An GDPR audit should focus on legal and organisational issues as well as on the IT-related area. In this article, we focus on the organisational and legal audit. But let’s start at the beginning. It has been more than five years since the EU General Data Protection Regulation – commonly referred to as GDPR – came into force. During this time, we are already richer in experience, which was missing at the very beginning of this legislation. One can even speak of the panic that took place a few months before GDPR came into force and the terror of penalties. After several years, we already know that sanctions in the form of fines are imposed by the President of the Office for Personal Data Protection as a last resort. The scare has therefore proved to be unjustified. Especially since many of these fines are subsequently overturned by the Polish administrative courts!
However, this does not mean that the protection of personal data in companies can be approached in a low-key manner. Quite the contrary. Practice from implementations, audits and court rulings already shows us what we should take seriously and what is less important. What needs to be approached rigorously and which areas can be approached more liberally. A good example is the so-called “compliance”, which we have been dealing with for several months after the new regulations came into force. No matter how we process data, it has always been recommended to obtain consent, which has nothing to do with the content of the GDPR.
Data protection is more important today than ever before. And it will become more important every year. This is due to the widespread digitalisation of businesses, the entrance into widespread use of technologies based on data processing (e.g. artificial intelligence, big data solutions, etc.) and the widespread use of electronic devices.
What is a GDPR audit?
An GDPR compliance audit is an examination to determine whether and to what extent the mechanisms required by the regulation have been implemented in an organisation. It allows you to answer the question of what resources an organisation has in place for:
- the collecting of personal data;
- storage of personal data;
- processing of personal data.
A properly performed GDPR audit should also answer the question of what personal data and how it is processed in the company, including sensitive data.
GDPR audit – when should it be conducted?
It is recommended that an audit is carried out even before a personal data processing policy is developed, as it provides a starting point for possible improvements. The GDPR audit should be carried out by a team consisting of lawyers qualified in the practical application of the regulation and should cover all processes in which personal data appears. A comprehensive audit should include both documentation, analysis of databases and interviews with employees.
Conducting an audit always results in a comprehensive report, which includes a summary of the audit findings and recommendations for change, taking into account the specifics of the business and its scale.
It should be noted that – although the provisions of the GDPR do not mandate regular audits, they imply the necessity to periodically analyse the compliance of the infrastructure with data protection regulations. This follows both from the content of the regulation itself and the guiding recitals to it.
However, it is not clear from the current regulations how the model audit should look like, and controllers of personal data have full freedom in this regard, which is only limited by the principle of accountability. It assumes that the controller must be able to prove the correctness of the choice of measures aimed at ensuring compliance of data processing.
The ability to comply with the accountability principle is of particular importance when the entity implementing the GDPR is audited by a supervisory authority. The GDPR audit is designed to answer the question of whether the company is applying the various mechanisms and principles provided for in the regulation, such as qualified profiling, transfer of data to entities established in a third country, or the principle of data processing minimalism.
The duration of the audit depends primarily on the scale and complexity of the business being audited. For small companies that operate on the local market, it can be as little as a few days. For companies that operate internationally or those that transfer data to third countries using extensive entrustment agreements, the audit time is even several weeks.
The decision to carry out an audit needs to be well thought out, so it is recommended that this is decided in advance. It is not only the price of the audit that is crucial, but also finding an experienced audit team that understands the specifics of the business in question and can correlate it with the applicable regulations.
So when to conduct an GDPR compliance audit?
Conducting an GDPR audit should not be seen as an onerous and costly obligation, but as carrying out preventive and protective measures. It is also not a one-off initiative, but one that should be repeated regularly in order to have reliable and timely feedback. When should an organisation consider a test?
Starting a business
First and foremost, a GDPR compliance audit is recommended for companies that are just starting a business and are unsure to what extent they should equip themselves with personal data management mechanisms. In this case, the audit allows you to determine what type of data is subject to processing and storage and how to do so in a secure manner. Many entrepreneurs still do not realise that the GDPR does not provide ready answers in terms of data protection, but only indicates what objectives should be achieved.
Changes in the scope or manner of personal data processing
The second group of entities that should consider conducting an GDPR audit are entrepreneurs implementing new technological solutions (e.g. a new CRM or WMS system) or extending the profile of their business with activities largely related to data processing (e.g. marketing services, financial advisory services). There is no doubt that, at this stage, entrepreneurs already have mechanisms in place to apply the provisions of GDPR, but it should be determined whether they are still valid despite the implemented changes.
