Why conduct a data audit?
The primary reason to conduct a data protection audit is to discover whether your business is currently abiding by GDPR laws. An important first step towards GDPR compliance is for a business to determine what data it holds and where.
A data audit will establish:
- What personal data you are collecting
- The reason you are collecting that personal data
- How that data is being stored and processed
- Whether or not you are processing that data lawfully
Conducting a thorough data audit will provide your business with the information it needs to identify weaknesses (the gaps!) in your GDPR processes – areas that need to be changed or practices which may not be necessary.
Does my business need a GDPR audit?
If your business intends to comply with the GDPR, then carrying out a comprehensive privacy audit is the first step. A data audit is the best way for a business to establish its compliance with GDPR laws.
The GDPR outlines seven data protection principles:
- Lawfulness, Transparency, and Fairness
- Purpose Limitation
- Data Minimisation
- Accuracy
- Storage Limitation
- Integrity and Confidentiality
- Accountability
You must obtain and use personal data in a fair and lawful manner.
Personal data must be stored no longer than is necessary.
Data must be collected for a specified purpose and held only long enough to achieve that purpose.
The data you hold must be accurate and you have an obligation to update or remove data that is inaccurate.
The data you hold must be protected against unlawful usage or accidental loss.
Appropriate methods must be used to securely maintain the data that you hold.
A professional data audit will determine if you are doing everything correctly and lawfully.
What penalties do I risk by not being GDPR-compliant?
Not complying with GDPR data protection laws can have serious regulatory consequences including notices of enforcement, fines and an order to stop processing – devastating if your business relies on the activity to operate.
Must small businesses comply with GDPR?
If your business processes personal data then you will need to be fully compliant with GDPR, regardless of your size.
Post-Brexit GDPR – must I still comply?
UK businesses must still comply with GDPR laws even after leaving the EU.
Existing data protection legislation has been merged with new regulations to create a new ‘UK GDPR’ framework. The best thing for any business to do is to follow good practices to protect its individual data subjects, as well as itself.
Is a data audit a legal requirement?
No, the GDPR does not legally require a business to complete a data audit. An audit, however, is the only way of knowing if your business is compliant and if not, where the gaps are so they can be promptly and efficiently corrected.
You must have lawful reasons for obtaining and storing personal data, and you must do so in an appropriate legal manner. An audit will help you assess and strengthen your GDPR processes (and thus avoid potential penalties or other regulatory action for non-compliance).
Is a data audit difficult?
Be assured that our Privacy Team has many years of experience in conducting GDPR audits – it is a well-rehearsed process for us and we know what we are looking for.
Our auditor will ask several questions to obtain information necessary for the work, including, but not limited to:
- What personal data does your company collect and store?
- How is the data collected?
- Why do you need to possess this data?
- How is the data stored?
- How is it secured?
- How long is it kept?
- How is the data used?
- Who is the data shared with?
What data is protected by GDPR?
The GDPR applies to personal data and special category data. Personal data is information that relates to a person (a data subject) – not a company or organisation.
Some examples include:
Personal data:
- Name
- Address
- Email address
- Phone number
- Date of birth
- Employment details
- Bank details
Special category data:
- Sexual orientation
- Religious beliefs
- Political views
- Biometric data
- Health / medical data
Why should I use a professional GDPR data auditor?
Putting your GDPR audit into the hands of a qualified expert will ensure that a thorough and professional job will be done. An expert will perform an independent assessment of your business regarding your data protection needs.
- We guarantee minimum disruption to your business.
- We will work with you and your staff to suit your schedule.
- We can offer a FIXED price for the audit.
- We will take your risk appetite into consideration when drafting your report.
- Our GDPR consultants will tailor your GDPR strategy to create a personalised plan of action.
- Staff training is critical to ensure costly errors are avoided – we have a dedicated online portal that can instantly address this.
We offer a service that is cost-effective and time-efficient.
We will ensure your business achieves the necessary level of GDPR compliance and is able to easily maintain that legal status going forward.
Our independent assessment means that your business will be assessed in the same way that a regulatory body would conduct a review. Our experts know exactly what is needed to establish and maintain your GDPR compliance – and what is deemed “proportionate” for a business of your size.
An external GDPR audit demonstrates that you have taken steps to ensure that your business is compliant. It shows that you take your GDPR obligations seriously.
Why an Audit?
The objective of a data audit is to assess your business to check if it is GDPR compliant. This will include looking at how data flows through your business and identifying potential flaws in your system that could lead to a data breach.
Ensuring you are protecting data sufficiently is important, as is documenting your data flow so you can demonstrate your compliance.
What happens if my organisation has a data breach?
A data breach is broadly defined under the GDPR: it could include the loss or destruction of personal data, data that has been unlawfully altered, or personal data that has been disclosed, whether deliberately or accidentally. An example would be leaving a laptop unsecured in a public area with inadequate IT security protocols, allowing unauthorised access to personal data.
If you become aware of a data breach, then you must take immediate action to contain the breach as well as take appropriate steps to remedy the situation.
Will I need to contact the ICO?
The Information Commissioner's Office (ICO) should be notified if a breach has occurred that is likely to result in a risk to the rights of the individual(s) whose data has been breached. Businesses should assess what types of breaches they may face, as well as the potential risks to individuals (financial loss, discrimination, etc.) that those breaches could entail.
You would be required to provide the ICO with information including:
- The type of breach, how it occurred and how many people are likely to be affected
- What the potential consequences are due to the breach
- What actions you are taking to remedy the problem
- The contact details of your Data Protection Officer
How can I arrange a professional GDPR audit?
Get in touch and let us know your GDPR needs.
We will need to discuss your current procedures and ask questions about how you handle data and why. We will need to speak to members of your organisation who are involved in data collection. We will be able to discuss costs, work schedules and length of time necessary to complete the audit.
What happens after the audit is complete?
Once your GDPR audit has been completed, depending on your package, we will help you to create a Remediation Plan to ensure compliance is achieved over a manageable period of time.
You may need to change your procedures, ensure your data is more secure, and appoint a Data Protection Officer. You will then be secure in the knowledge that your business is GDPR compliant and you are able to demonstrate that with appropriate documentation.
What to do next:
- Please contact us now and let us remove the stress of managing data compliance in your business.
- We handle the complete scope of any data privacy requirement.
- You can find out in a matter of hours where your gaps are…