Are you thinking about doing a data protection, Protection of Personal Information Act (POPIA) or General Data Protection Regulation (GDPR) audit? The first step is understanding whether your organisation needs a data protection audit or a data protection gap analysis. We’ve written before about the differences between the two processes. Your decision on which process is more appropriate will depend on whether you are at the beginning or end of your compliance journey. In our view, a gap analysis works best at the beginning, as a forward-looking activity to help you plan your actions. An audit, on the other hand, works best at the end, as a backward-looking exercise that helps you check whether you have implemented a specific regulatory requirement. This post focuses on a data protection audit.
It is important not to confuse an audit, in this context, with a data protection audit by an authority. The latter is conducted by an authority – like the UK Information Commissioner’s Office (ICO) – and findings of non-compliance have varied consequences.
Who should conduct a data protection, POPIA or GDPR audit?
An organisation initiates a data protection audit to assure itself that it is not exposed to a compliance risk. This audit can be internal or external. Some organisations choose to support their internal audit function by bringing in third-party consultants, while others outsource the internal audit function completely to a specialist POPIA or GDPR auditor.
It’s usually a good idea for the person who conducts an audit to be sufficiently independent from the business activities that they are auditing. Auditors need to be able to carry out an effective data protection audit and communicate their findings to the appropriate people without fear or prejudice.
What should I be looking for?
You must clearly understand which specific set of obligations (often called ‘controls’) you need to compare your organisation’s compliance efforts against. This will vary depending on what kind of compliance risk exposure is being assessed. It could be based on POPIA, GDPR, global data protection law, or even a combination of laws. It is important to understand your organisation and then link that understanding back to your regulatory universe. In most cases, your regulatory universe contains the data protection laws and regulations that apply to your organisation. If you do not have a documented regulatory universe, your data protection compliance programme should give you a clear indication of the data protection laws and regulations that apply to you.
It is also important to note that a data protection audit can only assess your compliance against the relevant data protection obligations. It cannot assess whether you have applied the principles, because that is a much more detailed and subjective process. That said, it is important to have a clear picture of your organisation’s overall data protection maturity, which includes how well you are applying the principles. An audit is just not the right tool for that.
For example, a data protection, POPIA or GDPR audit can tell you if you have appointed a data protection officer – an obligation. It would not be able to determine whether the information you are collecting from your data subjects is minimised – a principle. This is because the latter is not a simple yes or no question; it requires a deeper look at your data collection processes and the findings would be more nuanced.
Scoping and preparing a data protection audit
The scope of a data protection, POPIA or GDPR audit must be defined before the audit starts to ensure that it is conducted effectively. The scope may differ depending on the organisation. Some of the questions to keep in mind are:
- What am I auditing? My processes, systems or activities? What is excluded from the audit?
- What obligations am I comparing my organisation against?
- What period am I reviewing?
- What is the best approach for conducting an audit on my organisation?
- How long is my audit going to be?
We can help you think through your scoping and put together an appropriate data protection, POPIA or GDPR audit scope for your organisation.
Once you have decided on the audit scope, you then prepare a document request, a questionnaire and interview questions with the relevant regulatory obligations in mind.
How do I conduct a data protection audit?
At its core, a POPIA or GDPR audit is a comparison. You compare what you have done against what is expected of you. The expectations flow from POPIA, GDPR, global data protection law, or a combination, depending on your organisation. Your work lies in gathering evidence to get a concrete sense of what you have done, namely your compliance controls. You then assess that evidence against the obligations to reach a finding of either ‘compliant’, ‘partially compliant’ or ‘non-compliant’.
What is the outcome of all this?
The output of a data protection, POPIA or GDPR audit is an audit report. An audit report is a summary of all the work that has gone into the audit and its results. It starts with an overview describing the scope of the audit. This is typically followed by an executive summary that includes a condensed version of your observations and a statement of overall compliance. You then go into your detailed observations.
You can find out more about the other kinds of compliance audits we provide here.