Transfers of personal data to third countries
The GDPR audit is also extremely important for companies that transfer personal data to third countries that are not on the list covered by the Community legislation. It should be noted that two groups of countries can be distinguished in this aspect:
- countries for which a decision of the European Commission has deemed that they guarantee an adequate level of personal data protection (e.g. Andorra, Argentina, Japan);
- countries for which there is no decision of the European Commission, so appropriate safeguards must be applied.
In each of these two cases, the audit should look slightly different and take into account different aspects of the application of the GDPR.
Risk of financial sanctions
The purpose of an GDPR audit is not only to align current mechanisms with the applicable requirements, but also (and perhaps above all) to avoid severe financial sanctions. It is worth noting that the legislation provides for both administrative liability of up to €20 million or 4% of worldwide annual turnover (the higher figure is decisive) and civil liability for the data controller and the entity that processes data on its behalf. By carrying out regular audits, the risk of breaches of data protection legislation and thus sanctions by the competent authority can be minimised.
A GDPR audit also strengthens the company’s position with its contractors, who are made aware that they are working with a partner that respects Community rules on the processing of personal data. In practice, this means increased security of business-critical information, such as customer databases.
Since the sphere of personal data protection and privacy is important in today’s economy, this topic should be properly addressed within your company. This is not only a legal requirement stemming from EU regulations in the form of GDPR, but also from society’s growing awareness of privacy protection. Companies that take care of this sphere not only gain ‘certainty’ in terms of legal risks, but also gain the trust of customers. However, in order to start taking care of this sphere, it is first necessary to establish the starting point where the company is. An audit before the implementation of GDPR procedures and documentation or after its implementation when you want to update your documentation serves this purpose.
Steps in an GDPR audit
A GDPR audit should focus on legal and organisational issues as well as on the IT-related area. In this article, we focus on the organisational and legal audit. The audit should consist of three stages.
GDPR audit – STAGE 1
The first is interviews with the people responsible for the various departments in the company. Most often, the auditors or lawyers conducting the audit interview people from management, sales, marketing, human resources (HR), legal and IT. The purpose of these discussions is primarily to understand the business context of personal data processing, the personal data processing processes, the documentation in place and to catch the various legal risks related to data protection.
GDPR audit – STAGE 2
The second stage is to examine the internal documentation and contracts held. This includes, but is not limited to, security policies, risk analyses, personal data processing entrustment agreements, further personal data processing entrustment agreements, employee contracts, processing activity registers, entrustment registers, category registers, privacy policies and content of information obligations.
GDPR audit – STAGE 3
The third stage is the preparation of a written report on the activities carried out in the two previous stages.
How to identify and describe data processing processes in an organisation?
The mapping of personal data processing processes is the identification of activities that are carried out in a company and are related to the processing of personal data. Such a “map” will then be used to create a register of processing activities, which in turn is a necessary tool to demonstrate that the personal data controller has complied with the principle of accountability. Although the provisions of the GDPR impose an obligation to keep a register of processing activities on companies employing 250 people or more, in practice it is usually recommended to create a register even for small, one-person businesses. This makes it much easier to control the circulation of data within the organisation.
Sometimes the doctrine uses the term inventory of data processing, i.e. obtaining comprehensive information about it in terms of:
- what types of personal data are processed and what categories of subjects they concern (e.g. employees, suppliers);
- what is the purpose and legal basis of personal data processing;
- whether personal data processed within the company is transferred to entities outside the organisation;
- how and for how long personal data is stored;
- what safeguards the company uses to protect access to personal data (this includes both physical, IT and organisational barriers);
- what assets that could potentially be used to process the data the company has at its disposal (e.g. IT systems).
In order to correctly identify all personal data processing, it is necessary to have a good understanding of how the information that enters the company is managed, as the most inconspicuous activity is of great importance. A data processing process will range from claiming a receivable, sending a letter of intent or simply handling a complaint made by a customer.
Identifying processes is not enough. The entrepreneur should take care to link them together in collections. This makes it possible to organise, prepare and systematise further activities included in the audit. In fact, it can be said that without the mapping of processes and the creation of data sets, the audit itself does not make much sense, as the actions taken will be of a random nature, unrelated to the actual situation of the company.
