September 2017 - When structuring and implementing GDPR privacy audits, we have noticed a few red flags that should be thought through and addressed by each company from the early stages of the privacy audit. The following note includes the most frequent red flags encountered in the previous privacy audits that we have performed.
Data protection compliance may not have been the highest priority for many companies in recent years. However, as the General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 and imposes significantly increased duties on both data controllers and data processors (including extremely large fines for various breaches), an increasing number of companies understand the importance of a review of their current procedures and related documentation and, where necessary, plan for changes to be made in order to be GDPR compliant.
We have broad experience with such data privacy audits, and we have identified below the most frequent red flags that we have encountered within our experience.
- Identification of all data flows and data storage – companies (or persons within such companies) often do not have a full picture of all data processing within the organisation. In order to be GDPR compliant, a company needs to know exactly where its data is located, where it may flow and who may have access to it – both internally (e.g. within the group) or third-party data processors. It is essential to identify and hold interviews with relevant individuals from multiple departments in order to obtain this information. As these people are generally not familiar with data privacy, it is very important to first properly explain to them what is meant by the term “personal data” and “data processing” to get the desired outcome
- Clarification of legal basis for data processing – personal data can only be held and processed for lawful purposes. It is of a vital importance for a company (or the responsible individuals) to identify such legal basis for data processing and have in place the related documentation. This includes mainly consents for data processing, privacy notices, and privacy policies, all of which needs to be identified, reviewed and, where necessary, amended in order to be GDPR compliant (especially given the new, restrictive approach taken by the GDPR on consent obtained for data processing).
- Notifications/Registrations – companies are very often not aware of the fact that they must provide a certain amount of data processing details not only to data subjects, but also to the relevant national data protection authority. Once the GDPR becomes effective, the obligation towards the local data protection authority will most likely cease to exist, but companies will have to notify the local authorities of various data breaches.
- Internal policies and procedures – compliance with various requirements set out by the GDPR often requires for the company to have in place various policies and procedures relating to the processing of personal data, e.g. data security, notification of data breaches, data retention, and access to personal data. This is especially important within large international organisations. It should be a priority for a company to ensure that up-to-date policies and procedures are in place.
- Legal basis for using data processors – when using a third-party data processor, a company must enter into a so-called “data processing agreement” with such data processor. Under the GDPR, there are significantly more requirements that must be included in such data processing agreements and, therefore, it should be assessed whether current agreements are in compliance with the GDPR, especially when data is transferred outside the European Union.
It is advisable to carry out a data audit during 2017, to ensure time in 2018 for the implementation of any required measures resulting from the audit. Such implementation measures may be of a legal nature (as described above). However, it could also involve the need to upgrade IT systems and therefore may require additional time and resources.