Does any phrase strike fear into the heart of an organisation quite like ‘we are due an audit’?
Despite their reputation, audits don’t have to be scary, cumbersome or something you put off until the very last minute.
Audits are tools which allow you to assess your level of compliance and identify any areas which may benefit from improvement.
They are also a great way to investigate whether your organisation’s current operational abilities are fit for purpose. If we replace the word ‘audit’ with ‘review’ or ‘investigation’, the process becomes decidedly less daunting. That being said, it is important to remember that failure to perform an audit can result in financial and operational penalties for your organisation, so don’t relax too much!
When the General Data Protection Regulation (GDPR) came into effect on the 25th of May 2018, many organisations scrambled to ensure their compliance with it. In our experience, most organisations have found themselves in one of two scenarios: either they started their journey of improvement in 2018 but haven’t yet reached an acceptable level of compliance, or they completed an audit in 2018 but haven’t done another one since to assess how the changes made in response to GDPR have affected the organisation. There have been several changes since the 25th of May 2018, including the outcomes of Brexit, which resulted in UK GDPR coming into effect on the 31st of January 2021.
If you’d like to find out more about the differences between UK GDPR, EU GDPR and the Data Protection Act 2018 (DPA 2018), keep an eye out for a future blog post.
Recently the Information Commissioner’s Office (ICO), under the leadership of John Edwards, has revealed its intent to crack down on organisations that are in breach of data protection legislation, including the Privacy and Electronic Communications Regulations (PECR), UK GDPR and DPA 2018. While most of the financial penalties have been issued for predatory marketing calls, the ICO has also issued enforcement notices regarding breaches of UK GDPR/DPA 2018. These recent developments highlight the need for a regular data protection audit to ensure your organisation is compliant with the existing data protection legislation.
It is also a legal requirement to be able to demonstrate compliance with the existing data protection legislation. A yearly audit is therefore a great way to demonstrate that your organisation is compliant and that data protection is a priority in its operations.
A typical data protection audit covers the following areas:
- Governance and accountability
- Training and awareness
- Records management
- Security of personal data
- Subject Access Requests and Individuals’ Rights
- Data Sharing
- Information Risk Assessment (DPIA) and Management
- Direct Marketing
- Freedom of Information (FOI) (where applicable)
Within each of these areas, questions are asked about the processes, capabilities, policies and systems that your organisation has in place to support compliance. The aim of the audit is to cover every area of the organisation and identify any gaps. Where gaps are found, the audit will also show your organisation how to remediate them.
The benefits of an audit include but are not limited to the following:
- Helping to raise awareness of data protection within your organisation.
- Sharing best practices, providing risk analysis and remediation for continual improvement.
- The resulting reports and assessments can be used to build a business case for your organisation’s senior leadership team or board, either to secure additional funding for data protection projects or to demonstrate your organisation’s commitment to data protection and individuals’ rights.
- Regular audits can help prevent issues that could otherwise result in financial or regulatory penalties.
- Improving your organisation’s efficiency and efficacy in managing your employees, customers, and any data that you are responsible for.
Audits also help to improve the data protection culture within an organisation, which has the added benefit of improving response times to data subject requests, such as a Subject Access Request (SAR), and to data breaches.
Utilisation of an external consultant ensures that your organisation benefits from the involvement of objective industry experts, not to mention a fresh pair of eyes to conduct an independent assessment.
Audits can be completed offsite to minimise disruption to your organisation and its everyday operations. DPAS provides a tool to our audit clients which can be used on a monthly basis to reassess your organisation’s compliance score and demonstrate compliance. For more information on how DPAS can help you, see https://dpas.gsl.media/dpas-compliance/audit/.
Did you know that data protection laws now require anyone with a CCTV system, even if it’s just one camera, to comply with and operate their system within the rules set out in data protection legislation? Therefore, it is also a legal requirement to carry out a CCTV audit.
If you require additional support with a data protection audit or demonstrating compliance you can contact us at firstname.lastname@example.org or by calling our office at 0203 301 3384.