GDPR Audit: Everything You Need to Know
A GDPR audit is the audit an organization conducts to assess its compliance with the GDPR, the General Data Protection Regulation. This regulation, which applies from 25 May 2018, sets out data protection rules for companies located in the European Union (EU) as well as those located outside the EU that offer goods or services to individuals in the EU. Many U.S. companies will therefore need to comply. Businesses that fail to comply face significant fines, up to 4 percent of worldwide annual turnover or EUR 20 million, whichever is higher.
Because businesses are rushing to get up to date on the new rules, it is estimated that companies in Europe will hire as many as 28,000 data protection officers (DPOs); appointing a DPO is mandatory for many organizations under the regulation. Beyond new hires, other areas of the business that will see significant change include:
- The business’s overall policies and procedures
- Marketing for businesses
- Vendor contracts
- All customer transactions
That is why it is incredibly important to have a highly knowledgeable internal audit staff who can help assess compliance and legal issues that might arise before and after the rules take effect.
Conduct a GDPR Audit
Before the GDPR rules take effect, have your internal audit team confirm that all personal data being held (consumer names, addresses, and so on) is stored appropriately. A practical tool for this is a data flow chart (data map) that identifies every location where personal data is hosted, both inside and outside the organization, and how it moves between those locations.
If you conduct an audit, you will have the ability to:
- Understand why and how personal data is being collected
- Fully understand how personal data flows in and out of the business
- Improve the data lifecycle
- Properly classify your data
- Decide how long the data will be stored, and under what other potential circumstances can it be deleted
- Know how personal data is deleted, and where copies may persist after deletion (backups, exports, third-party systems)
- Reduce privacy risks and data breaches
- Improve efficiencies in the event that a breach does take place
- Have a plan to mitigate the risk as soon as a breach takes place
Your data flow chart should also identify where personal data exists within the network infrastructure and on servers, along with data exit points such as network egress through firewalls, email, printers and transfers to third parties. You also need a formal, documented process for removing personal data. And when you collect data, the business must know every way in which it is collected: over the phone, in person, on the company website, via the mobile app, and through any third-party channels. A retail store is a prime example.
For example, if you think about a popular clothing store, there are many ways in which your information can be collected and stored. You could visit the store in person and make a purchase. You could also purchase clothing on the store's website. You might contact the store by phone to ask a question, at which point additional information is usually collected about your previous order. What's more, the store could provide a mobile app that makes it easier to purchase items. All of these avenues are ways for the retail store to collect your personal data.
Your business should know every way in which this information is collected, and whether data from different channels lands in different systems, for example information collected online versus in store.
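The data flow chart described above, together with the retention and deletion questions from the audit checklist, can be kept as a small, checkable inventory rather than a diagram that goes stale. The following is an added example written for this page, not code from the original article or from UpCounsel; the retailer, its stores ("pos_db", "web_crm", "call_notes", "push_vendor"), collection channels, retention periods and sample records are all constructed for illustration. It models the channels and stores as nodes and edges, then answers the questions an auditor actually asks: where a category of data lives, which channels feed a store, which flows the chart does not account for, which stores lack a deletion procedure, which records are past their retention period, and which systems must be touched to honour one person's erasure request.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class DataStore:
    """One place personal data lives: a node of the data flow chart."""
    name: str
    hosted_by: str          # "internal" or the third party hosting it
    categories: frozenset   # kinds of personal data held, e.g. "email"
    retention_days: int     # maximum age of a record before it must go
    deletion_process: str   # documented procedure; "" means none exists


@dataclass(frozen=True)
class Channel:
    """One way personal data enters the business: an edge of the chart."""
    name: str
    collects: frozenset     # categories gathered on this channel
    writes_to: tuple        # names of the stores the channel feeds


@dataclass(frozen=True)
class Record:
    store: str
    subject_id: str
    created: date


# Constructed inventory for a hypothetical clothing retailer (not real data).
STORES = (
    DataStore("pos_db", "internal", frozenset({"name", "card_last4"}), 365, "pos-purge-runbook"),
    DataStore("web_crm", "internal", frozenset({"name", "email", "address"}), 730, "crm-erasure-api"),
    DataStore("call_notes", "internal", frozenset({"name", "order_history"}), 180, ""),
    DataStore("push_vendor", "PushCo (third party)", frozenset({"email", "device_id"}), 365, "vendor-ticket"),
)
CHANNELS = (
    Channel("in_store", frozenset({"name", "card_last4"}), ("pos_db",)),
    Channel("website", frozenset({"name", "email", "address"}), ("web_crm",)),
    Channel("phone", frozenset({"name", "order_history"}), ("call_notes",)),
    Channel("mobile_app", frozenset({"email", "device_id"}), ("web_crm", "push_vendor")),
)
SAMPLE_RECORDS = (
    Record("pos_db", "cust-42", date(2017, 1, 10)),
    Record("web_crm", "cust-42", date(2017, 11, 1)),
    Record("call_notes", "cust-42", date(2018, 1, 15)),
    Record("push_vendor", "cust-7", date(2017, 12, 1)),
)


def stores_holding(category, stores=STORES):
    """Where does a given kind of personal data live?"""
    return [s.name for s in stores if category in s.categories]


def channels_feeding(store_name, channels=CHANNELS):
    """Which collection paths end up in this store?"""
    return [c.name for c in channels if store_name in c.writes_to]


def unmapped_flows(channels=CHANNELS, stores=STORES):
    """Channel writes a category its target store is not recorded as holding:
    either the chart is incomplete or data is landing where it should not."""
    by_name = {s.name: s for s in stores}
    gaps = []
    for c in channels:
        for target in c.writes_to:
            missing = c.collects - by_name[target].categories
            if missing:
                gaps.append((c.name, target, sorted(missing)))
    return gaps


def third_party_stores(stores=STORES):
    """Stores hosted outside the organization (vendor contracts needed)."""
    return [s.name for s in stores if s.hosted_by != "internal"]


def no_deletion_process(stores=STORES):
    """Stores with no documented way to remove personal data."""
    return [s.name for s in stores if not s.deletion_process]


def overdue_records(records, today, stores=STORES):
    """Records older than their store's retention period: should be gone already."""
    limit = {s.name: timedelta(days=s.retention_days) for s in stores}
    return [r for r in records if today - r.created > limit[r.store]]


def erasure_plan(subject_id, records, stores=STORES):
    """Every store holding this subject, with the procedure to delete from it."""
    by_name = {s.name: s for s in stores}
    names = sorted({r.store for r in records if r.subject_id == subject_id})
    return [(n, by_name[n].deletion_process or "MISSING") for n in names]


if __name__ == "__main__":
    today = date(2018, 5, 25)
    print("email lives in:", stores_holding("email"))
    print("web_crm fed by:", channels_feeding("web_crm"))
    print("unmapped flows:", unmapped_flows())
    print("third-party stores:", third_party_stores())
    print("no deletion process:", no_deletion_process())
    print("overdue:", [(r.store, r.subject_id) for r in overdue_records(SAMPLE_RECORDS, today)])
    print("erasure plan for cust-42:", erasure_plan("cust-42", SAMPLE_RECORDS))
```

In the constructed inventory the mobile app sends a device identifier into the CRM, which the chart does not list as holding device identifiers, so unmapped_flows flags it; the phone-notes store has no deletion procedure, which surfaces both on its own and as "MISSING" in the erasure plan for a customer whose call was logged there. Those are exactly the gaps an audit is meant to find before a deletion request or a breach does.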
If you need help learning more about conducting an internal GDPR audit, you can post your legal need on UpCounsel’s marketplace. UpCounsel accepts only the top 5 percent of lawyers to its site. Lawyers on UpCounsel come from law schools such as Harvard Law and Yale Law and average 14 years of legal experience, including work with or on behalf of companies like Google, Stripe, and Twilio.
Interested in learning more about GDPR compliance?
Download UpCounsel's free GDPR Compliance Whitepaper and learn the tools you need to put your company on the path to compliance. Included is a list of 10 practical steps to help organize efforts on GDPR, develop a compliance plan, and mitigate risk.