Data Protection Audits

Discover our range of Data Protection Audit services and get practical legal advice and guidance after the audit and our reported findings, post-audit. A data audit is the foundation on which you can achieve data protection compliance. It is therefore a great basis for establishing a framework which is necessary for any business. 

Auditing and evaluating your business data

The word audit conjures up all sorts of fears for businesses. A data audit is not intended to create any fear and is in fact to be embraced as a positive step to be undertaken. Our data protection team at Ellis Jones has experience of working with businesses of all sizes, including start-ups and we recognise that businesses may not fully appreciate or understand the full implications of the data protection laws and regulations that may apply. We also understand that data audits are likely to be a privilege for many businesses.

However, whilst these may seem like luxurious costs to businesses, a data audit can in fact be hugely beneficial and cost-effective. It enables you to have a detailed understanding of how data flows within your business and whether you are following best practices and compliance with data protection laws. It can also accelerate growth and give you a competitive edge because data can be a valuable asset to any organisation. Having a clear understanding of how your business protects its data and what improvements may be needed, is invaluable. Data protection is not just complying with the data protection laws but also involves having a good security system and protocols in place. A data audit analyses all of these aspects and identifies gaps for improvement and inconsistencies. 

A typical data audit will cover the following areas:

• Data sharing
• Data transfers 
• Data flows internally and externally
• Business functions – core processes and secondary processes
• Relevant data sets and whether a data classification system is required
• Governance and accountability
• Awareness training gaps
• Records management
• Information risk assessments (DPIAs) and the management of these
• Data subject access requests
• Direct marketing – are you doing it within the confines of the data protection laws?
• Data retention
• Data processors and sub-processors
• Where is data kept/backed up / stored/archived?
• What security measures are in place?
• Roles and responsibilities
• What documents, policies and processes are recommended?

Benefits of a data audit

A data audit can be hugely beneficial to your business. The purpose of a data protection audit is to fully understand what systems and processes you have in place for data protection and information security.

It gives you a full analysis of how the data flows within your business and what happens to that data. It helps you to raise awareness of data protection within your business because the audit involves personnel across all sectors and defines what measures are currently in place or what needs to be added. 

Our data audit services differ from our strategic planning services because the sole purpose of the audit is to detect any shortcomings and possible issues with compliance with the data protection laws. The audit also makes recommendations for rectification whereas our strategic planning is more focused on driving the business forward rather than a detailed analysis of your business from top to toe, which is what a data audit does. 

What happens after the data audit?

After we have completed our review and the data audit, we prepare a comprehensive report which summarises the findings and puts forward recommendations for rectification. The report will also identify any urgent rectifications which may expose the company to any compliance issues. It is completely privileged and remains entirely confidential to your business. 

Most recommendations can be remedied quickly but some may require more careful consideration and possible further investment. Where we identify gaps in your policies, we will recommend the implementation of the relevant policies which will be backed up by those procedures and processes that apply to your organisation.

ICO data audits

Often, we are asked why a business should incur the costs both internally and externally for data audits. This is because there is no legal requirement for any business to have a data protection audit. Best practice may be to have one undertaken and to ensure these are carried out annually, but many businesses do not appreciate the benefits of having one, as data protection is not always a priority.

The one thing that is often overlooked, however, is the powers granted to the ICO under GDPR, which is to enable the ICO to undertake its own audits and spot checks of businesses. Having your own audit with a detailed report could prevent any further audits or at least reassure the ICO, that your business takes data protection very seriously and has an appropriate data management system in place.