriate” to the circumstances of the data processing is a key GDPR phrase. For more help with carrying out data protection audits, contact us today at www.dataprotection.me.uk