Peace of mind: A privacy audit can provide peace of mind about how data is being handled and stored
8 things to consider when conducting a privacy audit
Data protection is high on the agenda as companies strive to comply with regulations such as the EU General Data Protection Regulation (GDPR). At a time when companies collect vast amounts of information, privacy audits assess whether organizations are in a good position to earn customer trust and meet their regulatory obligations.
Privacy audits provide valuable insight into improving data handling practices, says Robert Grosvenor, managing director of disputes and investigations at consulting firm Alvarez & Marsal. “Ultimately, this helps support better data governance and trust at a time when good data management is critical to business strategy.”
The benefits of conducting a privacy audit are clear, so what do you need to consider?
#1 – Define a clear purpose and scope
There are a number of options, so it’s important to determine the purpose and scope of the audit, says Camilla Winlo, director of privacy at professional services consultancy Gemserv.
Grosvenor agrees. In some cases, it might make sense to conduct a “collaborative, less formal health check or assessment” of the privacy function, he advises. “A practical roadmap for improvement can then be put in place with the aim of proactively engaging stakeholders and raising awareness of the importance of privacy.”
#2 – Outline criteria and a methodology
A privacy audit requires criteria and a methodology. “It might be possible to audit against a third-party standard like ISO 27701 — or it might be necessary to create a bespoke audit plan based on requirements set out in documents like policies, procedures and contracts,” says Winlo.
Once the audit criteria are set, companies should consider the evidence they need to verify and how they will collect it. This could include spot checks, interviews, documentation reviews, and testing, Winlo says. “The auditor must examine sufficient evidence to determine whether the processing activities are always, sometimes or never compliant. Where they disagree, organizations need to assess how big the gap is.”
#3 – Know what data you have and what you use it for
When conducting a privacy audit, it’s important to identify the data you have, where it’s stored, and what you’re using it for. “Once you know what data you have, you need to identify where you got it from,” says Nigel Jones, co-founder of the Privacy Compliance Hub. “Then you can work out what rights you have in this regard; what you do with it; where you store it; how long you keep it; and what happens when you no longer need it.”
This basic inventory forms the basis for the rest of your audit, as well as your record of processing activities (ROPA), he says.
But there’s no point in keeping data safe within your organization if you’re going to share it with others who don’t respect it, Jones points out. “Make sure you have a list of all the organizations you share information with; have made agreements with everyone; and be ready to demonstrate why you think processing data is safe.”
GDPR compliance requires data to be used only for the purpose for which it was collected, so you need to show your organization is committed to this principle, says Jamie Akhtar, CEO and co-founder of CyberSmart.
You also need to determine how your company protects data and ensures its accuracy, he adds.
#4 – Don’t overlook shadow data
When conducting the audit, don’t forget “shadow data” – the information typically extracted from company systems into a spreadsheet or database and used by teams within the company.
“This type of information, which can be personal and sensitive, often falls outside of other privacy and security controls,” says Darren Wray, head of Guardum’s privacy solutions at DFIN and author of The Little Book of GDPR: Towards Compliance.
#5 – Think about business processes and employee awareness
Auditing isn’t just about the data itself: Organizations should consider business processes and employee awareness of compliance and privacy issues, says Wray.
Education is a key factor, he says. “Make sure there is a process to raise employee awareness and that all employees – including the leadership team – go through the training.”
#6 – Focus on consent
Obtaining consent is absolutely critical to handling data and ensuring compliance. Active and ongoing consent is key to GDPR compliance, but simply using cookie pop-ups to record consent “isn’t enough,” says Russell Howe, VP EMEA, Ketch. “Instead, you need clear, contextual consent mechanisms that allow users to understand and control exactly what data is collected and how it is controlled.”
Organizations need to determine whether the company has legitimate grounds for processing the data, Akhtar says. “You also need to show how you get consent from customers to use their data.”
Organizations need to be able to demonstrate how consumers can access their data when making a request for access. At the same time, companies should be able to demonstrate compliance with subjects’ right to have their data erased, says Akhtar.
#7 – Document everything
Organizations need to make sure they document everything. This offers you the opportunity to prove your data protection credentials if required.
The GDPR requires “verifiable compliance,” says Howe. “Keeping clear records of how you handle data is critical when it comes to communicating with users and regulators. It also becomes a lot easier to reduce or waive penalties if you or your partners make a mistake.”
#8 – Data security and data breaches
Under the GDPR, companies must be able to demonstrate the technical security measures they have in place, including how they protect data physically and digitally, how they secure it and how they anonymize it.
At the same time, organizations should be able to demonstrate that they have a robust incident response plan in place in the event of a data breach. “This includes notifying the authorities, documentation and insurance,” says Akhtar.