Data protection audit
The GDPR (General Data Protection Regulation) and DPA (Data Protection Act) 2018 have introduced many new obligations for UK organisations that process personal data. Compliance is critical to avoiding the Regulation’s penalties.
A data protection audit will determine whether your controls, policies and procedures meet the requirements of the GDPR and DPA 2018 and, if not, where they need to be improved.
GDPR audit checklist
A GDPR audit should cover the following ten areas:
1. Data protection principles
Under the Regulation, personal data must be processed according to six principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
These are underpinned by the principle of accountability. If you are a data controller, you must keep certain records in order to demonstrate your compliance.
An audit should consider the extent to which data protection accountability, responsibility, policies and procedures, performance measurement controls and reporting mechanisms are in place and operating throughout your organisation.
2. Risk management
The GDPR mandates that organisations take a risk-based approach to implementing ‘appropriate technical and organisational measures’. In certain circumstances this includes conducting DPIAs (data protection impact assessments) – a type of risk assessment that identifies the risks a processing activity poses to personal data and the likely effects of that processing.
An audit should examine whether privacy risk is included in your corporate risk register, what corporate arrangements for privacy risk management are in place, to what extent the corporate risk regime incorporates information-specific risks, and which risks to the rights and freedoms of natural persons are addressed.
3. GDPR project
Without board-level support, your compliance project is much more likely to run into difficulties. Complying with the GDPR requires effort across the whole organisation, and must be led from the very top.
An audit should examine the extent to which an appropriately staffed, funded and supported GDPR project is both in place and capable of delivering realistic objectives.
4. DPO (data protection officer)
The GDPR requires the appointment of a DPO:
- Where processing is carried out by a public authority or body;
- Where the organisation’s core activities require regular and systematic monitoring of data subjects on a large scale; or
- Where core activities involve large-scale processing of sensitive personal data or data relating to criminal convictions or offences.
In many cases, it is desirable to appoint one irrespective of the legal requirement to do so, although the DPO has the same legal status whether the appointment is voluntary or mandatory.
An audit should determine whether a DPO is mandatory and has been appointed. If there is a DPO, the audit should also examine whether the role is positioned appropriately and the individual is capable of delivering against the GDPR’s requirements.
5. Roles and responsibilities
An audit should examine the extent to which roles and responsibilities are defined and established throughout the organisation, and consider the training and awareness measures that are in place – and records of their deployment and effectiveness – as well as the onboarding and offboarding processes.
6. Scope of compliance
It is essential that your scope of compliance is clearly defined.
It should take account of all the data processing in which your organisation has a role, whether as a data controller or as a data processor, as well as any data-sharing activity. In order to determine the scope of compliance, you should identify all the databases that hold personal data, all processing activities and all extraterritorial/cross-border processing.
An audit should examine these activities.
7. Process analysis
Article 30 requires controllers to maintain records of all processing activities under their responsibility.
An audit should examine these records to determine the extent to which each of the data processing principles is established for each process that involves personal data, taking account of the lawful bases for processing, any processes for which a DPIA is mandatory, and for which processes a DPIA might help establish data protection by design and by default.
8. PIMS (personal information management system)
There is a wide range of documentation that is necessary to demonstrate compliance with the GDPR, such as a data protection policy, a data breach notification procedure, subject access request forms and procedures, DPIAs and consent forms. The scale of the documentation should be appropriate to the size and complexity of your organisation.
A PIMS will organise that documentation appropriately, and should also address staff awareness training. BS 10012:2017 is the British standard that specifies the requirements for a PIMS, and is aligned with the requirements of the GDPR.
9. ISMS (information security management system)
Are appropriate technical and organisational measures in place to ensure the adequate security of personal data held in hard copy or electronic form, or processed through your systems? An audit of this area should include a review of the methodologies used to test security, and of any established cyber security certifications, standards and codes of practice the organisation follows.
The international standard ISO 27001:2013 sets out the requirements of an ISMS, against which organisations can achieve independently audited certification to demonstrate their compliance.
10. Rights of data subjects
Under the GDPR, data subjects have the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making and profiling
To what extent have you implemented processes that enable you to both facilitate and respond to data subjects exercising any or all of these rights?