To meet the requirements of the GDPR when it was introduced in 2018, many organisations turned to the web for general guidance and generic templates.
Four years on, a large number of organisations are still using these generic templates, such as the Privacy Notices on their websites.
Privacy Notices are the window into an organisation’s data protection process, yet an audit so often finds that they do not reflect how data is actually gathered, processed, stored or shared, and this mismatch is usually mirrored in a disjointed implementation of the organisation’s data protection policies.
It is worth bearing in mind that if your organisation were to suffer a breach, or even a complaint that triggered an ICO audit, would your documents and your staff’s day-to-day practice actually reflect the GDPR?
An independent audit compares the organisation’s current practice against the data protection regulations (the DPA 2018 and the GDPR, together with associated regulations such as PECR) and identifies any gaps in the organisation’s compliance with them.
A small sample of the activities undertaken:
Walkthrough of data subject interaction with the organisation (how, what are they told, where and why data is processed and stored)
Internal movement of data (why the processing and where is data stored, retention)
External movement of data (why is it sent externally, what assurances of Data protection are undertaken)
Audit of data protection procedures.
From this, we should be able to generate the data asset register (if one does not exist).
Organisation structure and risk profile.
Any relevant accreditations.
Any internal audits and reviews.
Data classification systems.
Any DPIAs, legitimate interests balancing tests, etc.
Full review of compliance with the PECR Regulations.
Full review of how data is collected from the website.
Maybe it’s time for an independent audit that produces a roadmap to guide your organisation on its data protection compliance journey.