GDPR Compliance Auditing Tips

By Des Nnochiri 


Now that the General Data Protection Regulation (GDPR), drawn up by the European Union (EU), has finally come into effect, many of the affected organizations have been scrambling to keep up with the auditing and operational requirements of a compliance regime that’s widely recognized as one of the most stringent and comprehensive regulatory frameworks ever devised for protecting data privacy.


Auditing has emerged as one of the primary obligations under the scheme since a “thorough and exhaustive” data and information audit of each affected business is only the first required step in achieving GDPR compliance. Compliance monitoring, auditing, and reporting must also be conducted on a more or less perpetual basis if an acceptable compliance status is to be maintained.


In this article, we’ve assembled a set of recommendations and best practices to assist in this process.


Why Auditing is Necessary


At the heart of the GDPR is an attempt at getting individuals and organizations that routinely use personal data to treat this information more responsibly. To this end, the GDPR compliance framework sets out numerous conditions which must be met by those collecting and handling personal data, while establishing certain legal rights for the people whose data is being collected and handled.


GDPR defines two major classes of data users to whom its terms apply. On the one hand are data controllers – the primary collectors and beneficiaries of digital data gathering, defined in legal terms as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”


On the other hand are data processors – the individuals or agencies which modify, store, and manipulate information on behalf of their clients (who are the data controllers).


GDPR establishes legal rights for EU citizens and residents in respect of their personal data, including rights of access, the ability to have it altered on demand, and to have it deleted entirely by the data controller or processor that’s acquired it. Substantial penalties and sanctions are applicable to organizations or individuals that don’t meet the GDPR’s stringent conditions.


Though it’s been drafted in respect of EU individuals, the GDPR’s terms apply to anyone, anywhere, who has reason to deal with the personal information of EU citizens or of any individuals who are in the EU at the time their data is collected or processed. This would include data about shoppers or business travelers who use a credit card while on a trip to Europe, and cloud services whose infrastructure is based on that continent.


GDPR is a complex legal framework that has accountability as one of its core principles. Auditing is necessary for organizations to monitor their privacy and compliance programs, assess compliance levels, check that procedures are in place to deal with all the GDPR tasks and conditions required, and to demonstrate due diligence to GDPR regulators in the case of any violations that occur.


Knowing Who’s Involved


To begin the auditing process, it’s first necessary to establish the “chain of custody” associated with the personal information your organization handles. In other words:

  1. What information does your organization hold?
  2. Where is this information stored?
  3. What is personal data routinely used for?
  4. Who has access to this data?
  5. How long is the information retained?
  6. Is any data shared with external agencies – and if so, how, and under what conditions?


Creating a GDPR Audit Plan


The information established from the previous step may then be used to create a GDPR compliance audit plan, documenting necessary activities and parties responsible for implementing the GDPR’s requirements. As a guide, the International Standards Organization (ISO) publishes a set of templates, including one for drawing up actionable plans such as this.


Systematically Discover GDPR Compliance Gaps


Since much of the GDPR framework is concerned with the processes used in dealing with both private individuals and their data, the audit process must take into account your existing mechanisms for data processing, dealing with information access requests, the transfer of information, privacy protection, and technical and security controls.


Each of these has the potential to fall short of the GDPR’s requirements, so all of them must be checked for compliance gaps and errors.


Document Your Findings


The results of this assessment should then be assembled into a report documenting your organization’s ability (or otherwise) to comply with the various GDPR conditions. This may take the form of an extensive review or a shorter format, such as a checklist.


Prioritize the Results


Any areas highlighted by the report as being out of compliance with GDPR should be prioritized for their level of importance within the framework and according to the degree of risk they pose to your organization.


Take Remedial Action


On the basis of this prioritized list of issues, you must then decide upon and take the necessary actions to put things right, and bring your organization back into a GDPR-compliant state. Note that this may require the allocation of budgetary resources, some reshuffling of your existing operations, and/or the recruitment of additional skills.


Test and Retest Your Remedies


The new controls and remedial processes determined by the auditing process must then be tested and re-tested to ensure that they have the desired short- and longer-term effects in maintaining your GDPR compliance status.


Make GDPR Compliance Auditing a Continuous Process


Finally, the GDPR compliance auditing process must also be repeated on a regular basis – not only as part of an ongoing program of monitoring and enforcement to ensure that your data privacy measures align with GDPR requirements, but also to ensure that your privacy and compliance programs are functioning in tandem with your existing business processes.
