The EU General Data Protection Regulation (GDPR) has imposed many new obligations on organisations that process EU residents’ personal data. An audit will assess whether your organisation is meeting these obligations.
However, before an external auditor assesses the measures you’ve taken to comply with the Regulation, it’s worth conducting an internal audit to review whether your controls, policies and procedures are adequate, and, if not, where they need to be improved.
Here are ten essential areas of the GDPR that you will need to consider.
1. Data protection governance
To what extent are data protection accountability, responsibility, policies and procedures, performance measurement controls, and reporting mechanisms to monitor compliance in place and operating throughout your organisation?
2. Risk management
Is privacy risk included in your corporate risk register? What corporate arrangements are in place for privacy risk management across your organisation? To what extent does the corporate risk regime incorporate information-specific risks? Which risks to the rights and freedoms of natural persons are addressed?
3. GDPR project
To what extent is an appropriately staffed, funded and supported GDPR project in place and capable of delivering realistic objectives?
4. Data protection officer (DPO)
Is a DPO mandatory, has one been appointed, is the role positioned appropriately and is the individual capable of delivering against the GDPR’s requirements?
5. Roles and responsibilities
To what extent are the roles and responsibilities defined and established throughout your organisation, including necessary training and awareness?
6. Scope of compliance
It is essential that the scope of compliance is clearly defined, taking account of all the data processing in which your organisation has a role, whether as a data controller or as a data processor, as well as any data-sharing activity. In order to determine the scope of compliance, you also need to identify all the databases that hold personal data, as well as all extraterritorial/cross-border processing.
7. Process analysis
It is essential to identify, for each process that involves personal data, the extent to which each of the data processing principles is established. The lawful basis for processing is a key area of consideration. Are there any processes for which a data protection impact assessment (DPIA) is mandatory, and for which processes might a DPIA help establish data protection by design and by default?
8. Personal information management system (PIMS)
There is a wide range of documentation required to ensure that your organisation is able to effect and to demonstrate compliance with the GDPR, such as a data protection policy, a data breach notification procedure, subject access request forms and procedures, DPIAs and consent forms. The scale of the documentation should be appropriate to the size and complexity of your organisation. The PIMS should also address staff training and awareness.
9. Information security management system (ISMS)
Are appropriate technical and organisational measures in place to ensure adequate security of personal data, whether held in hard copy or electronic form or processed through your organisation’s systems? This review should also cover the methodologies used to test security, and any established cyber security certifications, standards and codes of practice that apply.
10. Rights of data subjects
Your organisation will need processes that enable it both to facilitate and to respond to data subjects exercising any or all of their rights, including the right of access.
Maintaining appropriate documentation
Documentation is a large part of GDPR compliance. Data controllers and, where applicable, their representatives will be required to keep the following records:
- The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the DPO.
- The purposes of the processing.
- A description of the categories of data subjects and of the categories of personal data.
- The categories of recipients to whom the personal data has been or will be disclosed.
- Where applicable, international transfers of personal data and the documentation of appropriate safeguards.
- Where possible, the envisaged time limits for erasure of the different categories of data.
- Where possible, a general description of the technical and organisational security measures implemented.
Note that these record-keeping obligations do not apply to organisations that employ fewer than 250 people unless:
- The processing is likely to result in a risk to the rights and freedoms of data subjects;
- The processing is not occasional; or
- The processing includes special categories of data or data relating to criminal convictions and offences.
However, even if you have fewer than 250 employees, record-keeping is an essential part of facilitating data subjects’ rights, so you will need to do it even if you are not technically obliged to.
We also advise keeping records of lawful bases for processing and data processor agreements.