Kaizen, i.e. you can always improve
In accordance with the principle of continuous improvement (the Japanese business philosophy of Kaizen or, for example, the so-called Deming cycle, that is “plan, do, check, act”), an audit is an opportunity to improve, enhance performance, and thus increase profits. The benefits may be many times higher than the costs incurred (time, money). It’s not just about showing off a picture of the certificate on the website or a nicely framed certificate on the wall in the office. It is about qualitative changes in processes, including the GDPR processes.
GDPR compliance – is an audit a must?
We are living in a time of rapid change and quickly developing technologies (including information technology), in which information, including personal data, has achieved extraordinary value (“data is new oil”!). In the face of these circumstances, providing the client with the best possible security is an obvious necessity.
If we have not yet taken any steps to implement the obligations under the applicable law, a GDPR compliance audit is the first thing to do. This is because it is necessary to take an inventory of resources, i.e. to verify what data are processed and where and how they are processed (a so-called Record of Processing Activities and/or Record of Processing Categories is created in the process), which should then be analysed in accordance with the principle of a risk-based approach. Whether we do it with enthusiasm and understanding or treat it as an unpleasant duty does not matter here; let’s assume that we have already complied with the regulations.
Auditing compliance with the GDPR is a statutory obligation
A GDPR compliance audit as a means to ensure adequate security of personal data
First and foremost, an audit consists of verifying that the processor to whom we have entrusted our data meets the criteria of a secure service provider. Article 28(3)(h) of the GDPR indicates that a data processing agreement should oblige the processor to “allow for […] audits […] conducted by the controller or another auditor mandated by the controller”. If you carry out processing operations on behalf of and on instructions from a data controller, your business may be subject to such an audit. Another issue regulated by the GDPR is the audits which should be carried out by a Data Protection Officer designated by the controller. Article 39(1)(b) of the GDPR stipulates that the DPO’s tasks include, among others, monitoring “compliance with [the] Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.” Conducting data protection audits has also been identified as one of the “mechanisms […] for ensuring the verification of compliance with the binding corporate rules” (Article 47(2)(j) of the GDPR).
A GDPR compliance audit as part of a security review
Let’s say that you do not use services that require outsourcing of data processing, you have not designated a Data Protection Officer, and your company is not a member of a group of companies that have adopted binding corporate rules. Do you still need to carry out personal data protection audits?
Once again, yes. This obligation arises out of Article 24(1) of the GDPR, which stipulates that “taking into account the nature, scope, context and purposes of processing as well as the risks […] for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure […] that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.” Given the constant technological and regulatory changes, such reviews and updates are necessary virtually all the time.
There’s more than one audit type
We can be in one of two situations. The first one applies to entities that have no data security management system and want to implement one. In such a case, we need what we’ll call an initial GDPR compliance audit. Such an audit will help us design a system appropriate to the nature of our business. The other type is a periodic data protection audit, which is carried out in companies that want to improve and adapt their existing security systems.
We already know that compliance audits in the field of personal data security are a necessity. But how do we carry them out?
An initial GDPR compliance audit includes:
- identification of activities (processes) which involve the processing of personal data,
- for each of such activities, identification of the purposes of processing, the legal basis, the assets used in the processing (e.g., types of documentation, software, categories of data subjects, types of data processed) and a range of other information about the processing that will be necessary to perform a risk analysis (e.g., whether legal obligations are met for each activity),
- an analysis and review of the existing security measures (identification of threats, vulnerabilities, and legal requirements and determination of necessary security measures),
- preparation of a list and a corrective action plan.
GDPR compliance audits carried out after the beginning of processing (concerning the functioning of the security system) consist of verifying and updating the information gathered during the first three of the above tasks in order to prepare a new list and a new corrective action plan.
The performance of the GDPR compliance audit should be confirmed by a report containing the criteria applied by the auditor (based on the provisions of law) and an assessment of the fulfilment of these criteria (compliance/non-compliance). Such a report forms a basis for preparing a corrective action plan and a schedule for its execution.
Of course, there are many methods for conducting audits, and they will vary from one organisation to another. They can be carried out using in-house resources or by engaging an external company. Bear in mind, however, that auditing a system you implemented yourself is not recommended due to the lack of objectivity.