Once the individual data sets have been extracted, the individual processes carried out in the company should be assigned to them. In practice, several to a dozen groups are usually identified so that they can be managed efficiently. Examples of sets are e.g:
- customers – typical processes include establishing cooperation, handling complaints, informing about new products;
- employees – processes will include e.g. realisation of employee rights and obligations, use of non-wage benefits or use of image;
- contractors – in this case the processing of data may consist in establishing cooperation, handling contracts or accounting for financial operations.
It is worth paying attention that the mapping of processes is not too detailed, as in practice it will become impossible to manage them or will lead to decision-making paralysis. On the other hand, overly general premises will lead to processes getting out of control.
GDPR audit report
Every GDPR audit should conclude with a detailed report and post-audit recommendations. This is the only way in which the company receives valuable feedback on what is being done incorrectly in the organisation and how the process should be corrected. Following the recommendations reduces the risk of sanctions in the event of an audit by a supervisory authority, so the report should never be regarded merely as a summary. It is a valuable tool to improve the organisation’s operations, provided that the company implements the auditors’ guidance.
The GDPR compliance audit report should answer questions about the current state of data protection in the company, as well as suggest safe and comprehensive solutions for strengthening the ‘weak links’ in the system. The volume of a reliably conducted audit is usually several dozen pages.
It is important that the report answers questions regarding compliance with the GDPR in the following areas:
- analysis of the obligations fulfilled by the personal data administrator;
- analysis of the processes taking place in the organisation;
- analysis of safeguards.
The document should clearly define the scope and purpose of the audit, the criteria adopted and the methodology used. In this way, the company commissioning the audit can easily relate the results to its own situation. The key objective of the report is to identify all processes related to data protection compliance and summarise the collected information in a clear and transparent way. From the contracting authority’s point of view, recommendations, i.e. guidance on a specific identified problem, are the most important.
An example of a recommendation could be, for example, the recommendation to publish information on the organisation’s website about the appointment of a Data Protection Officer, together with his or her contact details, if this obligation has been omitted.
Post-audit recommendations should be prepared for each group of processes separately, taking into account their specificity and taking into account not only individual types of data processing, but also industry codes of conduct, if such regulations are in force for a given industry.
The security assessment includes technical, mechanical and organisational measures to secure access to personal data and possible recommendations for their modification.
To facilitate the assimilation of the recommendations, the GDPR reports usually introduce a gradation of the assessment of the different levels of investigation. An example of such gradation can be the assignment of one of the statuses to each of the audited elements, e.g:
- compliance – the audit team found no non-compliance in the area in question, and the process functions in accordance with the applicable regulations; sometimes an
- opportunity for improvement, i.e. a chance for further improvement, is also distinguished;
- potential non-compliance – although the process is compliant, the way it is implemented could easily lead to an incident;
- non-compliance – the process under examination is not compliant with the requirements specified in the regulations and requires immediate correction;
- not applicable or not examined – an element is excluded from the audit because it does not occur in the organisation in question (e.g. qualified profiling of personal data).
A post-audit report is usually a comprehensive document consisting of many elements. Below I provide you with an example of the structure of an GDPR audit report. Each of the following areas is examined in terms of whether it is implemented (for example, whether a procedure in the form of a document exists and is implemented) and whether it complies with the GDPR. In addition, a section with recommendations or so-called corrective actions is added.
Area related to data protection documentation:
- Internal documents held,
- personal data security policy,
- template of register of processing operations,
- template of register of data processing consents or other form of documentation of consents obtained,
- model of register of violations,
- template of the processing authorisation,
- conducting a data protection impact assessment,
- template consents,
- template for information obligation,
- whether the documentation provides for:
- the manner in which the rights of the data subjects are to be exercised,
- the procedure for obtaining consents for processing,
- the way in which employees handle personal data,
- the granting of authorisations to process,
- the maintenance of the register of authorisations,
- the way of concluding entrustment agreements,
- the way of keeping a register of processing operations,
- carrying out a data protection impact assessment,
- principle of data minimisation,
- data anonymisation,
- how to act in case of a personal data breach.
Area of data subjects’ rights:
- whether the company has a model information clause,
- whether the clause has been communicated to the data subject,
- whether requests to withdraw consent to the processing of personal data have been made,
- whether notifications have been included in the register,
- whether the company has a register of requests for the exercise of data subjects’ rights,
- whether requests for the exercise of data subjects’ rights have been made,
- whether notifications have been entered in the register,
- analysis of documented cases of notifications, if any.
