Independent GDPR auditing
After the initial launch of a GDPR compliance program, companies face the evident challenge of turning its results into everyday practice and into a set of processes that become part of the organization's standard audit model. For these processes to achieve their aim, they also need to be subject to continuous monitoring and improvement, to have measurable indicators and to be suitable for maturity modelling.
Taking into account that the GDPR is unlikely to remain static, the process model should additionally give practicing data privacy officers and undertakings the opportunity to adapt and improve their data protection and privacy provisions in line with new requirements or with the results of internal and external reviews. This degree of flexibility requires that data protection and privacy be integrated with the existing management systems, so that a standardized and recognized approach towards maturity and continuous improvement is used.
The performance of privacy protection across the personal data lifecycle needs to be examined with the highest priority. Once the GDPR applies, the supervisory review process and the possibility of inquiries from data subjects automatically create the need for regular reviews, inclusion in audit programs and other good practices within 'the three lines of defense' (i.e. first line: internal control and audit; second line: information security and compliance; third line: risk management and financial control) in the undertaking.
Internal control and audit function
Data Protection and Privacy (DPP) has always been a part of the entire internal control system, but the GDPR requires review and updating of these controls. Companies and audit officers need to include personal data protection controls in the planning of their programs and document them in compliance with the overall assessment.
In practice, it has been proven that companies with a pro-active attitude towards external audit and independent review are more effective and require fewer resources if and when a supervisory review is performed.
Ensuring impartial supervision
Impartial supervision should be guided by a process which defines the roles and responsibilities, scope, frequency and objectives of the supervisory activities. The process should comprise not only the DPO functions, but also the functions of other organizational units (usually the auditor's function) which participate in the provision of impartial supervision. The process should define:
- Organizational roles performing and ensuring impartial supervision
- Roles and responsibilities (Responsible, Accountable, Consulted and Informed (RACI)), including proven impartiality
- Objectives and scope of the supervision activities
- Frequency of risk-based supervision activities
- Procedures and guidelines for planning, integration and accounting
Processes, procedures and other elements of management, related to impartial supervision, should further ensure the principle of transparency, as well as separation of governance from data management.
Data Protection and Privacy provisions need to be subject to independent review within the enterprise. In the first instance, this review task belongs to the DPO as the formal representative required by the Regulation.
Experience with previous data protection activities shows that this alone cannot provide a complete and accurate view of the arrangements between all participants in the process, as the DPO function is often overloaded and at times constrained by the complex dependencies in personal data processing. This requires companies to introduce a set of controls, including independent, usually external, reviews of the DPO function itself and of the internal control system, with a focus on personal data.
Performing a GDPR-related gap analysis audit and preparing a report
The GDPR audit will be performed by recognized experts in the field of information technology and system security. The approach will follow best practices for auditing organizations across different lines of business. The audit is described below:
a. Obtaining, identifying, classifying and locating personal data
Systems in the organization which contain, or may contain, personal data on their media will be identified, along with the databases they use. Personal data, or sets of data which can be considered personal, will be defined and classified. A non-compliance list will be prepared for:
- Data lifecycle management.
- Management and administration of personal data identification.
- Maintenance of data classification.
- Maintenance of the personal data register.
- Management of special categories of data.
- Erasure management (the right to be forgotten).
b. Verification of personal data-related risk management
Personal data-related risks, evaluation of risk factors, impact, treatment and validation of risk when working with data will be verified.
c. Personal data security management
The entire security and management of processes and policies related to personal data will be verified, including a review of user groups, roles for access to systems and applications, and identification of those who work with personal data. The methods for assigning employees' rights in the following cases will be reviewed:
- Joiner process
- Leaver process
- Mover process
Protection of systems will be increased by separating levels of access and limiting them to the minimum necessary for the performance of official duties, with recommendations for protecting and optimizing the roles and rights of access to information in the organization. A non-compliance list will be prepared for:
- Anonymization and pseudonymization management.
- Cryptography management.
- Protection levels management.
- Sustainability management.
- Access management.
- Testing and assessment management.
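One way to operationalize the joiner/mover/leaver and least-privilege review described above, as an added illustration that is not part of this audit offering: a small Python reconciliation of an HR roster against the entitlements currently granted in an access management system, checked against a per-role baseline. The roster, the grants, the role names and the baseline are all constructed for the example; a real review would pull them from the HR system and the identity provider.

```python
"""Joiner/mover/leaver access reconciliation (added example, not the audit's own tooling).

Flags three classes of findings a reviewer of access rights looks for:
  - leaver_active: a person HR marks as left still holds entitlements
  - orphan:        an account with grants but no HR record at all
  - excess:        an active person holds rights beyond their role's baseline
                   (typical of a mover who kept the rights of a previous role)
"""
from datetime import date

# Constructed HR roster as of the review date (assumed format).
HR_ROSTER = {
    "u001": {"name": "Alice", "role": "hr_admin", "status": "active", "left": None},
    "u002": {"name": "Bob", "role": "support", "status": "left", "left": date(2024, 3, 1)},
    # Carol moved from support to finance; her old ticketing right was never removed.
    "u003": {"name": "Carol", "role": "finance", "status": "active", "left": None},
}

# Constructed snapshot of entitlements held in the access management system.
ACCESS_GRANTS = {
    "u001": {"hr_db:read", "hr_db:write"},
    "u002": {"ticketing:read"},
    "u003": {"ticketing:read", "ledger:read"},
    "u004": {"hr_db:read"},  # no HR record: orphan account
}

# Hypothetical least-privilege baseline: the rights each role is allowed to hold.
ROLE_BASELINE = {
    "hr_admin": {"hr_db:read", "hr_db:write"},
    "support": {"ticketing:read"},
    "finance": {"ledger:read"},
}


def reconcile(roster, grants, baseline):
    """Return a list of (user_id, finding_type, sorted_rights) tuples.

    Every account that holds at least one grant is examined; accounts whose
    grants exactly fit their role produce no finding.
    """
    findings = []
    for uid, perms in grants.items():
        rec = roster.get(uid)
        if rec is None:
            findings.append((uid, "orphan", sorted(perms)))
            continue
        if rec["status"] == "left":
            findings.append((uid, "leaver_active", sorted(perms)))
            continue
        allowed = baseline.get(rec["role"], set())
        excess = perms - allowed
        if excess:
            findings.append((uid, "excess", sorted(excess)))
    return findings


def summarize(findings):
    """Count findings per type, which is what a non-compliance list is built from."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for uid, kind, rights in reconcile(HR_ROSTER, ACCESS_GRANTS, ROLE_BASELINE):
        print(f"{uid}: {kind} -> {', '.join(rights)}")
    print(summarize(reconcile(HR_ROSTER, ACCESS_GRANTS, ROLE_BASELINE)))
```

The baseline is deliberately a set of rights per role rather than per person: that is what makes "excess" meaningful, and it is also the artefact an auditor asks for as evidence that access is limited to what official duties require.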
d. Management of the personal data supply chain
Processes, contracts, and internal and external relationships with your suppliers will be verified. A non-compliance list will be prepared for:
- Management of controllers and processors.
- Management of sub-processing.
- Maintenance of processing agreements.
- Supply chain impact management.
- Maintenance of the supply chain controls.
e. Management of incidents and personal data breaches
Possible breaches of security during data processing will be assessed, and the working process optimized to allow preventive identification and resolution of potential problems. Risk will be minimized by improving the security of the whole communication infrastructure and reducing the likelihood of failures and breaches. A proposal for a comprehensive technical solution that supports secure operation of the organization to the greatest possible extent will be prepared, in line with good contemporary global practices. The processes related to a breach or leakage of personal data in a negative scenario will be verified. A non-compliance list will be prepared for:
- Notification management.
- Management of communications to data subjects.
- Implementation of crisis and incident management.
- Management of evidence and claims.
Recommendations for increasing the efficiency of crisis measures (recovery from breaches, personal data leakage into the public space, information losses and other disasters), including evaluation of damages and losses, containment of scope, and reporting the problem to the responsible authorities.
f. Developing and maintaining qualifications and knowledge of the Regulation
The processes related to the knowledge and training of employees directly concerned by the Regulation will be verified. Their skills and competence, as well as the need for further qualifications, will be reviewed.
g. Role and function of a DPO within a business
The necessity of appointing a data privacy officer (DPO) will be reviewed. A non-compliance list will be prepared for:
- Maintenance of the DPO function.
- Budget and resources management.
- Organizational interfaces management.
- Accounting management.
- External services management.
h. Maintenance of internal controls
The available internal controls for personal data processing will be verified and evaluated, together with the current impact of internal audit (control) on personal data. A non-compliance list will be prepared for:
- Maintenance of controls for data obtaining.
- Maintenance of processing controls.
- Maintenance of storage controls.
- Maintenance of erasure controls.
- Maintenance of monitoring controls.
- Independent review conduct.
- All necessary procedures, documents, internal rules and policies.
i. Personal data maintenance and management
The systems and formats through which personal data is exchanged will be determined, together with the approval processes, procedures and data flows. Recommendations will be prepared for protecting the exchange of data between systems and applications and for optimizing the control and approval hierarchy. The current framework for personal data management will be evaluated and recommendations will be prepared for:
- Creation of a framework for personal data management and protection.
- Maintenance of the processing register.
- Maintenance of the binding corporate rules (BCRs).
- Maintenance of consent rules.
- Maintenance of the rules for data requests from subjects.
- Maintenance of rules for complaints management.
- Provision of impartial supervision.
Price: open to negotiation
The duration of the audit depends on the environment, scope and level of cooperation of your organization.