GDPR Audit

12 December 2022

As an employer, you may have to store personal data within your company. This is typically the private details of your customers, clients or employees. Even someone visiting your website can provide you with their personal information, so you must keep it safe at all times.

Failure to do so can lead to a large data breach, which can mean a loss of customers and heavy fines to pay. So it's vital you carry out a GDPR audit to ensure this doesn't happen in your company.

In this guide, we'll discuss what GDPR audit is, what's covered by them, and the benefits of carrying one out.

What is GDPR?

General data protection regulation (GDPR) is legislation that outlines data protection laws.

The regulations ensure companies who collect personal data, store and process them legally. This is usually on customers or clients within the business. So you need to be aware of what sort of customer data is protected by this legislation.

What data is protected by GDPR?

If you're a controller and have means of processing personal data, then GDPR applies to you. A controller is a person who makes decisions regarding the personal data of your customers or clients.

If your organisation collects or stores personal data of any type from UK or EU citizens, you need to comply. This includes:

  • Bank details.
  • Name and date of birth.
  • Contact details.
  • Employment details.
  • Sexual orientation, religious beliefs, and political views.

The regulations brought in new rights for individuals whose data is being stored. This includes the right to erasure, the right to restrict processing, and the right to request the transfer of data to another controller (data portability).

Essential GDPR terms

To ensure you're doing all you can to protect personal data, you need to understand the essential terms that surround GDPR.

So, let's discuss them in more detail:

Personal data

Personal data is any information that is related to a person (a data subject) and not a company. This form of data is made up of several pieces of different information, that when put together can identify a specific person.

Special category data

Sensitive personal data is a special type of data which are subject to additional safeguards. For example, health-related data.

To store this kind of data, you must need a lawful basis and separate condition for processing special category data

Data processing

Data processing is any activity or operation that is carried out to do with personal data. This is arguably the most important part of GDPR as the wrong processing can cause a data breach.

You need to make sure your processing of personal data is lawful. 

What is a GDPR compliance audit?

Under UK GDPR, companies are obliged to regularly check they comply with the regulations. This involves looking for potential risks, and finding how they can be reduced. Carrying out an audit is the best way of doing this.

A GDPR compliance audit is a full examination and independent assessment of a company's data handling. They help to implement the following regulations:

  • UK GDPR.
  • The Data Protection Act 2018.
  • The Privacy and Electronic Communications Regulations Provisions.

Conducting an audit is a good foundation for a company to organise its data protection compliance.

Are GDPR audits a legal requirement?

No, GDPR audits aren't a legal requirement in the UK. However, it's good practice to take the legalities surrounding data security seriously.

If a claim is raised against you following a data leak in the future, carrying out an audit will support you.

Why is a general data protection audit important?

A GDPR audit is the only way you can be sure that your business is compliant with the regulations. You must have a lawful basis for each processing activity involved. An audit will help you demonstrate it.

The audit will help establish the following:

  • The reason why you're collecting personal data.
  • What personal data you're collecting.
  • Why do you need to store that data.
  • How that data is being stored and processed (consensual, contractual, or a legal obligation).
  • How long is the data kept for.

As an employer, you must have a lawful basis for storing personal data. And, carrying out a data audit will help you pinpoint what changes are needed to make GDPR compliance easier. You must take a risk-based approach to all your data handling.

What are the benefits of conducting a GDPR audit?

There are many benefits that conducting a GDPR audit can bring to your company. So as an employer, you need to be familiar with them:

  • Strengthens your GDPR processes.
  • Allows you to make changes to your data storage processes and avoid breaches.
  • Increases customer confidence in you.
  • Prevents large fines and legal trouble in the future.

You also need to understand when you need to carry out an audit in your company.

When do you need to carry out a GDPR audit?

If your business handles data for a specific purpose and needs to follow GDPR rules, then an audit is critically important. There are six key areas a GDPR audit covers in data protection.

The six data protection principles are as follows:

  • Lawfulness, data transparency, and fairness.
  • Data purpose limitation.
  • Data minimisation.
  • Data storage limitation.
  • Confidentiality and integrity.

As an employer, you need to understand how to carry out an audit within your company. You must ensure compliance with data protection at all times.

 two people discussing confidential documents

How to carry out an audit?

Although there's no specific way an audit should be carried out, you should aim to cover everything to do with data protection.

The following is a GDPR compliance audit checklist that includes the areas that you should cover.

Risk management

You must take a risk-based approach to your audit. This includes implementing appropriate technical and organisational measures to protect personal data, which involves conducting a DPIA.