Area of data transfer to third parties:
- Whether data is shared with other controllers,
- Whether data is transferred to processors (processors),
- Whether a register of entrustment agreements is kept,
- Whether the register is maintained on a continuous basis,
- whether the company has a template entrustment agreement
- Whether the entrustment agreement meets the requirements of the GDPR,
- whether the model entrustment agreement covers:
- the issue of authorization of processor’s employees to process personal data,
- the way in which the entrusting entity verifies the processor’s ability to provide guarantees for the implementation of appropriate security measures,
- an obligation for the processor to apply technical and organisational measures ensuring the security of the personal data it processes,
- an obligation for the processor to maintain a list of entrustment agreements (covering agreements entered into both by itself and by its sub-processors, if any),
- an obligation to keep a register of all categories of processing activities?
- an obligation for the processor to submit to inspections or audits in this area, as well as inspections or audits carried out by the controller or
- entity authorised by it,
- the procedure for informing the processor about incidents or breaches of protection of personal data entrusted to it for processing, as well as the obligation to take action in this respect,
- the obligation of the processor to comply (on behalf of the controller) with requests received by the controller from data subjects in exercising their rights,
- Has the verification of subjects been carried out prior to the conclusion of the contract?
- Has the verification of subjects been documented?
- Is the verification of subjects scheduled on a cyclical basis?
- Does the company have a model document to comply with the information obligation?
- Verification of information clauses to meet the requirements of GDPR
- Is the model information clause adapted separately to situations where data is obtained from the data subject and situations where data is obtained from other sources?
Area related to the implementation of internal documentation:
- Register of processing activities,
- Data security – whether physical, technical or organisational data protection measures are in place,
- Risk analysis.
Area related to persons responsible for data processing:
- Whether a Data Protection Officer (DPO) has been appointed,
- Whether there is a basis for appointing a DPO,
- Whether an analysis of the obligation to appoint a DPO has been carried out,
- Duties and competences of the DPO,
- Qualifications of the DPO,
- Independence of the DPO position within the organisation.
Area related to security measures:
- Entrance and access to plant and premises
- whether there is monitoring,
- whether there is access control,
- whether information obligations are fulfilled,
- whether data are collected in a redundant manner.
Implementing GDPR in a company – summary
Implementing GDPR in an organisation is a multi-stage and complex initiative. The larger the scale of the business and the more diverse the processes implemented within it, the more important it is to have regular compliance testing by independent specialists. Unfortunately, practice shows that independent attempts to apply the regulation usually fail to produce the expected results, creating an illusory belief of security in the entrepreneur. By using the assistance of an experienced audit team, the organisation receives real help, as its operation is assessed from the outside, which makes it possible to spot deficiencies invisible for employees or contractors.
As a rule, entrepreneurs dealing with the development of their business on a daily basis do not control the compliance of the correct implementation of the provisions of the GDPR regulation, as well as data processing processes, and once introduced, the scheme of conduct is sometimes maintained for years. In order to minimise the risk of an incident and potential legal sanctions, it is worthwhile to continuously improve once adopted algorithms to adapt the organisation to the changing economic, technological and business environment of the entity. An audit should be conducted periodically. Depending on the importance of a given process, it can be commissioned once every few years or even once a year.
A properly implemented GDPR procedure consists of:
- identification of the data processing processes and their combination into collections;
- evaluation of the register of processing activities, if introduced;
- preparation of an audit with post-audit recommendations.
Only by carrying out these steps together can a reliable assessment be made of the status of GDPR implementation in the organisation. It should be taken into account that following the audit guidelines effectively reduces the risk of an incident, but does not eliminate it entirely. It is incumbent on the entrepreneur or the designated person still responsible to control the situation in the company on an ongoing basis.
The GDPR implementation procedure requires careful preparation of tools by identifying data processing processes and their assessment through the prism of the guidelines. It is worth remembering that the EU regulations are based on the principle of proportionality. Although this concept is mainly associated with data processing principles, it should also be referred to the implementation of security mechanisms. In practice, it means that the solutions applied should be adequate to the scale and type of business. By using an external team, a company can count on this proportionality and the use of only proven, effective methods. This allows it to optimise the costs of its operations and reduce unnecessary expenses.
Proper implementation of GDPR in a company requires not only a good knowledge of the specifics of the business, but, above all, of the regulations together with guidelines, both national and international. Therefore, it is worthwhile to outsource this task to specialists with many years of experience in the development of personal data processing procedures. Experienced lawyers will make a comprehensive assessment of the state of implementation of data protection mechanisms, evaluate their adequacy and prepare recommendations to improve security and increase the productivity of the organisation.