Data protection audit in the organization

Bartlomiej Niezabitowski

Protecting personal data is not just about preparing the documentation required by law. What aspects of the company’s operations should be analyzed to assess the level of personal data protection?

The protection of personal data is not just about preparing the documentation required by law; it is a continuous process that requires constant improvements, corrections, and education of employees and the management team. In order to identify the aspects that need to be corrected or prepared again from scratch, it is essential to carry out a compliance audit that verifies whether the requirements imposed by personal data protection and information security law are met. Importantly, an audit is not equivalent to the implementation of GDPR. A properly conducted audit shows what personal data is processed in the organization and how. On that basis, decisions can be made on the scope and manner of implementing an internal personal data protection system.

What should a data protection audit cover?

Firstly, the company has to conduct an audit of its current activities and the implementation methods (if any) used in the organization. The basis for such an audit is an interview of employees from the various departments where personal data is processed (HR, marketing, IT, accounting, etc.). Personal data protection concerns a living organism, so the most valuable information will be obtained from the people who are in daily contact with the data. While examining particular departments, it is also possible to check the authorizations to process personal data that the personal data administrator (the controller) has granted to employees. The next step is the so-called mapping of personal data processing: determining the scope and categories of data processing operations, the purpose of processing, the legal grounds, and whether data is entrusted to third parties or transferred to other countries. Once these issues have been established, it is possible to review the existing documentation for completeness, timeliness, and correctness.

The basic components of the documentation are mainly information clauses, registers, and internal procedures (e.g. for handling security incidents). An important step is a detailed inspection of the areas where personal data is processed, during which the ways of storing personal data and securing its processing should be examined. It is a practical solution to verify, in parallel, the applications, devices, and IT systems used for data processing, and to determine how each of them is secured.

If the organization runs its own website or online shop, the legality and security of processing the data obtained there (e.g. via the contact form) should be carefully verified: compliance with the information obligation, the privacy policy, the cookie policy, and an encrypted connection using an SSL/TLS certificate. At the same time, it is crucial to analyze the content of the marketing consents used for newsletters, telemarketing, or mailing. If the company uses external providers in this respect, the relevant contracts should be reviewed for provisions regarding data protection and the liability of the parties.

Most common gaps and mistakes in data protection

A precisely conducted audit will identify potential risks of personal data breaches and assess the likelihood of their occurrence. Some of the most common shortcomings include granting unauthorized access to personal data, missing or incomplete personal data protection documentation and procedures, failure to encrypt or password-protect files containing personal data, and procedures that no longer reflect the current state of processing.

Communicating vessels

In order to ensure that the processing of personal data complies with GDPR and internal regulations, each department needs a designated person responsible for the area of data processing. In particular, the legal department must cooperate with all senior and junior managers, the IT department, and the HR department, which plays a key role in planning education and raising employee awareness of information security (planning and implementation of training, knowledge verification, etc.).

Audit and what’s next?

After each audit, it is useful to prepare a report containing a list of deficiencies and issues requiring improvement or change. The report should include recommendations for corrective measures, which should be shared with everyone involved in the process. For the post-audit recommendations to be implemented successfully, the next step should be to assign appropriate roles to the project participants and appoint a person responsible for coordinating the entire process within the established timeline.

Finally, it is worth appointing a Data Protection Officer (DPO); in some cases, the appointment of a DPO is mandatory (Article 37 GDPR). However, even when there is no legal obligation for an entity to appoint a DPO, doing so is regarded as very good practice. The Personal Data Protection Authority looks favourably on selecting a person who is in charge of supervising compliance with data protection legislation.

A perfect solution for the DPO

When performing daily tasks, each DPO can use the GDPR Productive24 application. This solution allows the DPO to securely and efficiently manage the area of personal data processing in the organization. The system is built with Productive24 technology, so it can be easily modified and adapted, and flexibly adjusted both to the needs of the enterprise and to changes in the law. This solution provides, for example:

  • easy data access;
  • a notification system;
  • authorization and request management;
  • risk management;
  • registers related to the processing of personal data.

Personal data protection – the Deming cycle

As mentioned above, carrying out a data protection audit, providing the necessary recommendations for improvement, and implementing them are only part of data protection in an organization and do not by themselves guarantee the DPO a peaceful night's sleep. Given the nature of the issue, the management of personal data in an organization should be treated as a continuous process that has to be constantly monitored and optimized. A key part of this process is a precise data protection audit conducted on a regular basis.