GDPR ON-SITE AUDITS
Let us check your compliance.
DPAS now offer the service of performing a GDPR and Data Protection Audit on your school or authority.
OVERVIEW OF OUR AUDIT
Our Data Protection Audit can assist in ensuring that all functions within an organisation are compliant in line with the General Data Protection Regulation (GDPR). The law requires you to demonstrate compliance and we have designed our audit product to mirror the one the regulator would use when you are being investigated for a data breach.
The audit and subsequent report can be used by your organisation to target your resources to key areas of compliance and data security.
The tools by which we audit are an effective way of collating information on key business processes, policies and systems and highlighting areas for improvement or where there may be issues within your organisation. The initial discovery comprises sectioning key functional business areas into a number of subsections – those which are audited by the ICO. These sections are then scored depending on the level of compliance currently achieved (these scores are weighted). From this discovery piece we can then provide you with a report containing the information collected and heat maps per organisational department. The heat maps and charts indicate the more urgent areas but will still list areas for improvement which are lower risk.
Both the heat maps and full report are beneficial in determining areas for focus and areas which are fully compliant. Dependent upon any gaps your organisation has, Data Privacy Advisory Service can provide further services around solutions and remediation plans where policies and procedures may be absent.
The scope of the audit will be structured into the sections which the ICO has published as forming its official audit. These are:
Governance and accountability
Training and awareness
Security of personal data
Subject access and data portability
Information Risk Assessment (DPIA) and Management
Freedom of Information (FOI)
Within each of these sections, we will pose several questions to your organisation including questions about the processes, capabilities, policies and systems that you have in place. The aim of the audit is to fully encompass all areas within an organisation and identify gaps. A full scope is necessary in order to provide an incremental approach towards complete compliance in terms of data protection.
1. Phone Interviews
Interview key personnel to complete our Audit Compliance Tracker, determine the first-stage current level of compliance within the organisation and highlight immediate gaps.
2. Offsite Checks
Carry out an offsite high-level review of current documented procedures and policies and a list of systems in place. This is so that these can be discussed in full during the onsite assessment and initial risks can be identified beforehand.
3. Onsite assessment
During the audit, our tool will be completed by assessing the risk behind structured sections with relevant stakeholders – these mirror those which the Information Commissioner’s Office (ICO) would review during its own audit. As good data protection requires a culture to be adopted by an entire organisation, it is important that we assist in encouraging an ‘amnesty culture’ whilst onsite. Employees must be truthful in relaying current ways of working to guarantee that any risks can be identified and therefore remediation plans put in place.
Once the onsite assessment is complete, we will produce an in-depth report highlighting all areas raised as a risk. This will additionally be translated into graphs and charts to highlight areas of higher risk and aid in prioritisation moving forward – each section will be scored by the weightings of the questions within the auditing tool. Dependent upon what risks are found, DPAS can provide further support and services in moving towards 100% compliance against the report produced. The graphs and charts within the audit tool will allow a visual representation of your status of compliance as steps are put in place. For example, areas which were previously red and require ‘major work’ may turn to blue ‘compliant’ if the suggestions DPAS make are actioned.
WHY USE DPAS FOR YOUR AUDIT?
With close to 20 years of data protection experience, we formed the Data Privacy Advisory Service to provide organisations with a pragmatic approach to data protection. We are not your average compliance company, driven simply by numbers and red tape. We care about the organisations we work with, and the data that they hold on customers and employees. It is important to us that the services and products we provide are useful, accurate and clear.
Having worked with a number of clients within different sectors, we are able to provide a strong understanding of best practices alongside the ICO’s guidelines. The tools which we have created are an efficient and effective way of moving towards compliance pragmatically.
BENEFITS OF HAVING AN AUDIT
We understand that organisations don’t always have a significant amount of time or resources to ensure compliance across departments. The timescale of our audit is 2 days in total, including an offsite review, onsite assessment and the completion of the final report. After the onsite data discovery, we can produce a high-level report of your current state of compliance and key steps for improvement. The improvements will be advised on a priority basis – depending on which are higher risk.
An audit may highlight several aspects where your organisation is not currently compliant in regard to handling personal data. Data protection issues and risks can be identified through the series of questions with key stakeholders during the onsite assessment. Each section within the audit will be rated through our risk matrix, and these areas can then be prioritised dependent upon the risks. This allows the audit report to be tailored specifically to your organisation, rather than being a generic ‘ways of improvement’ report.
In addition to highlighting areas for improvement, an audit can raise awareness across an organisation of the change in culture that is required for compliance with the GDPR and with general information and cyber security. The knowledge gained from an audit can then be transferred across departments.