How to Audit for GDPR Compliance?

Auditing for GDPR Compliance

Conducting regular General Data Protection Regulation (GDPR) compliance audits is a necessity for any business subject to this wide-reaching data protection legislation. Helping not only to avoid the substantial penalties associated with non-compliance, but to also better understand how it is your organisation works with personal data.

Allowing you to discover risks and flaws in your operation, regular GDPR compliance audits demonstrate to regulators the reasonable steps you have taken in maintaining compliance and your efforts to improve overall security.

While regular GDPR compliance audits are crucial, many organisations still require some guidance regarding how to effectively examine their operation and evaluate if the required standards are truly being met. As such, below are six questions to ask when starting the process of auditing your organisation for GDPR compliance.

1) What are the Rights of Your Data Subjects?

To start this process, it is a good idea to first consider the fundamentals that underpin the GDPR. Accordingly, you must be informed about the rights of data subjects. As well as rights related to automated decision making, including profiling (further information about this can be found here), the following are the rights afforded to individuals under the GDPR:

• To be informed

• To object

• To data portability

• To rectification

• To erasure

• To restrict processing

• To access

2) What Types of Personal Data Do You Collect?

In addition to the individual rights, an essential step is clarifying the data you collect and how different types are defined according to the GDPR. GDPR classifies personal data into two categories.

The first category of personal data is the basic information that can help in individual identification and includes:

• Subject names

• IP addresses

• Identification numbers

• Physical addresses

• Phone numbers

• Location data

• Email addresses

The second is defined as 'special categories of personal data'. More sensitive in nature, and therefore requiring of a higher level of protection, this 'special category' includes personal data relating to an individual's:

• Race

• Ethnic origin

• Political opinions

• Religious or philosophical beliefs

• Trade union membership

• Genetic or biometric data (where this is used for identification purposes)

• Health data

• Sex life; or

• Sexual orientation

3) How Do You Collect this Data?

Write down your sources for the subject data you collect, ideally documenting whether you collected the data from third parties or directly from the data subjects.

You should be able to differentiate the methods used to gather this data and be able to show proof that the consent of the data subject was obtained for the collecting and processing of their data. Additionally, be sure to document that the data subjects were aware of your data policy at the time of collection.

4) Why Do You Hold This Data?

When considering the personal data being held, as well as the processing of this data, organisations must have a valid lawful basis for doing so. The lawful basis must be determined before any personal data is processed.

There as six lawful bases that can be used: legitimate interests, consent, contract, legal obligation, vital interests, or public task. Accordingly, organisations are required to document the purposes for collecting personal data.

For instance, you may indicate that you collect and store the information for service maintenance purposes, product development or improvement, and system maintenance, among others. You should also be able to show proof of the exact purpose for gathering this data and the lawful basis for using it.

5) How Long Do You Retain Data?

Generally known as 'storage limitation', the GDPR clearly states that without a valid basis, personal data held by organisations cannot be held indefinitely, and must only be kept for as long as the stated purpose requires.

Depending on your purpose, how long you retain data will vary, though you are required to produce a policy setting standard retention periods wherever possible in order to comply with documentation standards.

It is also worth noting that the UK's data protection regulator, the Information Commissioner's Office (ICO) recommends that periodical reviews into the data you hold should be conducted, as well as the erasure of data that is no longer needed.

6) What are Your Data Protection Policies?

By documenting and communicating what people need to do and why, policies and procedures provide clarity and consistency to your data protection efforts.

Where proportionate, the GDPR specifically requires these policies to be in place, and though their required level of detail varies, the policies are an essential step in complying with legal obligations.

Put clearly, the data protection watchdog (ICO) asserts that you are required to have policies and procedures which "ensure data protection issues are considered when systems, services, products and business practices involving personal data are designed and implemented, and that personal data is protected by default."

Additionally, one of the most important aspects of your data protection policy should be staff awareness, with the data authority stating that staff are required to have read and understood these policies, as well as updating staff as to any changes made to these documents.

GDPR Compliance

With potential fines for GDPR non-compliance currently set at £17.5 million or 4% of annual global turnover, whichever is greater, as well as the potential reputational costs, it has never been as important for organisation to ensure they are meeting data protection standards.

Both legally and ethically, the protection of personal data is the responsibility of any organisation dealing with this form of information. By asking these questions and completing regular audits, your organisation helps to ensure that individuals, clients, and staff can trust you to use their information fairly and responsibly.