What Is a Data Protection Audit?
Data privacy regulations, such as the European Union’s General Data Protection Regulation (GDPR), place a strong focus on the documentation the controller must provide. Documentation should be clear and should make security practices transparent. It should explain what personal data is processed, how it is processed, and the legal basis for processing it.
For most companies, a data protection audit will be their first structured look at these questions. The audit helps them understand what data is being processed, why and how it is processed, and which improvements are needed to comply with the GDPR.
You can use data protection audits to assess whether your organization meets data protection obligations, identify risks associated with data protection, and suggest best practices for improving the situation.
In this article, you will learn:
- What Is a Data Protection Audit?
- Data Protection Audit Checklist
- Data Protection Audit Best Practices
- What are the Next Steps After an Audit?
Data Protection Audit Checklist
To conduct an audit, you need to ask yourself some key questions about your data, and record the results. Things to consider:
- What personal information do you have? List the categories of data subjects and the personal data collected for each. For example: current employee records, past employee records, customer data, marketing databases, and closed circuit TV (CCTV) footage. Does any of it fall into the GDPR's special categories of personal data (Article 9), such as health or biometric data? Do you collect and process children's data?
- Why do you hold this data? List the reasons for collecting and storing each type of data. Examples include marketing, service improvement, product development, human resources, and system maintenance. Do you actually use the data? Do you still need it? The audit needs to record the exact purpose and the legal basis for each processing activity (Article 6, e.g. consent, contract, legal obligation).
- How do you store it? How and when do you collect the data? Do you have a record of the storage location for each type of data, including copies held by processors and backups? Who can access it, and how is that access controlled? Is the data encrypted at rest and in transit?
- How long do you keep the data? Check the retention period and the point at which it is deleted. What is the justification for that retention period? What is the deletion process, and does it reach backups and copies held by processors?
Data Protection Audit Best Practices
Ensure your Data Protection Policies and Procedures are GDPR-Compliant and Relevant
Training and Awareness
During an audit, the supervisory authority (for example, Ireland's Data Protection Commission, DPC) verifies that the written guidelines are actually followed. By this point, all employees should be trained in their data protection obligations and the organization's policies, because the authority takes the staff's knowledge of data protection into account. Training records such as training plans, online assessment results, and related documents should be retained so you can demonstrate that employees have completed the appropriate level of training.
Understand Your Data
Make sure you have an up-to-date record of processing activities (GDPR Article 30) that documents the various ways the company processes personal data. For each processing activity you need to know exactly what you process, why, and how. This exercise also helps you identify relationships with third parties that require data sharing or data processing agreements (Article 28).
An effective data protection compliance program includes unannounced internal audits to check that everything is in order. This includes reviewing policies to keep them up to date, confirming that the organization can detect a personal data breach and notify the supervisory authority within 72 hours of becoming aware of it (Article 33), and conducting on-site checks for everyday security lapses such as files left open on an unsecured desktop, passwords written on notes at employees' desks, or employees leaving their workstations without locking the screen.
You also need to show that you have an appropriate reporting channel, defining how employees report data protection issues to your organization's Data Protection Officer (DPO).
How Secure is Your Data?
An unannounced audit should also confirm that your security controls are in place and working. Administrators must prevent unauthorized access to personal data, both on the organization's own systems and on systems operated by data processors. Consider technical measures such as encryption of personal data, anonymization and pseudonymization; note that pseudonymized data is still personal data under the GDPR as long as the key or lookup table that re-identifies it exists, so that key must be stored separately and access to it restricted. If you store data in the cloud, make sure your cloud service provider applies appropriate security measures and provides backup and recovery so that data can be restored if it is corrupted or lost. During the audit, the supervisory authority verifies that the relevant security requirements are met.
What are the Next Steps After an Audit?
Once you have run a data protection audit, you can begin working toward GDPR compliance. Based on the results of the audit, you will typically need to:
- Update the rights and responsibilities of stakeholders
- Put a process in place to handle data subject access requests
- Conduct data protection impact assessments (Article 35) and investigations as needed
- Appoint a data protection officer (DPO) where required
- Report personal data breaches to your supervisory authority (for example, the UK's Information Commissioner's Office, ICO) within 72 hours of becoming aware of them
- Ensure you have security measures for data at rest and data in transit
You can find many GDPR compliance templates on the Internet. However, it is best to use the results of your audit to adapt the standard templates so that they accurately reflect what you actually do with personal data.
Data Privacy Audits with NetApp Cloud Compliance
NetApp Cloud Compliance leverages cognitive technology to discover, identify and map personal and sensitive data for data privacy audits and other compliance purposes.
Use Cloud Compliance to maintain visibility into the privacy posture of your cloud data, generate crucial data privacy reports, and easily demonstrate compliance with regulations such as the GDPR and the CCPA.