DPIA stands for data protection impact assessment. They are a type of risk assessment that helps to identify the risk and effects of processing data incorrectly. For example, a large data breach can lead to the leakage of customers' personal data, along with reputational damages.

Ensure top-level support for GDPR

A GDPR compliance project needs the support of everyone in the company. Without the whole company's support and backing, it's difficult for you to comply with regulations.

An audit will help determine the size of the project to see if it's realistic and achievable for your company.

Appointing a data protection officer

The regulations require the appointment of a data protection officer (DPO) if the following criteria are met:

  • If the data processing is carried out by a public authority or body.
  • If the organisation's core activities require regular and systematic monitoring of data subjects on a large scale.
  • If the organisation's core activities involve the processing of special categories data or data relating to criminal offences on a large scale.

It's good practice to appoint a DPO even if your company doesn't fit any of the above criteria.

The DPO should be an expert on all things data protection. Their job is to constantly monitor GDPR compliance, assess data protection risks, and advise you on data protection impact assessments.

Examine your roles and responsibilities

The audit allows you to fully examine all your roles and responsibilities to do with GDPR. This includes training, any measures put in place, as well as the effectiveness of your onboarding and offboarding processes.

This may highlight any changes that need to be made.

Process analysis

The audit helps to establish each process that involves personal data, and whether the processes you have in place are legal. You should maintain records of all processing activities, doing so can prove crucial in the future.

The analysis must be thorough and examine every process to do with personal data.

Creating protection data documents

An audit will help you to create the correct data protection documents needed to reduce the potential risk of data breaches. How many you require will depend on the size of your company. This documentation will include:

  • Your data protection policy.
  • Your data breach notification procedure.
  • Any subject access request forms.
  • Your DPIAs.
  • Privacy notices.
  • Any data consent forms.

This can be done via a Private security management system (PIMs). PIMs are aligned with IS0 27701, which specifies the requirements for a PIMs.

Implementing security measures

You must implement security measures to protect personal data, this is done via an information security management system (ISMS).

An ISMS should include a review of the methods for testing your data security, established cyber security, standards and codes of practice. ISMS requirements are stated within ISO 27001:2013.

Following the rights of data subjects

Throughout the audit, you must remember the rights of the people whose data you're storing. Your processes and security measures must ensure you're following the below:

  • The right to be informed.
  • The right of access.
  • The right of rectification.
  • The right to erasure.
  • The right to restrict processing.
  • The right to data portability.
  • The right to object.
  • Rights concerning automated decision-making and profiling.

In essence, a customer has the final say on what happens to any of their data.

two female employees talking next to a laptop

Who can carry out a data audit?

You need to be aware of who can carry out a data audit in your company. Anyone who has appropriate knowledge or experience can carry out these audits.

These tend to be data protection officers, data protection coordinators, or IT security officers. You can choose to appoint in-house staff or external providers.

What happens if you don't conduct a GDPR audit?

It's a legal requirement to abide by the regulations, non-compliance can lead to serious legal trouble for your business. Companies that don't abide by GDPR regulations or suffer a data breach, can be hit with extremely heavy fines.

So conducting an audit can help protect yourself against future data breaches, whether by mistake or intentionally.

You must be able to demonstrate compliance if required. All employers should provide staff awareness training regarding data protection. This training should make your employees aware of how to avoid a data breach, and what can potentially happen if it occurs in your company.

What to do if you have a data breach?

A data breach is when personal data is stolen, taken without your knowledge, lost or disclosed by accident.

If you become aware of a possible breach within your company, you need to take immediate action. Firstly, you need to assess what type of breaches you're facing as well as the potential risks. These can range from financial loss to discrimination.

You're required to make the Information Commissioners Office (ICO) aware of the breach, withing 72 hours where feasible. You must also share the following information:

  • The type of breach, how it happened, and how many people will be affected.
  • What the potential consequences of the breach are.
  • What actions you are taking.
  • The full contact details of the data protection officer.

Get expert advice on GDPR audits from Peninsula

As an employer, you may have to store the personal data of your clients and customers. This can range from their contact, employment, or health details. Even someone visiting your website can provide you with their information, and you're responsible for keeping that data safe.

Failure to do so can lead to a large data breach, which can mean a loss of customers, and heavy fines to pay. So it's vital you carry out and GDPR audit to ensure this doesn't happen in your company.

Peninsula offers you expert 24/7 HR advice and support, helping you to protect your employees personal data Contact us on 0800 028 2420

 

 

Suggested Resources