Time to audit data compliance?

Two screens on a desk containing data spreadsheets

Date

We’re nearly a year since the frantic preparations for GDPR. How is it all going? Should we be checking? Should we audit data compliance?

Why do I need to complete a data compliance audit?

An audit allows an organisation to understand whether it is complying with the requirements of the Data Protection Act 2018, GDPR and PECR. Art 5(2) of GDPR states that

“The Controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 [the principles]”.

This is often referred to as the ‘accountability’ principle – completing and audit will allow an organisation to demonstrate accountability with the principles.

If the worst happens, and your organisation does suffer a data breach, the ability to demonstrate that you have completed regular audits and reviews of your data protection arrangements may assist in mitigating against a GDPR fine.

Data protection compliance is an ever evolving journey and not a destination. Audits allow organisations to assess any gaps in compliance and any improvements that can be made.

Initial Audit/GAP Analysis

If you haven’t already completed one, its a good idea to start with a full audit/GAP Analysis to benchmark the current level of compliance within your organisation. This audit will then form the basis of any improvements.

You should consider:

  • Do you have the relevant policies and procedures?
  • Have you completed a data audit, clearly documenting what personal data you process and the legal basis for processing it?
  • Do you have up to date data flow maps showing how data moves through your organisation?
  • Do you have a process for dealing with data subject requests within one month?
  • Do you have a process for dealing with data breaches and incidents?
  • Have you updated your contracts of employments and issued a privacy notice to all employees detailing how their data will be processed?
  • Do you have contracts in place with anyone who processes data on your behalf?
  • Do you have training scheduled or already completed?
  • Do you have a culture of privacy by design and default including a DPIA process?

Annual Compliance Audit

Once you have completed the work identified in your initial audit, the annual audit should be a much shorter exercise. The aim of this exercise is to test your process and controls to provide assurance that your organisations policies are being followed and to identify any improvements that can be made.

For an annual audit you should consider:

  • Are your policies and procedures up to date?
  • Do they reflect any process changes which have taken place?
  • Refresh your data audit – are your data flow maps up to date?
  • Is your Data Retention Policy being followed – ask IT to check whether you are holding data that should have been deleted?
  • Are data subject requests being responded to within one month?
  • Are data subject complaints being responded to promptly?
  • Is training up to date?Is there a good level of employee awareness?
  • Do you have contracts in place with all your data processors?

Report to the Board

Following the annual audit, you may want to complete a report to the Board detailing the findings together with MI on the number of data subject requests, data related complaints, breaches, incidents and any contact with the ICO.

How can Teal Compliance help?

Our Teal experts can help you with any aspect of data protection compliance, from carrying out a gap analysis, assisting you with a data audit or creation of policies/procedures to carrying out an independent annual audit. This can be done as a stand alone piece of work or as part of our DPO support service. Get in touch with our experts today.

More
articles

Testimonial from Right Legal
"We have been using Teal to support our compliance frameworks, and every aspect of our experience with them has been fantastic. From the training to the audits, and especially the ‘Ask Teal’ helpline, nothing is too much trouble, and you get quick support from some of the industry’s best compliance experts. Just having them there to support our continued growth takes a huge weight off my mind. Highly recommend to firms of all size and structure!"
Get in touch
Testimonial from Constantine Law
"We rely on Teal Compliance to provide responsive, practical compliance services to Constantine Law (we do not have an in-house compliance officer/function). I would encourage all solicitor firms without their own resource to engage with Teal: they know what they are doing and they provide peace of mind regarding day-to-day compliance matters as well as responses to unforeseen (tricky) compliance matters. They have become an indispensable partner to Constantine Law in our growth journey."
Get in touch
Testimonial from Streathers Solicitors
"We have worked with Teal for several years. They have provided us with AML training and also helped us put together our firm-wide AML risk assessment and our updated AML policy, along with assisting us with various issues as and when they arose. We have always found them to be very helpful, friendly, responsive and knowledgeable, and are happy to recommend them."
Get in touch
Testimonial from Streathers Solicitors
"We have had a relationship with Teal for a number of years and they have provided a valuable resource to our compliance team. Teal combine the delivery of a personal and friendly service with city level expertise."
Get in touch