Data audits – do you know what you hold?

Many businesses and organisations completed data audits as part of GDPR compliance programmes in 2018. There are benefits of reviewing and refreshing these audits, and the various accountability measures that were put in place as part of the GDPR programmes, to ensure that compliance reflects current business needs.

29 August 2024


Since the implementation of the General Data Protection Regulation (GDPR) in 2018, technology has advanced and practices have evolved. Artificial Intelligence (AI), cloud computing, and remote working have all completely reshaped the data landscape. As a result, data protection accountability tools, processes, and historical audits may no longer be up to date. 

Developments in AI in particular have significantly changed the data protection compliance landscape. AI systems process data differently – depending on the type of AI used, they learn, adapt, and make decisions autonomously. When AI tools are introduced into working processes, existing registers of processing may not cover their nuances, and frameworks may need to be adapted to reflect these new technologies.

Many organisations carried out data protection audits for the first time as part of their GDPR compliance review, but compliance is not a static thing. Ensuring compliance with the GDPR is crucial for businesses and organisations, and conducting regular data audits is an essential part of this process. 

Conducting data audits helps organisations to identify and address vulnerabilities, and mitigate risks of any personal data being misused, unlawfully accessed, or lost. While UK-based businesses are now subject to the UK GDPR rather than the GDPR, the requirements remain broadly the same.

What is a data audit?

A data audit is a systematic examination of an organisation’s data processing practices to ensure compliance with data protection laws. 

The process requires mapping out how the organisation processes personal data from the moment data is received, through to deletion or destruction. It involves meticulously examining an organisation’s data practices to ensure alignment with legal requirements. 

Organisations are required to keep a record of processing activities (RoPA) for certain data, and this auditing process will provide the information that needs to be recorded and is required to meet other data protection compliance obligations. If the Information Commissioner’s Office undertakes any review of an organisation’s practices and procedures, the RoPA will be a key review element as it should demonstrate how data is processed within an organisation. 

What does a data audit involve?

The first part of the process is to gather information about your organisation’s use of personal data, usually done by way of a mapping questionnaire. This will gather insights from stakeholders by asking questions such as: 

  • what type of data is held; 
  • how is the data collected; 
  • where is the data used; 
  • who has access to the data; 
  • will the data be shared with other organisations; and 
  • how long will the data be held before being deleted from the organisation.

Following the mapping questionnaire process, the next stage is to assess the results and ensure that your RoPA reflects these results. This will also require a review of what the legal basis is for the data processing you are carrying out. 

The GDPR/UK GDPR requires that you can justify your processing by reference to one of a number of legal bases, such as:

  • necessity of processing for a contract you have entered into with the individual whose data you are processing; 
  • you have identified a legitimate interest; or 
  • you have obtained valid consent. 

These bases are set out in Article 6 of the GDPR/UK GDPR or, where special category or criminal records data is processed, Articles 9/10. In the case of the UK, further information about processing of special category data can be found in the Data Protection Act 2018. Another key issue to address at this stage is retention: how long is information being held for and is destruction/deletion actually taking place?

If data is being processed based on consent, part of the audit should also be an evaluation of the consent mechanism used when obtaining consent for processing personal data. It will be important to look at what records of consent are in place, whether there is appropriate evidence, and whether re-consenting is needed. 

If your organisation is sharing personal data with any third parties, such as suppliers or contractors, they should be included in the audit review. It is important to identify whether those third parties are acting as processors or controllers as the obligations placed upon them, when it comes to handling your organisation’s personal data, will differ.

You should check to make sure that the third party’s privacy notice is available and accessible to your organisation’s employees whose data is being processed by that organisation. Relevant here is the question of international transfers – it is important to identify where information is being transferred overseas and the basis on which that is being done. It may be necessary to put in place documentation to regulate that transfer. 

The final stage is to review internal policies and procedures and evaluate compliance with relevant laws and regulations. Privacy notices will need to be updated as well as other related policies, such as data protection, retention, and dealing with requests from data subjects to exercise their rights.

Crucial to the implementation of these policies and procedures is ensuring adequate staff training. Your staff must be trained to handle personal data in an appropriate manner to hopefully reduce the risk of data breaches occurring. Regulators will also look at your staff training regimes where there has been a breach to check that there has been appropriate training.

Remember, data audits are never static — they evolve alongside technology and practice changes. Processes should be put in place to ensure regular reviews.

How can we help you? 

Shepherd and Wedderburn provide expert guidance on data audits by customising audit processes to your needs. We have the experience to know how to scope the project with you, ensuring that key business areas are identified and results produced in an effective manner, while identifying gaps and agreeing priorities for future compliance.

To find out how we can help your organisation comply with data protection laws, contact Partner Joanna Boag-Thomson here.