For many organizations, preparing for the European Union’s (EU) General Data Protection Regulation (GDPR) has been a time-consuming endeavor. Unfortunately, the work is not over. Now that GDPR is in effect, companies will need to do regular internal audits to assess their compliance levels. The ability to document these audits will be vital in the event of a breach or complaint, because showing that a good-faith effort was made could help avoid a big penalty.
“Audits are very important, as accountability is one of the principles under the GDPR, and organizations are expected to monitor their privacy and compliance program as part of being in compliance,” says Greg Sparrow, senior vice president and general manager at risk management consulting firm CompliancePoint.
“Further, audits will ensure that organizations can catch issues or errors in their program and thus demonstrate due diligence to the regulators if violations occur or they come under question,” Sparrow says. “Compliance is not a ‘set it and forget it’ program. Companies are expected to comply with the regulation as well as have regular monitoring in place to ensure they remain compliant.”
Why you should perform a GDPR audit
Many organizations affected by the GDPR are not yet compliant. In particular, small businesses have struggled to comply. A report released by GDPR.eu in May shows a disconnect between European small business leaders' perception of being GDPR compliant and their actual level of meeting key requirements.
About 86% of the 720 survey respondents said they were completely or mostly compliant. Yet only 44% were confident that they clearly communicate their data processing activities to data subjects, and 44% were not confident that they always obtained consent to gather or established a lawful basis to use personal data. These are core GDPR requirements.
Also in May, the European Data Protection Board (EDPB) reported that it had received about 65,000 data breach notifications under GDPR and had issued $63 million in fines. That same report also noted that the volume of notifications is taxing regulators' resources. Although the report does not mention audits, it stands to reason that organizations that report a breach without having audited their GDPR compliance would get more attention than those that have.
It’s important to conduct GDPR audits “to check that processes are in place to deal with the tasks required, including the right to be forgotten and data portability, and so that data protection officers [DPOs] and staff know what to do in the case of a breach,” adds Gary Southwell, general manager of the Cybersecurity Division of security technology company CSPi.
“Fully vetting processes through an audit provides measures that can be used for process improvement,” Southwell says. “But it also provides a key compliance element—proving your company has such processes in place and in operation—before issues occur as the law intends. Specifically, it can also help improve general investigative response readiness, something all companies should be doing to minimize their risk of data loss.”
GDPR audits will likely involve people outside security, including data governance, IT, legal, and human resources. Clearly much of the focus will be on cyber security programs. Here are the key steps of a GDPR audit, according to industry experts.
1. Create a GDPR audit plan
The first step is to have a detailed plan and set of written, actionable and assignable processes that go through the law’s requirements step by step, Southwell says. “For those new to creating such plans, ISO [International Standards Organization] provides templates for their processes,” Southwell says. “While not specific to the requirements of GDPR, [ISO] provides a template of how to create proper actionable plans, detailing the who does what, how and when.”
As part of this initial phase, companies need to assess what EU resident data they collect, where it’s stored, and how and where it’s processed. “The audit should ensure that such data is properly identified,” Southwell says. “Once identified, compliancy actions can be specified.”
For instance, who is in charge of tracking such data for removal or transferring such data upon an EU resident’s request? “How do you ensure that such a request is legitimate?” Southwell says. “How do you ensure the data is properly acted upon?” If data is to be removed, there needs to be a process of ensuring that all repositories including data backups have been properly updated and accounted for.”
The plan should include a way to identify which EU residents’ details were exposed and if such records were protected by encryption. “If so, the steps for notification are dramatically different,” Southwell says. “The audit should show how each case is dealt with. Best practice would also provide that a complete forensic audit trail is in place to help answer questions and prove compliance.”
When building an audit plan for GDPR, keep in mind that companies need to be aware of the data they hold throughout its lifecycle. “Unfortunately, GDPR is a vague regulation that leaves us with lots of open-ended questions, which adds to the compliance complexity,” says Fouad Khalil, head of compliance at security services provider SecurityScorecard, Inc. “With that said, it is my recommendation that organizations implement an audit plan around the lifecycle of personal data.” That includes classifying personal data, and managing data risk, security, and supply chain.
