Personal data protection and GDPR audit

GDPR audits and implementation

GDPR Audits

GDPR audits are performed to verify the actual level of personal data protection and to evaluate how an organization is prepared for implementation of General Data Protection Regulation (GDPR) requirements.

Why audit?

Personal data is processed in companies all the time. But do we know where we obtain it from? Do we have an appropriate legal basis for its processing (consent, legal provision, contract, etc.)? Have we complied with the so called information obligation with regard to our customers (i.e. have we provided clear and complete information about the circumstances of the data processing, e.g. purpose, source, storage period, recipients of the data)? Do our marketing or sales departments have control over the personal data collected? Is data deleted when we no longer need it? Only an efficiently conducted audit will allow us to answer the above questions!

During the audit we will:

  • determine the information to which GDPR regulations are applicable
  • determine the role of personal data processing entities (controller, joint controller, processor, sub-processor)
  • verify the legal basis for data processing (we will check whether the processes performed by our clients are legitimate in the light of GDPR)
  • review the consent clauses
  • review the mandatory information clauses
  • analyze the personal data processing agreements (DPA)
  • determine the procedures for handling data subject access requests (e.g. exercise of data access rights by data subjects)
  • determine the procedures for the controller's/processor's responsibilities (e.g. notification of a data breach)
  • analyze the technical (IT-related, physical) and organizational measures dedicated to keeping data secure, in terms of compliance with GDPR regulations


Audit report

The final result of the pre-implementation audit is a report which identifies and describes inconsistencies with GDPR (including law violations), provides evidence of those inconsistencies, and gives recommendations on how to eliminate them.

In addition, in the report we indicate what actions need to be taken to achieve compliance with GDPR. In particular, we will:

  • evaluate whether data protection impact assessment is required and indicate how to handle this process, if needed
  • determine the conditions of Data Protection Officer (DPO) designation, if necessary
  • establish the customer's areas of responsibility in accordance with GDPR regulations
  • present our recommendations on how to adapt IT environment to GDPR requirements


GDPR Implementation

GDPR implementation covers two steps:

  • implementation of GDPR requirements in data processing processes
  • adjustment of IT environment


As part of adjusting the data processing processes, the client will receive documents covering a comprehensive data protection policy (the final scope depends on the results of the audit and risk assessment), including:

  • methodology of risk assessment and conducted risk assessment
  • personal data protection impact assessment
  • procedure for cooperation with third parties, including a new draft of the data processing agreement and internal regulations that demonstrate that the obligation to verify the processor beforehand was fulfilled properly
  • record of personal data processing activities
  • record of categories of personal data processing activities
  • procedure for cooperation with the supervisory authority and for reporting data breaches
  • clauses dedicated to personal data collection, including mandatory information clauses
  • position and responsibilities of Data Protection Officer (DPO)
  • procedure for handling data subjects' requests
  • policy for IT systems development process that includes implementation of privacy by design and privacy by default principles
  • description of prior consultation with President of Personal Data Protection Office, if required
  • selection of applicable transfer mechanisms in the event of personal data transfers to third countries or international organizations.


To adapt the IT environment, the client will be provided with recommendations on, among other things, user and privilege management procedures, backup and recovery plans, and handling of security incidents.

We can extend this service to include proposals for the implementation of useful IT tools that would support compliance with the GDPR requirements for IT security, specifically:

  • an information classification system
  • a system to prevent information leakage (DLP)
  • a security information and event management platform (SIEM)


Data discovery and mapping the processes

If you are interested in developing a map of your data processes, we can do this for you after first conducting a data discovery audit, in which we examine in particular:

  • what personal data processes are carried out by the client and what is the status of the client in relation to the processed data (data controller, joint controller, processor)
  • what legal basis applies to the processing of personal data in a given process
  • which IT systems are used for data processing
  • what are the locations of personal data processing
  • which internal units/departments have access to personal data within the given process
  • what is the scale of access of third parties to the processed data and what entities are involved
  • which rights are vested in the persons whose data are processed in a particular process
  • applied organisational and procedural measures (implemented security policies, document flow procedures, etc.)
  • applied technical measures (the way of securing resources on workstations, laptops, servers, etc.)
  • other elements with an impact on data protection

As part of documenting data discovery for each inventoried process, we can prepare a map of the process. We illustrate the "life" of personal data in a given process in a clear, graphic way. All relevant process elements are aggregated in a single map, so that even after the audit, the people involved in the process can find the key information easily. The process map also plays an important role in monitoring changes to a process: each change can be transparently entered into the map, which makes it a useful tool for documenting modifications and keeping information up to date.

The important element of GDPR implementation is people

It is crucial to remember that GDPR is not just about documents. The people who work with personal data in a company are equally important. Unfortunately, the human factor is the most common cause of breaches. Therefore, in addition to implementing appropriate procedures and IT safeguards, all employees must be trained. For this purpose, we provide:

  • online training,
  • on-site training,
  • concise and clear materials for employees,
  • infographics,
  • monitoring of the latest news, decisions and rulings - including those of foreign data protection authorities.


What if GDPR is not all?

Clearly, a "paper" implementation of the GDPR alone is not sufficient to actually protect personal data. The GDPR states in general terms that safeguards must be appropriate to the risks, and putting this on paper in the form of documentation is only part of the way to a real implementation of the GDPR. Because its assumptions about safeguards are general, the GDPR is technologically neutral and, lacking detailed guidance, should not become outdated quickly. The pitfall of this legislative approach is, unfortunately, the great unknown during implementation: in the end, there is no reference telling us whether we are doing something right or wrong. One can look to other standards, such as ISO, for help. This is why we have ISO 27001 certified Information Security Management System auditors on our team. The ISO 27000 series standards are among the most important, widely accepted documents presenting the state of the art in the application of security measures and security management, and the Polish Data Protection Authority also recommends taking them into account.

When analysing data protection breaches, you can follow the recommendations of the European Union Agency for Cybersecurity (ENISA). We hope that there are no security incidents in your organisation, but if there are, we are prepared to provide you with a breach analysis at any time.

We offer our assistance with the implementation of GDPR

Experienced iSecure specialists will help you with both the audit and the adaptation of documentation, websites or IT systems, as well as the training of your employees.

With us, nothing is impossible, and proper implementation of GDPR in your organisation will give you peace of mind and minimise the risk of penalties or claims for damages for inappropriate processing of personal data.

Contact
Katarzyna Ułasiuk-Delamare
Member of the Board