
Why an Independent Audit

To meet the requirements of the GDPR when it was introduced back in 2018, many organisations turned to the web for general guidance and generic templates.


Four years on, a large number of organisations are still using those generic templates, such as the Privacy Notices on their websites.


Privacy Notices are the window into an organisation’s data protection process, but so often, when an audit is conducted, it is found that they do not reflect how data is actually gathered, processed, stored or shared, and the same gap is replicated in the disjointed implementation of the organisation’s data protection policies.


It is worth bearing in mind that if an organisation suffered a breach, or even a complaint, that triggered an ICO audit, would its documents and its staff’s day-to-day practice actually reflect the GDPR?


An independent audit compares the organisation’s current practice against the data protection legislation (the DPA 2018 and the GDPR) and associated regulations such as PECR, and identifies any gaps in the organisation’s compliance.


A small sample of the activities that will be undertaken:


Process mapping.

  • Walkthrough of data subject interaction with the organisation (how data is collected, what data subjects are told, and where and why data is processed and stored)

  • Internal movement of data (why it is processed, where it is stored, and how long it is retained)

  • External movement of data (why it is sent externally, and what data protection assurances are obtained from the recipient)

Audit Data Protection Procedures.

  • From this, we should be able to generate the data asset register (if one does not already exist).

  • Organisation structure and risk profile.

  • Any relevant accreditations.

  • Any internal audits and reviews.

  • Data classification systems.

  • Any DPIAs, legitimate interest balancing tests, etc.


Website

  • Full review against the PECR Regulations.

  • Full review of how data is collected from the site.



Perhaps it is time for an independent audit that produces a roadmap to guide your organisation on its data protection compliance journey.