GDPR audits are performed to verify the actual level of personal data protection and to evaluate how well an organization is prepared to implement the requirements of the General Data Protection Regulation (GDPR).
Why audit?
Personal data is processed in companies all the time. But do we know where we obtain it from? Do we have an appropriate legal basis for its processing (consent, legal provision, contract, etc.)? Have we complied with the so-called information obligation with regard to our customers (i.e. have we provided clear and complete information about the circumstances of the data processing, e.g. purpose, source, storage period, recipients of the data)? Do our marketing or sales departments have control over the personal data collected? Is data deleted when we no longer need it? Only an efficiently conducted audit will allow us to answer the above questions!
The final result of a pre-implementation audit is a report which identifies and describes inconsistencies with the GDPR (including violations of the law), provides evidence of the inconsistencies and gives recommendations on how to eliminate them.
In addition, in the report we indicate what actions need to be taken to achieve compliance with GDPR. In particular, we will:
GDPR implementation covers two steps:
As part of adjusting the data processing processes, the client will receive documents covering a comprehensive data protection policy (the final scope depends on the results of the audit and risk assessment), including:
To adapt the IT environment, the client will be provided with recommendations on, among other things, user and privilege management procedures, backup and recovery plans, and the handling of security incidents.
We can extend this service to include proposals for the implementation of useful IT tools that would support compliance with the GDPR requirements for IT security, specifically:
If you are interested in developing a map of your data processes, we can do this for you after first conducting a data discovery audit, in which we examine in particular:
As part of documenting data discovery for each inventoried process, we can prepare a process map. We illustrate the 'life' of personal data in a given process in a clear, graphic way. All relevant process elements are aggregated in the form of a single map, so that even after the audit, the people involved in the process will be able to find the key information easily. The process map also plays an extremely important role in monitoring the changes that occur in a process. Each such change can be transparently entered into the map, which makes it a useful tool for documenting modifications and keeping information up to date.
It is crucial to remember that the GDPR is not just about documents. The people who work with personal data in a company are equally important. Unfortunately, the human factor is the most common cause of breaches. Therefore, in addition to implementing appropriate procedures and IT safeguards, all employees must be trained. For this purpose, we provide:
Clearly, a 'paper' implementation of the GDPR alone is not sufficient to actually protect personal data. The GDPR contains general statements that safeguards must be appropriate to the risks, and transferring them to paper in the form of documentation is only part of the way to a successful real implementation of the GDPR. The GDPR, with its general assumptions about safeguards, is technologically neutral and, by lacking detailed guidance, should not become outdated quickly. The pitfall of such a legislative solution is, unfortunately, the great uncertainty during GDPR implementation. In the end, there is no reference point for whether we are doing something right or wrong. One can look to other standards, such as ISO, for help. This is why we have ISO 27001 certified Information Security Management System auditors on our team. The ISO 27000 series standards are some of the most important, widely accepted documents presenting the state of the art in the application of security measures and security management. The Polish Data Protection Authority also recommends taking them into account.
When analysing data protection breaches, you can follow the recommendations of the European Union Agency for Cybersecurity (ENISA). We hope that there are no security risks in your organisation, but if there were, we are prepared to provide you with a breach analysis at any time.
We offer our assistance with the implementation of GDPR
Experienced iSecure specialists will help you with both the audit and the adaptation of documentation, websites or IT systems, as well as the training of your employees.
With us, nothing is impossible, and proper implementation of GDPR in your organisation will give you peace of mind and minimise the risk of penalties or claims for damages for inappropriate processing of personal data.