2. Look for GDPR compliance gaps and report the findings
Review your current compliance program under the GDPR. This includes records of processing, the data subject access request process, technical and security controls, privacy principles, and data transfer mechanisms, Sparrow says.
“The GDPR impacts the majority of the departments within an organization,” Sparrow says. “The discovery phase of the audit will consist of interviews and documentation/policy review with any department processing personal data or responsible for the governance, operations, or technical controls pertaining to personal data.”
This will determine the organization’s ability to align with the GDPR rules. Discovery sessions should include the organization’s effectiveness in meeting requirements, Sparrow says, including:
- Subject access requests
- Privacy principles
- Technical and security controls
- DPO applicability
- Data transfers outside of the EU to countries with no adequacy decision
- Processor oversight and contracts
- Data breach response and notification to a supervisory authority and data subjects
- Privacy impact assessment methodology
- Demonstration of data protection by design and default
- Ongoing monitoring of the compliance program
Once the discovery phase is complete, auditors need to outline the current process and any areas that are out of alignment. This involves producing a report that shows the organization’s ability to align with the GDPR rules.
The report can be extensive, with exhaustive findings and recommendations about changes that need to be made, Sparrow says. Or it can be as simple as an “aligned” or “not aligned” rating, with the understanding that anything under the “not aligned” category needs to be remediated.
3. Prioritize and remediate gaps in GDPR compliance
Next, the audit team needs to prioritize areas that are out of compliance, based on the risk level of the particular areas. “Take a risk-based approach when working towards remediation,” Sparrow says. “For example, the regulators have commented at conferences that their focus will be on breaches and an organization’s ability to facilitate legitimate subject access requests. If your company is lacking in this area, we recommend fixing it promptly.”
Factors that should be considered when determining risk include probability of occurrence, level of misalignment with regulation, and business impact if infringement occurs. Starting with the highest-risk areas, begin remediating the GDPR compliance gaps found in the discovery phase.
Given the broad reach of the regulation and the various requirements, gaps are unlikely to be remediated by one individual or team, Sparrow says. “Provide tasks to the appropriate owners responsible for remediation and realistic deadlines,” he says.
It’s vital to understand that some remediation items will take longer than others. For example, technical fixes and updates might require budget reallocation and staff augmentation, or data subject rights might require training development for those team members responsible for the front-end handling of end-user requests.
4. Test the remediation efforts
Now that the audit team has invested the time and resources in finding and remediating compliance gaps, it’s vital to ensure that the organization’s processes and systems meet the GDPR requirements.
Test and re-test the controls the organization has put in place, to ensure that gaps are closed, and fix any issues that might arise. “Now that the gaps have been closed, audit to ensure the requirements have been met,” Sparrow says.
Remember that this is an ongoing process. “Regularly perform audits to ensure privacy and compliance programs are operating as expected,” Sparrow says. “Performing ongoing audits and tests of the compliance and privacy framework to ensure all is in order. Accountability is a principle under the GDPR, and organizations must implement an ongoing monitoring and enforcement program to test the privacy program’s effectiveness in meeting the GDPR” requirements.
Elements of GDPR and data privacy “need to be incorporated into regular risk analyses,” says Mischa Danaceau, CSO at managed security services provider InteliSecure.
“There are aspects of the law that may not apply to all companies, including appointing a DPO or maintaining records of processing activities,” Danaceau says. “To this end, the audit itself can help companies understand the requirements better.”
Bonus benefits of GDPR self-audits
Performing a GDPR audit takes time, money, and other resources. However, the return on that investment can be greater than simply reducing the risk of a fine. “The positives of doing well on a self-audit far outweigh the costs and effort required to perform the audit,” says John Timmerman, global industry evangelist at Teradata.
For example, Timmerman sees the self-audit as a way to demonstrate customer advocacy. “Every GDPR-affected marketing organization should be leading with how well they’re protecting their customers and advocating on their behalf. It’s surprising how many organizations view GDPR as a dictate rather than an opportunity,” he says. “Leaders in the market will be upfront and vocal about everything they’re doing to be faithful stewards of customer information and they’ll lead by showing their customers specifically how and why that data is used to provide better offers and better service.”