{"id":5554,"date":"2018-09-11T09:45:00","date_gmt":"2018-09-11T14:45:00","guid":{"rendered":"https:\/\/www.poweradmin.com\/blog\/?p=5554"},"modified":"2018-09-13T12:44:20","modified_gmt":"2018-09-13T17:44:20","slug":"5554-2","status":"publish","type":"post","link":"https:\/\/www.poweradmin.com\/blog\/5554-2\/","title":{"rendered":"GDPR Compliance Auditing Tips"},"content":{"rendered":"<p><span style=\"font-family: verdana, geneva, sans-serif; font-size: 14px; color: #000000;\"><strong>By Des Nnochiri\u00a0<\/strong><\/span><\/p>\n<p>\u00a0<\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333; font-size: 14px;\">Now that the General Data Protection Regulation (GDPR), drawn up by the European Union (EU), has finally come into effect, many of the affected organizations have been scrambling to keep up with the auditing and operational requirements of a compliance regime that\u2019s widely recognized as one of the most stringent and comprehensive regulatory frameworks ever devised for protecting data privacy.<\/span><\/p>\n<p>\u00a0<\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333; font-size: 14px;\"><a style=\"color: #333333;\" href=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2018\/08\/gdpr.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-5558 size-medium\" src=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2018\/08\/gdpr-300x200.jpg\" alt=\"\" width=\"300\" height=\"200\" srcset=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2018\/08\/gdpr-300x200.jpg 300w, https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2018\/08\/gdpr.jpg 350w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\"><\/a><\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333; font-size: 14px;\">Auditing has emerged as one of the primary obligations under the scheme since a \u201cthorough and exhaustive\u201d data and information audit of each 
affected business is only the first required step in achieving GDPR compliance. Compliance monitoring, auditing, and reporting must also be conducted on a more or less perpetual basis if an acceptable compliance status is to be maintained.<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333; font-size: 14px;\">\u00a0<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333; font-size: 14px;\">In this article, we\u2019ve assembled a set of recommendations and best practices to assist in this process.<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333; font-size: 14px;\">\u00a0<\/span><\/p>\n<h2><span style=\"font-family: verdana, geneva, sans-serif; font-size: 20px;\">Why Auditing is Necessary<\/span><\/h2>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: black;\">\u00a0<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333; font-size: 14px;\">At the heart of the GDPR is an attempt at getting individuals and organizations that routinely use personal data to treat this information more responsibly. To this end, the GDPR compliance framework sets out numerous conditions which must be met by those collecting and handling personal data, while establishing certain legal rights for the people whose data is being collected and handled.<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333; font-size: 14px;\">\u00a0<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; font-size: 14px; color: #333333;\">GDPR defines two major classes of data users to whom its terms apply. 
On the one hand are data controllers \u2013 the parties that decide why and how personal data is collected and used, and the primary beneficiaries of digital data gathering, <a style=\"color: #333333;\" href=\"http:\/\/mewburn.com\/gdpr-carrying-out-your-first-data-audit\/\" rel=\"nofollow\" target=\"_blank\"><span style=\"color: #0000ff;\">defined in legal terms<\/span><\/a> as \u201cthe natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.\u201d<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333; font-size: 14px;\">\u00a0<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333; font-size: 14px;\">On the other hand are data processors \u2013 the persons, agencies or other bodies which store, modify, and otherwise process personal data on behalf of a controller (typically their client) without themselves deciding the purposes of that processing. Processors carry their own obligations under the GDPR, including acting only on the controller\u2019s documented instructions and keeping their own records of the processing they perform.<\/span><\/p>\n<p>\u00a0<\/p>\n<p>\u00a0<\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333; font-size: 14px;\"><a style=\"color: #333333;\" href=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2018\/08\/gdpr2.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-5559\" src=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2018\/08\/gdpr2-300x129.jpg\" alt=\"\" width=\"325\" height=\"140\" srcset=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2018\/08\/gdpr2-300x129.jpg 300w, https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2018\/08\/gdpr2.jpg 350w\" sizes=\"auto, (max-width: 325px) 100vw, 325px\"><\/a>GDPR establishes legal rights for individuals in the EU (its \u201cdata subjects\u201d, whether or not they are EU citizens) in respect of their personal data, including the right of access to the data held about them, the right to have inaccurate data rectified, and, subject to the conditions set out in the regulation, the right to have their data erased entirely by the controller that holds it, with any processors holding copies obliged to assist. Substantial penalties apply to organizations that fail to meet the GDPR\u2019s conditions: administrative fines of up to \u20ac20 million or 4% of worldwide annual turnover for the preceding financial year, whichever is higher, on top of any compensation claims from the individuals affected.<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333; font-size: 14px;\">\u00a0<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333; font-size: 14px;\">Though it was drafted to protect individuals in the EU, the GDPR\u2019s terms reach well beyond Europe. It applies to any controller or processor established in the EU, wherever the processing itself takes place, and to organizations anywhere in the world that offer goods or services to, or monitor the behaviour of, people who are in the EU at the time their data is collected or processed, whether or not those people are EU citizens. This covers, for example, the card payment data of shoppers or business travelers while they are on a trip to Europe, and cloud services whose infrastructure is based in Europe, which are established in the EU and therefore within scope regardless of where their customers are.<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333; font-size: 14px;\">\u00a0<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333; font-size: 14px;\">GDPR is a complex legal framework that has accountability as one of its core principles: the controller is not only responsible for complying with the data protection principles but must be able to demonstrate that compliance. 
