For many organizations, the preparation of the general EU Data Protection Regulation (GDPR) has been a time-consuming undertaking. Unfortunately the work has not been done yet. Now that GDPR is in force, companies will have to perform regular internal audits to assess their compliance levels. The ability to document these audits is vital in the event of a violation or complaint, as demonstrating that a sincere attempt has been made can help prevent a major penalty.
"Audits are very important because accountability is one of the AVG principles, and organizations are expected to monitor their privacy and compliance programs as part of compliance," said Greg Sparrow, senior vice president and general manager for risk management advice. firm CompliancePoint.
"In addition, audits will ensure that organizations can cope with problems or errors in their programs and thus prove to the regulators a due diligence if violations occur or if they are at stake," says Sparrow. "Compliance is not a program to" argue and forget ". Companies are expected to comply with the regulation and to monitor regularly to ensure that they remain compliant."
Why should you perform a GDPR audit?
Many organizations affected by the GDPR are not yet satisfactory. Small companies in particular struggle to comply. A report issued by GDPR.eu in May shows a lack of agreement with the perception of European small business leaders that they are GDPR compliant and their actual level of compliance with key requirements.
About 86{e53874e4bbd58509048fd82fc905992bcdbedb43a73f551bb715cf467ce5a7fb} of the 720 respondents indicated that they were fully or largely compliant. However, only 44{e53874e4bbd58509048fd82fc905992bcdbedb43a73f551bb715cf467ce5a7fb} were confident that they clearly communicated their data processing activities to data subjects, and 44{e53874e4bbd58509048fd82fc905992bcdbedb43a73f551bb715cf467ce5a7fb} were not convinced that they had always been authorized to collect or set up a lawfund basis to use personal data. These are essential GDPR requirements.
Also in May, the European Data Protection Board (EDPB) reported that it had received around 65,000 reports of data breaches under GDPR and issued a fine of $ 63 million. In the same report it was also noted that the number of reports burdened the resources of regulators. Although audits are not mentioned in the report, it is logical that organizations that report an infringement that have not checked compliance with the GDPR receive more attention than an organization that did.
It is important to conduct GDPR audits "to determine whether there are processes to address the required tasks, including the right to be forgotten and data portability, and that data protection officers (DPOs) and staff know what to do in the event of a violation, "adds Gary Southwell, general manager of the Cyber Security Division of CSPi, security technology company.
"Fully auditing processes through an audit provides measures that can be used for process improvement," says Southwell. "But it also provides an important compliance element – demonstrating that your company has such processes in place and running – before problems occur as required by law. In particular, it can also improve overall readiness for investigations, which all companies should do so to minimize their risk of data loss. "
GDPR audits are likely to involve people outside of security, such as data management, IT, legal and human resources. It is clear that the focus is mainly on cyber security programs & # 39; s. These are the most important steps of a GDPR audit, according to industry experts.
1. Create a GDPR audit plan
The first step is to have a detailed plan and set of written, executable, and assignable processes that meet legal requirements step by step, Southwell says. "For those new to making such plans, ISO (International Standards Organization) provides templates for their processes, "says Southwell." Although not specific to GDPR requirements, (ISO) provides a template for creating good, usable plans that specify who does what, how and when. "
As part of this first phase, companies must assess which EU resident data they are collecting, where they are stored and how and where they are processed. "The audit must ensure that such data is correctly identified," says Southwell. "Compliance actions can be specified after identification."
For example, who likes a change in the keeping of such data for the purpose of deleting or transferring such data at the request of an EU resident? "How do you ensure that such a request is legitimate?" Southwell says. "How do you ensure that the data is processed correctly?" If data must be deleted, it must be ensured that all storage sites including data backups are correctly updated and processed. "
The plan must include a way to identify which data of the EU resident has been revealed and whether such records are protected by encryption. "If so, the notification steps are dramatically different," Southwell says. "The audit must show how each case is handled. Best practices also offer a full forensic audit process to answer questions and prove compliance."
When compiling an GDPR audit plan, you must bear in mind that companies must be aware of the data that they keep during their lifecycle. "Unfortunately, GRPR is a vague regulation that asks us many open questions, which increases the complexity of compliance," says Fouad Khalil, Head of Compliance at Security Services Provider SecurityScorecard, Inc. "With that said, it is my recommendation that organizations implement an audit plan around the life cycle of personal data." That includes classifying personal data and managing data risk, security and supply chain.
