If you need to know one thing about the GDPR, it’s this: every organisation that processes personal data must comply with it. Those who don’t risk investigation and possible enforcement from the ICO – the Information Commissioner’s Office. In the most severe cases, it may impose a fine of up to £17m, or 4% of your group turnover. The way to avoid that? A custom, independent audit. In this article we discuss custom audits in detail, and how you can get started with yours today.
One of the most challenging aspects of a custom GDPR audit is that every business is different: what’s relevant in one case isn’t always relevant in another. This makes applying lessons learned elsewhere difficult. However, an organisation’s responsibilities never change, and we can use these to make a start.
This is an important starting point because your data protection policy should, by design, fulfil your organisational responsibilities under the GDPR. These are set by the principles of the GDPR which lie at the heart of the Regulation.
Fines for non-compliance
The fines for non-compliance are huge. Under the now defunct Data Protection Act 1998, the maximum fine for non-compliance was £500,000. Under the Data Protection Act 2018, which implements the GDPR in the United Kingdom, the maximum fine for non-compliance is £17 million or 4% of group annual turnover (whichever is higher).
With this in mind, a GDPR audit will be essential for many organisations to ensure they identify any areas of non-compliance and implement a plan of remediation.
Enforcement action is imposed when data breaches and processing activity have risked, or could risk, the rights and freedoms of people associated with the organisation – personnel, clients, suppliers and other data subjects.
If you suffer a data breach, you are legally obliged to investigate the incident within 72 hours of its discovery and to report certain types of data breach to the ICO within this timescale. The ICO will then decide whether it should be formally investigated.
Your organisational responsibilities
Under the GDPR, your organisational responsibilities are:
· To implement measures that meet the principles of data protection by design and data protection by default
· To analyse and document the type of personal data your business collects, holds and processes, including low risk and high risk
· To maintain relevant documentation on processing activities
· Where appropriate, to appoint a data protection officer
· To check your procedures for processing personal data and make sure you enable the individual rights of data subjects
· To implement appropriate technical and organisational measures that ensure and demonstrate that you comply with the above
These are also essential prerequisites for demonstrating you comply with the GDPR. No organisation is immune to the GDPR, so the above responsibilities are relevant to everyone, whatever their industry, niche, background or legal structure. As such, these responsibilities should drive your custom GDPR audit.
The role of an audit is to provide an assessment of whether your organisation is following good data protection practice. Auditing your GDPR compliance will uncover issues with your existing policy which you can then rectify.
Depending on the needs of your organisation, your audit will cover the following areas:
· The scope and plan of your project
· Data protection governance, policies and procedures
· The processes you have for managing personal data
· The processes you have for responding to subject access requests
· The processes you have for dealing with personal data breaches
· The technical and organisational measures you have in place to ensure the adequate security of personal data
· The training and monitoring of staff with regards to data protection, and the culture of data protection within your organisation
The GDPR does not set out a checklist for auditing; instead, your audit will be custom to your organisation based on the scope and plan of your project. The direction it takes will be largely determined by the legal basis you have for processing, the type of data you process, the scale of that data and the number of data subjects.
If you do not have the means to perform your own audit, you can seek an independent audit from the ICO. The ICO will give you an ‘internal audit opinion’ and make recommendations on how to improve your processes and procedures.
If you are not happy with having the ICO in to audit your business, then we suggest you engage a professional organisation to perform a gap analysis. They will identify all areas of non-compliance and provide a project plan of remediation to close these gaps and ensure the organisation’s processing activities reflect the demands of the GDPR.
Appoint a DPO
Your organisation will be legally required to appoint a DPO if it is a public authority (excluding courts acting in a judicial capacity), if your organisation's core activities require the regular and systematic monitoring of individuals on a large scale, or if your organisation's core activities involve the large-scale processing of 'special categories' of personal data. This is set out in Article 37 of the GDPR.
If you are not obligated to appoint a DPO, you may do so anyway, and this will be a good move if your processing needs are complex.
The data protection officer’s role is to inform and advise you on your processing activities. They will audit your processes and recommend the next steps your organisation should take for compliance. Whether you are at the beginning of your strategy or in the middle of it, the value a DPO will bring to your organisation will be immeasurable.
Now that you have four ways to approach a custom audit (by yourself, with the ICO, with an external consultancy, or with the help of a DPO), you have several ways to demonstrate accountability.
A custom audit is essential to implement measures that meet the principles of data protection by design and data protection by default. Running an audit really is a no-brainer for every organisation, big and small, so get started.