The legal experts at DPP GDPR can provide valuable help and advice before and after a GDPR audit. Call us today on 0333 200 5859.
It may be necessary for the ICO to carry out an audit to assess your approach to GDPR and data protection issues.
New European data protection regulations – GDPR, by another name – were implemented in May 2018.
This acronym stands for “General Data Protection Regulation”. The legislation states that all businesses that process or hold personal data must follow guidelines to protect it.
To help organisations ensure they comply, it is possible to arrange data protection compliance audits.
The audits are carried out by the ICO (Information Commissioner’s Office) – the official body that regulates GDPR and data protection in the UK.
A variety of outcomes are possible. When carried out in relation to your company, an audit may find that there is:
- High assurance that you are delivering full data protection compliance
- Reasonable assurance of this
- Limited assurance
- Very limited assurance
Depending on their findings, you may need to make basic, moderate or major changes to your practices. If you do not take their advice, you’ll risk being inspected for failure to adhere to GDPR or the Data Protection Act 1998.
If you would like our solicitors to help you to prepare for a GDPR audit, make the required changes afterwards or appeal the outcome, contact us today on 0333 200 5859.
Why audits are necessary for businesses
Most organisations use data to some degree – from the contact and payroll information of their staff to the email addresses of their clients.
An audit can help you to discover how you may prevent data breaches – whereby unauthorised people may access personal information. It will also highlight any gaps in your current GDPR compliance.
Specialists from the ICO will attend your place of work, speak to relevant staff members and analyse your processes. They’ll then give you valuable advice on how to guard against any breach of data protection that may lead to fines or prosecution.
Putting this advice into practice will allow you to keep all your collected data secure. It will also help you to ensure your handling of data is undertaken legally.
How our GDPR solicitors can help
Our solicitors can examine your practices and offer advice before the ICO visit your place of work.
We’ll look into:
- Your approach to processing data
- How you manage the risks associated with storing or processing data
- The way your staff work together to meet the requirements of GDPR
- How well your employees understand their privacy-related responsibilities
- The activities and approach of your Data Protection Officer
- Whether your processes, activities and databases uphold the same level of compliance across the board
- The quality of the records you keep and the analyses you perform of all data-related activities
- The quality and scope of all documentation relating to GDPR
- All approaches you have taken to ensure the security of the data you collect
- How well you uphold all eight data subject rights
Data subject rights include:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making and profiling
We’ll also advise you on the best way to undertake particular duties, including Subject Access Requests.
As well as this, our data protection solicitors can provide legal advice on:
- GDPR Compliance
- GDPR Appeals
- Internal Investigations
- Data Protection Contracts
- Contract Law
- GDPR HR Support
- Technology Law
- Dealing with Data Breaches
What does an audit normally cover?
If the Information Commissioner’s Office undertakes an audit for your company, you should expect them to examine:
- Your general approach to GDPR and your standard of accountability
- The specific policies and processes you have put in place
- The systems you adhere to when responding to Subject Access Requests
- All means by which you share data with third parties
- Your practical approaches to data security
- How you train and educate staff about data protection
What happens after a GDPR audit?
Following an ICO audit, you will be expected to make all required changes to maintain proper GDPR compliance.
Remember: there will usually be a follow-up review around half a year after the original audit. You should aim to implement as many changes as you can before that time.
We recommend that you:
- Examine the auditors’ comments closely
- Seek advice from legal experts if changes are to be made
- Amend or update any policies or approaches that have been flagged as insufficient or out of date
- Run through the data subject rights listed above and ensure that you are upholding each
- Ensure you have a full procedure in place for handling data breaches
- Act on any changes the auditors suggest to your approach to Subject Access Requests, data security, data transfer or any other matter
- Appoint a data protection officer if you have not yet done so
- Implement data sharing safeguard policies and undertake data privacy impact assessments
Frequently asked questions about data protection audits
How does the ICO conduct an audit?
If you are able to arrange an audit with the ICO, you’ll agree to the steps they’ll take before they pay their first visit.
They will then do the following:
- Research and review all of your data protection policies and procedures
- Talk to relevant members of staff
- Examine data relating to your activities surrounding GDPR
- Run tests both off and on site
- Visit all relevant parts of your business to check that your approaches are working well in practice
- Create an in-depth report and a basic summary of the audit. The first will be given to you so that you can make any specified changes. The second will be published on the ICO website
How long does a GDPR audit take?
This depends on the size and complexity of your company. Usually, the ICO will visit your company in person over no more than three days, and the final reports will be with you within 30 working days.
How long is data stored following a GDPR audit?
GDPR legislation states that data can only be retained as long as it is being used in the way for which it was originally collected.
The ICO will need details of your original audit to inform their review after six months. Furthermore, a summary of your audit will be available on the ICO’s website for a year. They will retain information about your company at least until that is removed.
If there are follow-up inspections or you face a penalty for non-compliance, the ICO may keep your data until those matters are resolved.