Data Protection Audits
Discover our range of Data Protection Audit services and get practical legal advice and guidance on our reported findings once the audit is complete. A data audit is the foundation on which you can achieve data protection compliance, and it is therefore a sound basis for establishing the data protection framework that every business needs.
Auditing and evaluating your business data
The word audit conjures up all sorts of fears for businesses. A data audit is not intended to create any fear; it should instead be embraced as a positive step. Our data protection team at Ellis Jones has experience of working with businesses of all sizes, including start-ups, and we recognise that businesses may not fully appreciate or understand the full implications of the data protection laws and regulations that may apply. We also understand that a data audit is likely to seem a luxury for many businesses.
However, whilst these may seem like luxury costs to businesses, a data audit can in fact be hugely beneficial and cost-effective. It gives you a detailed understanding of how data flows within your business and whether you are following best practice and complying with data protection laws. It can also accelerate growth and give you a competitive edge, because data can be a valuable asset to any organisation. Having a clear understanding of how your business protects its data and what improvements may be needed is invaluable. Data protection is not just a matter of complying with data protection law; it also requires sound security systems and protocols to be in place. A data audit analyses all of these aspects and identifies inconsistencies and gaps for improvement.
A typical data audit will cover the following areas:
- Data sharing
- Data transfers
- Data flows internally and externally
- Business functions – core processes and secondary processes
- Relevant data sets and whether a data classification system is required
- Governance and accountability
- Awareness training gaps
- Records management
- Information risk assessments (data protection impact assessments, or DPIAs) and the management of these
- Data subject access requests
- Direct marketing – are you doing it within the confines of the data protection laws?
- Data retention
- Data processors and sub-processors
- Where is data kept, stored, backed up or archived?
- What security measures are in place?
- Roles and responsibilities
- What documents, policies and processes are recommended?
Benefits of a data audit
A data audit can be hugely beneficial to your business. The purpose of a data protection audit is to fully understand what systems and processes you have in place for data protection and information security.
It gives you a full analysis of how the data flows within your business and what happens to that data. It helps you to raise awareness of data protection within your business because the audit involves personnel across all sectors and defines what measures are currently in place or what needs to be added.
Our data audit services differ from our strategic planning services because the sole purpose of the audit is to detect any shortcomings and possible issues with compliance with the data protection laws, and to make recommendations for rectification. Our strategic planning, by contrast, is focused on driving the business forward rather than on the detailed top-to-toe analysis of your business that a data audit provides.
What happens after the data audit?
After we have completed our review and the data audit, we prepare a comprehensive report which summarises the findings and puts forward recommendations for rectification. The report will also identify any urgent rectifications needed where an issue may expose the company to compliance risk. It is completely privileged and remains entirely confidential to your business.
Most recommendations can be remedied quickly, but some may require more careful consideration and possibly further investment. Where we identify gaps in your policies, we will recommend the implementation of the relevant policies, backed up by the procedures and processes that apply to your organisation.
ICO data audits
Often, we are asked why a business should incur the internal and external costs of a data audit, given that there is no legal requirement for any business to have a data protection audit. Best practice is to have one undertaken and to ensure audits are carried out annually, but many businesses do not appreciate the benefits of having one, as data protection is not always a priority.
One thing that is often overlooked, however, is the power granted to the ICO under the GDPR to undertake its own audits and spot checks of businesses. Having your own audit, with a detailed report, could prevent further audits or at least reassure the ICO that your business takes data protection very seriously and has an appropriate data management system in place.
Data Protection Audit FAQs
What does a data protection audit look like?
Our data protection team have worked with many businesses of all sizes, so an audit will vary according to each business's needs. In addition to applicable data protection laws, industry standards and regulations may also apply depending on the sector your business operates in.
This can change the scope of the audit and what may be required.
In summary, a data protection audit assists with the following:
- Ensuring data protection procedures are in place and being followed
- Raising data protection awareness externally and internally
- Making recommendations for internal and external improvements
- Identifying flaws and vulnerabilities
- Improving staff awareness
How long does a data protection audit take?
Each data audit is unique to the business's needs, and the audit timescales depend on the size, scope and requirements of your business. However, we would typically expect an audit to last anything from 2-3 days to 1-2 weeks.
How do you request a data protection audit?
Our clients often request a data protection audit after a scare or incident which requires more in-depth analysis. However, our view is that a data protection audit underpins the data protection framework for any organisation, so we advise you to request an audit at the earliest opportunity.
The ICO has powers to carry out their own audits of your business, so it is wise to undertake an audit and to ensure that these are undertaken at least once a year to maintain compliance.