2. Search for GDPR compliance gaps and report the findings
Check your current compliance program under the GDPR. This includes data about processing, the data access process of the data subject, technical and security measures, privacy principles and data transfer mechanisms, Sparrow says.
"The GDPR affects the majority of departments within an organization," says Sparrow. "The audit discovery phase will consist of interviews and documentation / policy evaluation with each department that processes personal data or is responsible for the control, operations or technical controls of personal data."
This determines the ability of the organization to adapt to the GDPR rules. Discovery sessions must include the effectiveness of the organization in meeting requirements, Sparrow says, including:
- Requests for access to a topic
- Privacy Principles
- Technical and security measures
- DPO applicability
- Data transfers outside the EU to countries without a decision on adequacy
- Processor overview and contracts
- Response to data breach and notification to supervisory authority and data subjects
- Evaluation methodology for privacy effects
- Demonstration of data protection by design and standard
- Continuous monitoring of the compliance program
Once the discovery phase is complete, auditors must describe the current process and any areas that are not aligned properly. This means that a report is made that shows the ability of the organization to adapt to the GDPR rules.
The report can be comprehensive, with exhaustive findings and recommendations on changes that need to be made, Sparrow says. Or it can be as simple as an "aligned" or "non-aligned" assessment, with the proviso that everything under the "not aligned" category needs to be corrected.
3. Giving priority to and remedying gaps in GDPR compliance
The audit team must then give priority to areas that do not conform, based on the risk level of the specific areas. "Take a risk-based approach when working on remediation," says Sparrow. "For example, at conferences, supervisors have noted that their focus will be on infringements and the ability of an organization to facilitate legitimate requests for access to a topic. If your business is missing in this area, we recommend remedying it quickly."
Factors to be taken into account when determining risks & # 39; s are probability of occurrence, degree of deviation in regulations and business impact if an infringement is committed. Start with the areas with the highest risk & # 39; s and start remedying GDPR compliance gaps found in the discovery phase.
Given the wide scope of the regulation and the different requirements, it is unlikely that gaps will be remediated by one person or team, Sparrow says. "Give tasks to the right owners who are responsible for remediation and realistic deadlines," he says.
It is vital to understand that some recovery items take longer than others. For example, technical fixes and updates may require a rescheduling of the budget and staff increases, or the rights of those involved may require training development for those team members who are responsible for the front-end handling of end-user requests.
4. Test the remediation efforts
Now that the audit team has invested the time and resources in finding and resolving compliance deficiencies, it is vital to ensure that the organization's processes and systems meet GDPR requirements.
Test and recheck the controls that the organization has implemented to ensure that gaps are closed and any issues solved. "Now that the gaps have been closed, an audit has been carried out to ensure that the requirements are met," says Sparrow.
Remember that this is a continuous process. "Perform regular audits to ensure that the privacy and compliance program works as expected," says Sparrow. "Conducting ongoing audits and tests of the compliance and privacy framework to ensure that everything is in order. Accountability is a principle among the GPR and organizations must implement an ongoing monitoring and enforcement program to ensure the effectiveness of the privacy program. meet the requirements of the GDPR test.
Elements of GDPR and data privacy "should be included in regular risk analyzes," says Mischa Danaceau, CSO at managed security services provider InteliSecure.
"There are aspects of the law that may not apply to all companies, including the appointment of a DPO or the keeping of data on processing activities," says Danaceau. "To this end, the audit itself can help companies better understand the requirements."
Bonus benefits from GDPR self-audits
Performing a GDPR audit takes time, money and other resources. However, the return on that investment can be greater than simply reducing the risk of a fine. "The positive aspects of doing a self-check well outweigh the costs and efforts required to perform the audit," said John Timmerman, global industry evangelist at Teradata.
For example, Timmerman sees self-control as a way to demonstrate the representation of customers' interests. "Every marketing organization influenced by GDPR must be at the forefront of how well they protect their customers and argue on their behalf. It is surprising how many organizations see GDPR as a dictation rather than an opportunity," he says. "Market leaders will be candid and candid about everything they do to be loyal customer information managers and they will lead by showing their customers specifically how and why that information is used to provide better offers and better service."
