How to prepare & conduct GDPR audit

  • By Elite CIO
  • Date May 27, 2019

How to prepare & conduct a proper GDPR audit

On 25 May 2018 the EU's General Data Protection Regulation became enforceable. The time has now come to conduct regular internal audits to assess compliance. The ability to document these audits will be vital in the event of a breach or complaint, because showing that a good-faith effort was made can help avoid a large penalty.

Why you should perform a GDPR audit

Many organizations affected by the GDPR are not yet compliant, and small businesses in particular have struggled. A report released by GDPR.eu in May shows a disconnect between European small business leaders' perception that they are GDPR compliant and their actual level of meeting key requirements.

GDPR.eu surveyed 716 small business leaders in Spain, the United Kingdom, France and Ireland to understand how their businesses were coping with the new requirements. The results revealed widespread eagerness to comply: about 80% of respondents said they were completely or mostly compliant. Yet only 40% were confident that they clearly communicate their data processing activities to data subjects, and 44% were not confident that they always obtained consent or established another lawful basis before collecting or using personal data. These are core GDPR requirements.

At the same time, many respondents are confused by the more technical aspects of data security, and a significant share of business leaders admitted they did not comply with central requirements of the law. For instance, two-thirds claimed their organization uses an end-to-end encrypted email provider, but when asked to name the provider only about 9% named a service with this kind of encryption built in. Many named irrelevant companies and technologies such as "Dropbox" or "the cloud" (one London business owner said "Mailchimp"), none of which provide end-to-end encrypted email. Meanwhile, nearly half of respondents said they did not always determine a lawful basis for processing personal data before doing so, which is a key provision of the GDPR. (The detailed report is available on GDPR.eu.)

Also in May, the European Data Protection Board (EDPB) reported that about 65,000 data breach notifications had been received under the GDPR and that supervisory authorities had issued $63 million in fines. Although the report does not mention audits, it stands to reason that an organization reporting a breach without having audited its GDPR compliance will receive more scrutiny than one that has. It is essential to conduct GDPR audits to check that processes are in place for the tasks the regulation requires, including the right to erasure ("right to be forgotten") and data portability, and so that data protection officers (DPOs) and staff know what to do in the event of a breach, including notifying the supervisory authority within 72 hours of becoming aware of it.

GDPR audits should involve people outside security, including data governance, IT, legal and human resources. Prepare a detailed plan and a set of written, actionable and assignable processes. As part of this initial phase, the organization needs to assess what personal data of EU residents it collects, where that data is stored, and how and where it is processed. The audit should ensure that such data is properly identified; once it is identified, compliance actions can be specified.

When preparing the GDPR audit plan, we should know what data we hold throughout its life cycle, from collection through storage and processing to deletion. Look for GDPR compliance gaps, record the findings, then prioritize and remediate them. Performing an internal GDPR audit takes time and costs money and other resources, but the return on that investment can be greater than simply reducing the risk of a fine. The positives of doing well on a self-audit far outweigh the costs and effort required to perform it.
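The two steps that recur above, finding where personal data actually lives and then checking each location against the records of processing for gaps, are the part of an audit a script can support. The following is an added example written for this page, not code from Elite CIO or from any GDPR tool: it scans a constructed set of sample data stores (a CSV export, application logs, a build cache, a payments table and a marketing list) for a few personal-data patterns, builds an inventory keyed by store, and compares that inventory against a hypothetical processing register to flag stores with no lawful basis, no retention period, no encryption at rest, or no register entry at all. The regexes, the store names and the register fields (lawful_basis, retention_days, encrypted_at_rest) are assumptions chosen for the example; a real inventory would also have to reach databases, backups and third-party processors.

```python
"""Data inventory and gap check for a GDPR self-audit (added example, not from the article).

Assumptions: each data store is a name -> list of text records, personal data is
detected with simple regexes, and the processing register maps store name ->
{"lawful_basis", "retention_days", "encrypted_at_rest"}.
"""
import re
from collections import defaultdict

# Detectors for a few categories of personal data. They are deliberately simple
# and will give false positives and negatives on real data; treat the output as
# input to a human review, not as a classifier.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\+\d{2}[\d ]{8,}"),             # international format with country code
    "iban":  re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}

# Constructed sample stores: the kinds of places EU personal data ends up,
# including ones nobody thinks of as "the customer database".
SAMPLE_STORES = {
    "crm_export.csv": ["alice@example.eu,+49 30 1234567", "bob@example.fr"],
    "app_logs":       ["GET /health 200", "user=carol@example.ie login ok"],
    "build_cache":    ["artifact-42 sha256:9f86d081884c7d65"],
    "payments_db":    ["DE89370400440532013000 alice"],
    "marketing_list": ["dave@example.es;consent=none"],
}

# Constructed processing register (Article 30 style). marketing_list is
# deliberately absent so the "unregistered store" finding is exercised.
SAMPLE_REGISTER = {
    "crm_export.csv": {"lawful_basis": "contract", "retention_days": 730, "encrypted_at_rest": True},
    "app_logs":       {"lawful_basis": "", "retention_days": 30, "encrypted_at_rest": True},
    "payments_db":    {"lawful_basis": "legal obligation", "retention_days": 3650, "encrypted_at_rest": False},
}


def classify_record(text):
    """Return the set of personal-data categories detected in one record."""
    return {cat for cat, rx in PATTERNS.items() if rx.search(text)}


def build_inventory(stores):
    """Map each store that holds personal data to {category: record_count}."""
    inventory = {}
    for store, records in stores.items():
        counts = defaultdict(int)
        for record in records:
            for cat in classify_record(record):
                counts[cat] += 1
        if counts:                      # stores with no personal data are left out
            inventory[store] = dict(counts)
    return inventory


def find_gaps(inventory, register):
    """Compare the inventory with the register; return (store, finding) pairs."""
    gaps = []
    for store in sorted(inventory):
        entry = register.get(store)
        if entry is None:
            gaps.append((store, "holds personal data but is not in the processing register"))
            continue
        if not entry.get("lawful_basis"):
            gaps.append((store, "no lawful basis recorded"))
        if not entry.get("retention_days"):
            gaps.append((store, "no retention period recorded"))
        if not entry.get("encrypted_at_rest"):
            gaps.append((store, "not encrypted at rest"))
    return gaps


def run_audit(stores=SAMPLE_STORES, register=SAMPLE_REGISTER):
    """Run both steps and return (inventory, gaps) so callers can act on the findings."""
    inventory = build_inventory(stores)
    return inventory, find_gaps(inventory, register)


if __name__ == "__main__":
    inventory, gaps = run_audit()
    for store, counts in inventory.items():
        print(f"{store}: {counts}")
    for store, finding in gaps:
        print(f"GAP {store}: {finding}")
```

On the sample data the inventory shows that personal data sits in the CRM export, the application logs, the payments table and the marketing list but not in the build cache, and the gap check reports that the logs have no lawful basis recorded, the payments table is not encrypted at rest, and the marketing list does not appear in the register at all. Each finding maps directly to an assignable remediation task, which is what the audit plan above asks for.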