Data Protection Audit
THE STORM HAS PASSED – RIGHT?
“GDPR – thank goodness that is over! I got fed up with e-mails asking for my consent and inviting me to read privacy notices.”
Relief seems to have been a common reaction to the arrival of the UK’s third generation of data protection laws. After months of media attention and a good deal of confusion, everything seemingly went quiet.
You could be forgiven for thinking the storm had passed. Time to start the clean-up operation and cleanse the inbox of all those GDPR-related messages from May you never opened. It all blew over and nothing really happened. It was just like the Millennium Bug. Not quite…
THE BEGINNING, NOT THE END
The new Data Protection Act (DPA) 2018 sits alongside the GDPR (General Data Protection Regulation) and aims to ensure data protection laws are effective for years to come – both pre- and post-Brexit. From 25th May 2018, the Information Commissioner’s Office (ICO) has had the powers to enforce the legislation.
But, thinking of that date as a deadline risks drawing the wrong conclusion. A deadline signifies a time by which something must be finished or submitted, whereas 25th May 2018 represents a beginning as much as an end. Whilst there had been two years for organisations to prepare for the changes, the task of identifying and addressing privacy and security risks did not finish there. Elizabeth Denham, The Information Commissioner, summed this up in a blog on 23rd May 2018 by saying: “we all know that effective data protection requires clear evidence of commitment and ongoing effort.”
EVIDENCE OF EFFORT AND COMMITMENT
In the build-up to the GDPR ‘deadline’, there was high-profile focus on the significant increase in the maximum level of fines available to supervisory authorities such as the ICO. However, whilst these sanctions are available, supervisory authorities are not required to impose fines. Indeed, Elizabeth Denham’s blog of 23rd May 2018 stated that: “this law is not about fines. It’s about putting the consumer and the citizen first.”
In making their assessment of appropriate action, the ICO must take into account a number of considerations. These include:
- the intentional or negligent character of the infringement.
- the degree of responsibility of the controller or processor taking into account technical and organisational security measures implemented by them.
- the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement.
This helps to explain why the ICO will look for clear evidence of ongoing effort and commitment. Things can always go wrong, even in an organisation which is well prepared. However, demonstrable evidence that reasonable steps have been taken to reduce data privacy and security risk will be taken into consideration if the worst happens.
Therefore, building and maintaining evidence of good data protection practice is something all organisations are expected to be doing. This should have started before 25th May 2018. It definitely should not have stopped after that date.
EASYLIFEIT™ DATA PROTECTION AUDIT
EasylifeIT can help your organisation provide evidence of its effort and commitment by facilitating and documenting a personal data information audit.
The primary aim is to identify areas of the business that are likely to process personal data, and in particular any special categories of personal data (previously known as ‘sensitive’ personal data).
Areas to be assessed are typically:
- Human Resources
- IT / Operations (to determine the computerised systems in use and to assess the security and contingency measures in place)
- Marketing / Commercial (particularly in terms of analysing how consent is obtained and managed)
To maximise the value of the audit, decision makers representing each of the company’s key data processing functions need to be involved in the process. EasylifeIT’s consultant will spend one day on-site working directly with those nominated decision makers.
DPA 2018 / GDPR requires organisations to document what personal data they hold, where it came from and with whom they share it. Specifically, EasylifeIT’s Data Protection Health Check will seek to identify the extent to which an organisation understands and has documented the following:
- Names of databases / applications personal data is processed in. Although this is likely to focus on computerised systems, it would also cover paper based systems if applicable.
- A description of the purpose for processing that personal data
- Categories of personal data, e.g. name, telephone number, address, etc.
- Access from / to third parties e.g. contractors or organisations that process any of the data on behalf of the organisation
- Hosting location / use of internal or external service providers, particularly if outside of the EU
- Back-up locations, particularly if outside of the EU
- Contact details of the person responsible for each database / application
- Method of data transfer if outside of the EU, i.e. whether appropriate safeguards such as contracts are in place when data is transferred outside of the EU
- Consent – how the organisation is seeking, obtaining and recording consent
- Safeguarding – the methods in use to protect against unauthorised or unlawful processing and against accidental or unlawful loss, destruction, alteration, unauthorised disclosure of or access to personal data
- Policies and procedures covering data privacy and security
In addition, the ICO has designed a basic tool set to help organisations assess their compliance with data protection law. It helps with understanding the key concepts companies must continue to embrace. These include: the new rights of individuals, handling subject access requests, consent, data breaches and designating a data protection officer.
As part of EasylifeIT’s Data Protection Health Check, our consultant will run through relevant questionnaires from this tool set with the company’s designated decision makers. This will provide another useful measure of the organisation’s current level of preparedness and the gap (if any) which needs to be closed. Analysis of this will be included in EasylifeIT’s report which will be provided as part of the Data Protection Health Check.
A 2-day programme of work, comprising:
- 1 day on-site working directly with the company’s nominated decision makers from pre-defined key functions
- 1 day to analyse findings from the on-site data gathering and to produce and deliver a report of findings and recommendations
- A prioritised action plan designed to build and maintain evidence of commitment to good data privacy and security practice