Auditing is how organizations monitor their privacy and compliance programs, measure their current level of compliance, check that procedures exist for every GDPR obligation that applies to them, and build the evidence needed to demonstrate due diligence to the supervisory authorities if a violation or data breach does occur.<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333; font-size: 14px;\">\u00a0<\/span><\/p>\n<h2><span style=\"font-family: verdana, geneva, sans-serif; font-size: 20px;\">Knowing Who\u2019s Involved<\/span><\/h2>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: black;\">\u00a0<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333; font-size: 14px;\">To begin the auditing process, it\u2019s first necessary to establish the \u201cchain of custody\u201d of the personal information your organization handles: an inventory that follows each category of personal data from the point of collection to the point of deletion. In other words:<\/span><\/p>\n<ol>\n<li><span style=\"font-family: verdana, geneva, sans-serif; font-size: 14px; color: #333333;\">What personal data does your organization hold, and about whom?<\/span><\/li>\n<li><span style=\"font-size: 14px; font-family: verdana, geneva, sans-serif; color: #333333;\">Where is this information stored, including backups and copies held by vendors?<\/span><\/li>\n<li><span style=\"font-size: 14px; font-family: verdana, geneva, sans-serif; color: #333333;\">What is the personal data routinely used for, and on what lawful basis?<\/span><\/li>\n<li><span style=\"font-size: 14px; font-family: verdana, geneva, sans-serif; color: #333333;\">Who has access to this data, and is that access limited to what their role requires?<\/span><\/li>\n<li><span style=\"font-size: 14px; font-family: verdana, geneva, sans-serif; color: #333333;\">How long is the information retained, and what happens when that period expires?<\/span><\/li>\n<li><span style=\"font-size: 14px; font-family: verdana, geneva, sans-serif; color: #333333;\">Is any data shared with external parties, including processors and recipients outside the EU \u2013 and if so, how, and under what contractual or legal safeguards?<\/span><\/li>\n<\/ol>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333; font-size: 14px;\">These answers map closely onto the records of processing activities that Article 30 of the GDPR requires controllers and processors to maintain (with only a narrow exemption for small organizations whose processing is occasional and low-risk), so capturing them in that form turns the inventory into a document a supervisory authority can ask to see.<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333; 
font-size: 16px;\">\u00a0<\/span><\/p>\n<h2><span style=\"font-family: verdana, geneva, sans-serif; font-size: 20px;\">Creating a GDPR Audit Plan<\/span><\/h2>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333;\">\u00a0<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; font-size: 14px; color: #333333;\">The information established in the previous step may then be used to create a <span style=\"color: #0000ff;\"><a style=\"color: #0000ff;\" href=\"https:\/\/www.csoonline.com\/article\/3290938\/compliance\/how-to-conduct-a-proper-gdpr-audit-4-key-steps.html\" rel=\"nofollow\" target=\"_blank\">GDPR compliance audit plan<\/a><\/span>, documenting the activities required, the parties responsible for carrying each one out, and the evidence each activity is expected to produce. As a guide, the management-system standards published by the International Organization for Standardization (ISO), such as ISO\/IEC 27001 for information security management, provide a well-understood structure for drawing up actionable plans of this kind. 
<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: black;\">\u00a0<\/span><\/p>\n<h2><span style=\"font-family: verdana, geneva, sans-serif; font-size: 20px;\">Systematically Discover GDPR Compliance Gaps<\/span><\/h2>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333;\">\u00a0<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333; font-size: 14px;\">Since much of the GDPR framework is concerned with the processes used in dealing with both private individuals and their data, the audit must take into account your existing mechanisms for data processing; for handling data subject requests (access, rectification, erasure and the rest, which must normally be answered within one month); for transferring data, particularly to countries outside the EU; for detecting and reporting personal data breaches, which must be notified to the supervisory authority within 72 hours of your becoming aware of them unless the breach is unlikely to result in a risk to individuals; for privacy protection and data protection by design; and for the technical and organizational security controls, which the regulation requires to be appropriate to the risk involved.<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333; font-size: 14px;\">\u00a0<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333; font-size: 14px;\">Each of these has the potential to fall short of the GDPR\u2019s requirements, so all of them must be checked for compliance gaps and errors, and each finding should record what was examined, what was expected, and what was actually found.<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333; font-size: 14px;\">\u00a0<\/span><\/p>\n<h2><span style=\"font-family: verdana, geneva, sans-serif; font-size: 20px;\">Document Your Findings<\/span><\/h2>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: black;\">\u00a0<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333; font-size: 14px;\">The results of this assessment should then be assembled into a report documenting your organization\u2019s ability (or otherwise) to comply with each of the GDPR\u2019s conditions, with the gaps found recorded against the specific obligation they relate to. 
