Data Protection Audit

[lwptoc]

THE STORM HAS PASSED – RIGHT?

“GDPR – thank goodness that is over! I got fed up with e-mails asking for my consent and inviting me to read privacy notices.”
Relief seems to have been a common reaction to the arrival of the UK’s third generation of data protection laws. After months of media attention and a good deal of confusion, everything seemingly went quiet.

You could be forgiven for thinking the storm had passed. Time to start the clean-up operation and cleanse the inbox of all those GDPR related messages from May you never opened. It all blew over and nothing really happened. It was just like the Millennium Bug. Not quite…

THE BEGINNING, NOT THE END

The new Data Protection Act (DPA) 2018 sits alongside the GDPR (General Data Protection Regulation) and aims to ensure data protection laws are effective for years to come – both pre- and post-Brexit. From 25th May 2018, The Information Commissioner’s Office (ICO) has had the powers to enforce the legislation.

But, thinking of that date as a deadline risks drawing the wrong conclusion. A deadline signifies a time by which something must be finished or submitted, whereas 25th May 2018 represents a beginning as much as an end. Whilst there had been two years for organisations to prepare for the changes, the task of identifying and addressing privacy and security risks did not finish there. Elizabeth Denham, The Information Commissioner, summed this up in a blog on 23rd May 2018 by saying: “we all know that effective data protection requires clear evidence of commitment and ongoing effort.”

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/05/beyond-2018-data-protection-laws-built-to-last/

EVIDENCE OF EFFORT AND COMMITMENT

In the build up to the GDPR ‘deadline’, there was high profile focus on the significant increase in the maximum level of fines available to supervisory authorities such as the ICO. However, whilst these sanctions are available, supervisory authorities are not required to impose fines.Indeed, Elizabeth Denham’s blog of 23rd May 2018 stated that: “this law is not about fines. It’s about putting the consumer and the citizen first.”

In making their assessment of appropriate action, the ICO must take into account a number of considerations. These include:

the intentional or negligent character of the infringement.
the degree of responsibility of the controller or processor taking into account technical and organisational security measures implemented by them.
the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement.

This helps to explain why the ICO will look for clear evidence of ongoing effort and commitment. Things can go always go wrong, even in an organisation which is well prepared. However, demonstrable evidence that reasonable steps have been taken to reduce data privacy and security risk will be taken in consideration if the worst happens.

Therefore, building and maintaining evidence of good data protection practice is something all organisations are expected to be doing. This should have started before 25th May 2018. If definitely should not have stopped after that date.

EASYLIFEIT™ DATA PROTECTION AUDIT

EasylifeIT can help your organisation provide evidence of its effort and commitment by facilitating and documenting a personal data information audit.

The primary aim is to identify areas of the business that are likely to process personal data, and in particular any special categories of personal data (previously known as ‘sensitive’ personal data).

Areas to be assessed are typically:

Human Resources
IT / Operations (to determine the computerised systems in use and to assess the security and contingency measures in place)
Marketing / Commercial (particularly in terms of analysing how consent is obtained and managed)

To maximise the value of the audit, decision makers representing each of the company’s key data processing functions need to be involved in the process. EasylifeIT’s consultant will spend one day on-site working directly with those nominated decision makers.

DPA 2018 / GDPR requires organisations to document what personal data they hold, where it came from and with whom they share it. Specifically, EasylifeIT’s Data Protection Health Check will seek to identify the extent to which an organisation understands and has documented the following:

Names of databases / applications personal data is processed in. Although this is likely to focus on computerised systems, it would also cover paper based systems if applicable.
A description of the purpose for processing that personal data
Categories of personal data e.g. name, telephone number, address etc
Access from / to third parties e.g. contractors or organisations that process any of the data on behalf of the organisation
Hosting location / use of internal or external service providers, particularly if outside of the EU
Back-up locations, particularly if outside of the EU
Contact details of person in charge of the relationship which covers databases / applications
Method of data transfer if outside of EU i.e. appropriate safeguards such as contracts are in place if data is transferred outside of the EU
Consent – how the organisation is seeking, obtaining and recording consent
Safeguarding – the methods in use to protect against unauthorised or unlawful processing and against accidental or unlawful loss, destruction, alteration, unauthorised disclosure of or access to personal data
Policies and procedures covering data privacy and security

In addition, the ICO has also designed a basic tool set to help organisations assess their compliance with data protection law. It helps with understanding the key concepts companies must continue to embrace. These include: the new rights of individuals, handling subject access requests, consent, data breaches and designating a data protection officer.

https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/

As part of EasylifeIT’s Data Protection Health Check, our consultant will run through relevant questionnaires from this tool set with the company’s designated decision makers. This will provide another useful measure of the organisation’s current level of preparedness and the gap (if any) which needs to be closed. Analysis of this will be included in EasylifeIT’s report which will be provided as part of the Data Protection Health Check.

DELIVERABLES

A 2 day programme of work, comprising:

1 day on-site working directly with the company’s nominated decision makers from pre-defined key functions
1 day to analyse findings from the on-site data gathering and to produce and deliver a report of findings and recommendations

BENEFITS

A prioritised action plan designed to build and maintain evidence of commitment to good data privacy and security practice

Jake Thomas

16:16 18 Jul 22

A professional and very competent service. Everything is managed beyond expectation. Highly recommended.

Tom Chance

09:27 09 Mar 21

We engaged Lindsey and her team to improve our security, and implement Microsoft across our business. They did an amazing job, and worked tirelessly and with lots of patience until things were working perfectly. Lindsey really knows her stuff, and I was so impressed by her knowledge of IT and ability to the root of issues.

Tamara Cooke

14:09 17 Sep 20

EasylifeIT are always able to solve our IT issues. Their support team are helpful, patient and are happy to explain things to you if you ask. FYI I've not ticked good value as my employer pays the bill so I don't know!

Sherwin Currid Sherwin Currid

08:09 10 Jul 20

Easylife IT have looked after our cloud IT systems for many years now. We continue to be very happy with the service which is prompt and efficient. The team are very knowledgeable and stick with issues until they are fully resolved. I would have no hesitation in recommending them to others.

Nick Green

10:45 09 Jul 20

My business has been using Easylife IT for what must be around 10 years and I have not needed to look elsewhere in that time! As a small business we don't have IT capabilities in house and the backup service from Easylife has given us confidence knowing that our backs are covered. All issues dealt with remotely and for higher level issues the business owner will help out with friendly advice. I always feel their advice is good and charging is fair. I am a little surprised to see another review that appears to speak highly but giving a 4 star. Anyway it's definitely a 5 star from me! Highly recommended.

Blog

EasylifeIT™ Data Protection Audit