Note: This is the seventh of an ongoing series on GDPR. We’ll be preparing you all the way to May 2018 on topics like: Privacy Protection and Breach Notification, GDPR Compliance Strategies, GDPR Enforcement and Penalties, Potential GDPR Costs, GDPR Auditing and more. Subscribe using the button on the right and you’ll be updated when we post a new article.
Today we will discuss auditing for GDPR. Auditing can be looked at from a couple of perspectives: auditing done in preparation for GDPR, and auditing performed afterwards to confirm compliance. Either way, auditing will play a large role in any GDPR program.
A major part of preparing for GDPR is knowing what data an organization has, where the data is located, how that data is transmitted and processed and — most importantly — how it is secured. The amount of data that companies process has only grown over time. Now, with the advent of cloud technologies, it is ever more important to perform audits to uncover what data is maintained and where the data is, including in authorized or unauthorized cloud services.
When assessing whether or not the company’s data is ready for GDPR compliance, some key points to grapple with are: what level of encryption is applied to stored data, who has access to the data, what data center certifications are present, and whether Personally Identifiable Information (PII) is shared with third parties. Another insight provided by auditing (especially in cloud data environments) is whether a Data Processing Agreement (DPA) is in place with the third party. This is required by GDPR.
Auditing to remain compliant once GDPR is being enforced brings about a discussion of Data Protection Authorities (DPAs). A DPA will be appointed in every member state of the EU, tasked with enforcing the GDPR within that member state. The broad tasks they are charged with include hearing and addressing claims of breaches brought forth by data subjects, i.e. the citizens.
They will also monitor businesses and organizations that process or maintain the data. If a DPA suspects any breaches, it can initiate investigations into them. The DPAs also establish the requirements for impact assessments. Any organization that is subject to GDPR will benefit greatly from maintaining awareness of the DPA that enforces GDPR in the member states affecting it, as this can provide insight into what needs to be audited in order to ensure compliance.
As with many of the topics related to GDPR, the specifics of how it will be enforced across EU Member States can be vague at times. Unfortunately, it seems that many experts won’t know how or what to expect until the GDPR becomes effective in May 2018. However, what is extremely clear is that preparing for GDPR enforcement, or remaining compliant, will require robust auditing activities. Auditing the technology and the processes needs to be an ongoing effort for businesses as we move forward with GDPR.