This may take the form of an extensive review or be in a shorter format, such as a check-list, as long as it is dated, names the people who carried out the assessment, and is retained, since the report is itself evidence of accountability.<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: black;\">\u00a0<\/span><\/p>\n<h2><span style=\"font-family: verdana, geneva, sans-serif; font-size: 20px;\">Prioritize the Results<\/span><\/h2>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: black;\">\u00a0<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333; font-size: 14px;\">Any areas the report highlights as out of compliance with the GDPR should be prioritized by the weight the framework itself gives them and by the degree of risk they pose: first to the rights and freedoms of the individuals whose data is involved, which is the measure the regulation uses throughout, and then to your organization in terms of regulatory exposure and potential fines. Gaps that affect large numbers of data subjects, involve special categories of data such as health or biometric data, or would delay the detection or notification of a breach belong at the top of the list.<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: black;\">\u00a0<\/span><\/p>\n<h2><span style=\"font-family: verdana, geneva, sans-serif; font-size: 20px;\">Take Remedial Action<\/span><\/h2>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: black;\">\u00a0<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333; font-size: 14px;\">On the basis of this prioritized list of issues, you must then decide upon and take the necessary actions to put things right and bring your organization back into a GDPR-compliant state, recording each decision (including any gap you consciously accept for now, and why), since that record is part of demonstrating accountability. 
Note that this may require the allocation of budgetary resources, some reshuffling of your existing operations, and\/or the recruitment of additional skills.<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: black;\">\u00a0<\/span><\/p>\n<h2><span style=\"font-family: verdana, geneva, sans-serif; font-size: 20px;\">Test and Retest Your Remedies<\/span><\/h2>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: black;\">\u00a0<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: #333333; font-size: 14px;\">The new controls and remedial processes that come out of the audit must then be tested, and re-tested after a reasonable interval, to confirm that they have the desired effect both immediately and over the longer term in maintaining your GDPR compliance status. Test the process, not just the paperwork: submit a test data subject request and time the response against the one-month deadline, or run a breach-notification exercise against the 72-hour clock.<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: black; font-size: 16px;\">\u00a0<\/span><\/p>\n<h2><span style=\"font-family: verdana, geneva, sans-serif; font-size: 20px;\">Make GDPR Compliance Auditing a Continuous Process<\/span><\/h2>\n<p><span style=\"font-family: verdana, geneva, sans-serif; color: black;\">\u00a0<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif; font-size: 14px; color: #333333;\">Finally, the GDPR compliance auditing process must also be <a style=\"color: #333333;\" href=\"https:\/\/www.itgovernance.eu\/blog\/en\/3-tips-for-maintaining-gdpr-compliance\" rel=\"nofollow\" target=\"_blank\"><span style=\"color: #0000ff;\">repeated on a regular basis<\/span><\/a>, and again whenever your processing changes materially (a new system, a new vendor, a new purpose for existing data, or a new transfer outside the EU \u2013 changes which, where they carry high risk, also call for a Data Protection Impact Assessment). It serves not only as part of an ongoing program of monitoring and enforcement to ensure that your data privacy measures remain aligned with GDPR requirements, but also as a check that your privacy and compliance programs are functioning in tandem with your existing business 
processes.<\/span><\/p>\n<p><span style=\"font-size: 16px; font-family: verdana, geneva, sans-serif; color: black;\">\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>By Des Nnochiri\u00a0 \u00a0 Now that the General Data Protection Regulation (GDPR), drawn up by the European Union (EU), has finally come into effect, many of the affected organizations have been scrambling to keep up with the auditing and operational requirements of a compliance regime that\u2019s widely recognized as one of the most stringent and [&hellip;]<\/p>\n","protected":false},"author":15,"featured_media":5557,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[42,1],"tags":[48,47,23,26],"class_list":["post-5554","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-uncategorized","tag-auditing","tag-compliance","tag-data","tag-gdpr"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/5554","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/comments?post=5554"}],"version-history":[{"count":4,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/5554\/revisions"}],"predecessor-version":[{"id":5569,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/5554\/revisions\/5569"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media\/5557"}],"wp:attachment":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media?parent=5554"}],"wp:term":[{"taxonomy":"categ
ory","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/categories?post=5554"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/tags?post=5554"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}