Data protection authorities around the world have started to do a data protection audit (or GDPR audit) on controllers to check that they comply with data protection law. Essentially, the authority compares your organisation to a data protection law that it must comply with and determines the degree to which your organisation complies. A compliance audit involves an auditor from an authority verifying your organisation’s compliance with the law by gathering evidence. For many controllers, this is a very scary prospect.
- What will happen to you if you are audited?
- What does an authority normally ask for as part of an audit?
- How can I prepare for a GDPR audit?
Please note that this article is specifically about an authority, commissioner or regulator conducting an audit. It is not about Michalsons doing an audit for you or an internal audit or other external third-party is doing an audit on you. It is also not about a privacy impact assessment (PIA) or a data protection gap analysis. We deal with both of those topics in their own module in our data protection programme. This article is also not about a GDPR data audit, which is something different and is about mapping activities to create a record of processing activities. An audit is also something different to an advisory visit.
What is involved in a data protection audit?
The authority who is most active in auditing controllers is the Information Commissioners Office (ICO) in the United Kingdom. They have also given us information and a guide to ICO data protection audits. This material is very useful for giving you an idea of what would be involved.
An audit, both internal and external, should be aimed at helping you understand your data protection obligations as well as at meeting them. Data protection authorities, such as the ICO, provide a risk-focused report with recommendations after they’ve assessed the extent to which you comply with the relevant data protection law. The ICO also publishes an executive summary on their website for a year after the audit. For example, there is an executive summary of the recent Ormiston Academies Trust audit that notes areas of improvement such as updating their contracts with data processors to be fully compliant with Article 28 of the GDPR.
An audit may look at a number of areas relevant to your organisation. Some examples include:
- data protection governance,
- the structures, policies and procedures to ensure compliance with data protection legislation,
- the processes for managing containing personal data,
- the processes for responding to any request for personal data,
- the measures in place to ensure the security of personal data you store, and
- the provision of staff data protection training and staff awareness of data protection requirements.
How to prepare for a GDPR audit
Essentially you want to be in a position to provide an authority with tangible evidence that you take data protection seriously and that you have correctly taken action to protect personal data. Authorities like evidence. So you need to start creating a paper trail of all the actions you have taken over time. This is very hard to recreate when you’re being audited and is much easier to do over a period of time when you are actually taking the action.
Audits look at three main areas:
- Security of personal data – how personal data is stored and kept secure.
- Records management – how records containing personal data are processed, from collection to destruction.
- Requests for personal data – how you handle individuals’ requests for copies of their personal data and how you manage routine and one-off disclosures to other organisations.
Your organisation should be prepared to show a data protection authority the specific processes and facilities employed to meet compliance in these areas. You can prepare by aligning your internal audit with an external one. By running regular internal audits that include recommendations and actionable tasks you’ll increase data protection awareness across your organisation.
How we can help you
- Respond appropriately to a notification from an authority that they are going to audit you by asking for our advice.
- Find data protection software that can help you take action and produce a record of what is being done by asking for our advice.
- Implement your own data protection programme by joining one of our data protection programmes.
Recent high profile audits by authorities
Recently, the Swedish Data Protection Authority has performed an audit of over 350 organisations on whether they had yet to appoint a data protection officer. The audit included, amongst others, banks, telecom providers, medical care providers, insurance companies and trade unions. This is their first GDPR audit and they chose to audit the presence of appointed Data Protection Officers because the role is critical to raise data protection awareness within an organisation as well as to compliance. The audit shows, among other things, that most companies have. Only 16% of the audited companies still need to appoint a Data Protection Officer. The Swedish DPA issued reprimands and orders to comply but no fines. Inspector General Lena Lindgren Schelin has said fines will be on the table in the future for continued non-compliance.
The Bavarian Data Protection Authority audited major Bavarian websites for their use of tracking tools, specifically looking at the use of cookies. According to the Conference of German Data Protection Authorities’ position paper on 26 April 2018, the use of cookies requires opt-in consent. The authority found none of the 40 websites they audited to be compliant.
The ICO has conducted 55 audits so far. They report their audits and advisory visits on their website. Recently they conducted an audit of the NHS England focusing on governance and accountability. Their rating system consists of four categories, High, Reasonable, Limited or Very Limited. The NHSE were given a ‘Reasonable’ assurance rating and were advised to revise their information management audit framework.
Earlier this year, the Information Commissioner’s Office (ICO) proposed fining British Airways more than £183 million and Marriot International almost £100 million. Whilst these are only proposed fines and so are likely to be reduced, this is an indication that data protection authorities are intensifying their activities as similar fines in the pre-GDPR era were around £500 000. This might also be an indicator that authorities will conduct a greater number of audits in future.