GDPR and performing a data audit

For many business owners, GDPR can seem like a complicated piece of legislation. It is vitally important that you are compliant, otherwise you could face a heavy fine. 

You probably have many questions, and you may wonder whether a data audit is necessary for your organisation.  

You may be asking yourself: 

  • How much will it cost? 

  • How long will it take?  

  • Will an audit interrupt the flow of my business? 

You might be feeling overwhelmed and not sure where, or how, to begin. 

Rest assured that we are committed to making your audit as efficient and cost-effective as possible while causing minimum disruption to you and your staff. 


Why conduct a data audit? 

The primary reason to conduct a data protection audit is to discover if your business is currently abiding by GDPR laws. An important first step towards GDPR compliance is for a business to determine what data they hold. A data audit will establish: 

  • The reason you are collecting personal data 

  • What personal data you are collecting 

  • How that data is being stored and processed 

  • Whether (or not) you are processing that data legally 

Conducting a thorough data audit will provide your business with the information it needs to identify weaknesses in your GDPR processes, areas that need to be changed or practices which may not be necessary.  

Does my business need a GDPR audit? 

If your business intends to comply with the GDPR, then carrying out a comprehensive privacy audit is crucially important. A data audit is the best way for a business to establish its compliance with GDPR laws. 

Article 5 of the GDPR sets out six data protection principles, together with an overarching accountability requirement that you must be able to demonstrate compliance with them: 

  • Lawfulness, fairness and transparency

  • Purpose limitation 

  • Data Minimisation 

  • Accuracy 

  • Storage limitation 

  • Integrity and confidentiality   

You must obtain, store and process personal data only in a lawful manner. Data must be collected for a specified, explicit purpose and held no longer than is necessary to achieve that purpose. The data you hold must be accurate, and you have an obligation to correct or erase data that is inaccurate. The data you hold must be protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures. 

A professional data audit will determine if you are doing everything correctly and lawfully.


What penalties do I risk by not being GDPR-compliant?

Not complying with GDPR data protection laws can have serious legal consequences, including significant fines: under the UK GDPR the ICO can impose penalties of up to £17.5 million or 4% of annual worldwide turnover, whichever is higher.  

Must small businesses comply with GDPR? 

If your business processes personal data then you will need to be fully compliant with GDPR, regardless of your size.     

Post Brexit GDPR - must I still comply? 

UK businesses still have to comply with GDPR laws after leaving the EU. The EU GDPR was retained in UK law as the ‘UK GDPR’, which sits alongside the Data Protection Act 2018. The best thing for any business to do is to follow good practice on data security to protect its data subjects, as well as itself.

Is a data audit a legal requirement? 

No, the GDPR does not legally require a business to complete a data audit, although Article 30 does require most organisations to keep records of their processing activities, which an audit produces as a by-product. An audit is the most reliable way of knowing whether your business is compliant. You must have a lawful basis for obtaining and storing personal data, and you must do so in an appropriate legal manner. An audit will help you assess and strengthen your GDPR processes (and thus avoid a heavy fine for non-compliance). 

Is a data audit difficult? 

An audit should be straightforward in most cases. The first audit will usually be the most difficult as data management will need to be mapped out. Further data protection checks will need to be undertaken periodically.  

A data auditor will ask several questions to obtain information necessary for the audit, including, but not limited to: 

  • What personal data does your company gather and store? 

  • How is the data collected? 

  • Why do you need to possess this data? 

  • How is the data stored? 

  • How is it secured? 

  • How long is it kept? 

  • How is the data used? 

What data is protected by GDPR? 

Data protection applies to personal data and, with stricter rules, to special category (sensitive) data such as sexual orientation, religious beliefs and political opinions. Some examples include: 

  • Bank details 

  • Names  

  • Addresses 

  • Email addresses 

  • Phone numbers 

  • Date of birth 

  • Employment details 

  • Sexual orientation 

  • Religious beliefs 

  • Political views 

Personal data is information that relates to an identified or identifiable living individual (a data subject), not to a company.  

Why should I use a professional GDPR data auditor? 

Putting your GDPR audit into the hands of an expert will ensure that a thorough and professional job will be done.  An expert will perform an objective assessment of your business regarding your data protection needs.  

  • We guarantee minimum disruption to your business. 

  • We will work with you and your staff to suit your schedule. 

  • Our GDPR consultants will tailor your GDPR strategy to create a personalised plan of action. 

  • Staff training can be provided so that the importance of data protection is understood, and costly errors are avoided. 

We offer a service that is cost-effective and time efficient. 

