Auditing for GDPR Compliance - Guest Blog

You must do regular (GDPR) compliance audits if your business is subject to the EU General Data Protection Regulation (GDPR) policies. It will help you ascertain that your organization meets the EU GDPR obligations and avoid possible penalties.

Regular GDPR compliance audits will also help you discover risk profiles or flaws in your programs. You can then use reports from past audits to show the regulators the reasonable steps that you took to patch the risks just in case these issues are put under scrutiny, or any violations occur.

While regular GDPR compliance audits are crucial, many organizations still struggle to comply with these regulations. According to a recent GDPR.eu report, around 86 percent of businesses were either fully compliant or mostly compliant.

Only 44 percent were sure that they were fully transparent when it came to sharing with their data subjects how they collect and process their data. Another 44 percent were not sure whether they usually obtained consent from their data subjects or used lawful approaches when it came to gathering or processing these data.

Here are a few questions to guide you when auditing your business for GDPR compliance.

1. What are the Rights of Your Data Subjects?

You must be informed about the rights of your data subjects. According to GDPR, your data subjects have the right;

• To be informed.
• To object.
• To data movement.
• To data rectification.
• To data erasure.
• To put restrictions on how you process their data.
• To be allowed access and others.

2. What Types of Personal Data Do You Collect?

To have more precise information on the types of personal data that you collect, you must understand first the types of data that qualify to be classified as personal data according to GDPR. The GDPR classifies personal data in two categories. 

The first category is the ‘basic information’ that can help in individual identification and includes;

• The subject names.
• IP addresses.
• Social Security Numbers (SSN).
• Physical Addresses.
• Phone numbers.
• ID Numbers.
• Email Addresses.
• Cookies.

The second category is classified as ‘Special information’, and it pertains to;

• Religious inclinations.
• Political opinions.
• Ethnic or racial origins.
• Gender or Sexual Identity.
• Health information.
• Union activity.

3. How Do You Collect these Pieces of Data?

Write down your sources for the subject data you collect. It would be best if you documented whether you collected the data from third parties or directly from the data subjects.

You should be able to differentiate the methods you use to gather these data and be able also to show proof that you had the consent of the data subjects before collecting or processing their data. Finally, be sure to note down whether you made your data subjects aware of your data policy.

4. Why Do You Hold This Data?

Document your purposes for collecting and the data you collect. For instance, you may indicate that you collect and store the information for service maintenance purposes, product development or improvement, and system maintenance, among others.

It would help if you also considered why you need the data in the first place and document it too. Write down whether you need it (currently) and for what purpose. You should also be able to show proof of the exact purpose for gathering these pieces of data and the lawful basis for using them.

5. How Long Do You Retain these Pieces of Information?

The GDPR policies also require that you indicate the timeframe that you store the pieces of information you collect and show the legal basis for retaining the data. However, there isn’t a clear definition of how long you should keep your subjects’ data. 

Ideally, the GDPR obligations require that you immediately dispose of the confidential pieces of information you hold after they’ve served the purpose you collected them for. Because of this, individual businesses must decide what’s relevant or essential for them, considering that organizations have varied needs and one rule won’t be fair to all logically.

In considering how long you store the information, therefore, you should use these aspects to guide you;

• The privacy implications and possible costs of storing the data for extended periods.
• The simplicity in keeping it accurate and up to date.
• The current and future value of the data.

6. How Do You Keep These Pieces of Data or what are Our Data Protection Policies?

You should be able to document the times you gathered the information, how you collected them and most importantly, how you store it. You should have robust policies in place to safeguard the data and access to it. Finally, it should be easily accessible and secure in terms of encryption technologies you’ve used on it.

7. Who is the Data Protection Officer (DPO)

Who is the person who handles the data? Is it necessary to have a DPO and have your organization positioned this role appropriately? Check to ascertain if your DPO can deliver against the requirements laid down by the EU GDPR.

8. Process Analysis. What to be Done to Ensure that Your Data Gathering and Processing is GDPR Compliant

All processes that involve the processing of personal data should be guided by robust processing principles to ensure that they’re GDPR compliant. You should check to see if there could be any processes where Data Protection Impact Assessment (DPIA) is a must. Be sure also to identify other methods that the DPIA can be necessary when it comes to establishing the data protection guidelines by default and design.

Over to You

On the baseline, it’s possible to imagine that it is not easy to perform regular data audits. Theoretically, performing a data audit isn’t tricky, but it can be a tedious process if you’re doing it for a large organization.

If you don’t understand certain things, it would be better having an auditor do all these audits for you. Before that, however, you should know what’s looked into. We hope this guide help you understand the core aspects that are looked into during EU GDPR audits for businesses.

About the Author:  Jordan MacAvoy is the Vice President of Marketing at Reciprocity Labs and manages the company’s go-to-market strategy and execution. Prior to joining Reciprocity, Mr. MacAvoy served in executive roles at Fundbox, a Forbes Next Billion Dollar Company, and Intuit, via their acquisition of the SaaS marketing and communications solution, Demandforce.