We will ensure your business achieves the necessary level of GDPR compliance and is able to easily maintain that legal status going forward. 

Objectivity means that your business will be assessed in the same way that a regulatory body would conduct a review. Our experts know exactly what is needed to establish and maintain your GDPR compliance. An external GDPR audit demonstrates that you have taken steps to ensure that your business is compliant. It shows that you take your GDPR obligations seriously.  

What does a data audit involve? 

The objective of a data audit is to assess your business to check if it is GDPR compliant. This will include looking at how data flows through your business and identifying potential flaws in your system that could lead to a data breach.  

Ensuring you are protecting data sufficiently is important, as is documenting your data flow so you can demonstrate your compliance. 

What happens if my organisation has a data breach?

A data breach is broadly defined under the GDPR: it includes the loss or destruction of personal data, data that has been unlawfully altered, and personal data that has been disclosed, deliberately or accidentally, to someone not entitled to see it. Examples include leaving a hard drive containing databases on public transport, or inadequate IT security controls that allow unauthorised access to personal data.   

If you become aware of a data breach, then you must take immediate action to contain the breach as well as take appropriate steps to remedy the situation. 

Will I need to contact the ICO? 

The Information Commissioner’s Office (ICO) must be notified, within 72 hours of you becoming aware of it, of any breach that is likely to result in a risk to the rights and freedoms of the individuals whose data is affected; where that risk is high, the affected individuals must also be informed without undue delay. Businesses should assess what types of breaches they may face, as well as the potential harm to individuals (financial loss, discrimination, etc.) those breaches could cause.  

You would be required to provide the ICO with information including: 

  • The type of breach, how it occurred and how many people are likely to be affected 

  • What the potential consequences of the breach are 

  • What actions you are taking to contain the breach and remedy the problem 

  • The contact details of your Data Protection Officer (or other contact point) 

How can I arrange a professional GDPR audit? 

Get in touch and let us know your GDPR needs. We will need to discuss your current procedures and ask questions about how you handle data and why. We will need to speak to members of your organisation who are involved in data collection. We will be able to discuss costs, work schedules and length of time necessary to complete the audit.  

What happens after the audit is complete? 

Once your GDPR audit has been completed we will be able to help you to create a plan to ensure your compliance. You may need to change your procedures, ensure your data is more secure, and appoint a data protection officer. You will then be secure in the knowledge that your business is GDPR compliant and you are able to demonstrate that with appropriate documentation.  

What to do next:

  • Please contact us now and let us remove the stress of managing data compliance in your business.  

  • We handle the complete scope of any data privacy requirement


Simple, straightforward and highly competitive costs for the UK’s leading privacy agency.

As with our ethos, our pricing structure is simple, straightforward and highly competitive!

We charge £125 per hour (plus VAT), per consultant, irrespective of the task, or engagement. This is highly competitive compared to other London GDPR consultancy services – why pay more for GDPR compliance, if you still have access to the experts?

When on site, our working day is 9am – 5pm. For site visits, reasonable subsistence expenses are charged; these are all agreed with you in advance. On large-scale projects, where our Global Privacy Consultants are engaged, fees are £1,250 + VAT.

Our hourly rates mean you only pay for EXACTLY the time we need for the task – our hours are recorded on timesheets, so we are fully accountable for time vs tasks!

At Privacy Helper, we pride ourselves on tailoring packages to suit your business – your needs and your budget.  That is why we don’t offer pre-packaged services that your business has to try and fit into.

Once we have conducted the data discovery phase, or reviewed your existing GAP analysis documents, we’ll propose a set number of days per month – based on the size of the business, the challenges you face and the amount of guidance you’ll need from us.

This resourcing model is perfect for most companies, as it offers you the flexibility to use our time intensively when the need arises, but to keep time to a minimum at other times. You remain in complete control of your budgets!


Why choose us?

Click here to find out why we are the UK’s #1 privacy consultancy.


How much will this cost?

Our pricing structure is simple, straightforward and highly competitive. Head over to our pricing page and take a look at our most popular packages.


What next?

Get in touch via our contact us page, tell us about your business and a member of our team will get back to you.

 

Other services you may be interested in from PRIVACYHELPER

GDPR Consultancy

Our Privacy Team consists of expert data protection consultants in the fields of IT & Technical, Legal, Records Management and Marketing.


Training

An effective, demonstrable training programme can be the difference between the ICO imposing a monetary penalty or not, even if your data privacy programme has only just started.


Marketing

Is your marketing activity legal? We can make sure it is.
