- Business Advice
Peninsula Group, HR and Health & Safety Experts
(Last updated )
Peninsula Group, HR and Health & Safety Experts
(Last updated )
Jump to section:
As an employer, you may have to store personal data within your company. This is typically the private details of your customers, clients or employees. Even someone visiting your website can provide you with their personal information, so you must keep it safe at all times.
Failure to do so can lead to a large data breach, which can mean a loss of customers and heavy fines to pay. So it's vital you carry out a GDPR audit to ensure this doesn't happen in your company.
In this guide, we'll discuss what GDPR audit is, what's covered by them, and the benefits of carrying one out.
General data protection regulation (GDPR) is legislation that outlines data protection laws.
The regulations ensure companies who collect personal data, store and process them legally. This is usually on customers or clients within the business. So you need to be aware of what sort of customer data is protected by this legislation.
If you're a controller and have means of processing personal data, then GDPR applies to you. A controller is a person who makes decisions regarding the personal data of your customers or clients.
If your organisation collects or stores personal data of any type from UK or EU citizens, you need to comply. This includes:
The regulations brought in new rights for individuals whose data is being stored. This includes the right to erasure, the right to restrict processing, and the right to request the transfer of data to another controller (data portability).
To ensure you're doing all you can to protect personal data, you need to understand the essential terms that surround GDPR.
So, let's discuss them in more detail:
Personal data is any information that is related to a person (a data subject) and not a company. This form of data is made up of several pieces of different information, that when put together can identify a specific person.
Sensitive personal data is a special type of data which are subject to additional safeguards. For example, health-related data.
To store this kind of data, you must need a lawful basis and separate condition for processing special category data
Data processing is any activity or operation that is carried out to do with personal data. This is arguably the most important part of GDPR as the wrong processing can cause a data breach.
You need to make sure your processing of personal data is lawful.
Under UK GDPR, companies are obliged to regularly check they comply with the regulations. This involves looking for potential risks, and finding how they can be reduced. Carrying out an audit is the best way of doing this.
A GDPR compliance audit is a full examination and independent assessment of a company's data handling. They help to implement the following regulations:
Conducting an audit is a good foundation for a company to organise its data protection compliance.
No, GDPR audits aren't a legal requirement in the UK. However, it's good practice to take the legalities surrounding data security seriously.
If a claim is raised against you following a data leak in the future, carrying out an audit will support you.
A GDPR audit is the only way you can be sure that your business is compliant with the regulations. You must have a lawful basis for each processing activity involved. An audit will help you demonstrate it.
The audit will help establish the following:
As an employer, you must have a lawful basis for storing personal data. And, carrying out a data audit will help you pinpoint what changes are needed to make GDPR compliance easier. You must take a risk-based approach to all your data handling.
There are many benefits that conducting a GDPR audit can bring to your company. So as an employer, you need to be familiar with them:
You also need to understand when you need to carry out an audit in your company.
If your business handles data for a specific purpose and needs to follow GDPR rules, then an audit is critically important. There are six key areas a GDPR audit covers in data protection.
The six data protection principles are as follows:
As an employer, you need to understand how to carry out an audit within your company. You must ensure compliance with data protection at all times.
Although there's no specific way an audit should be carried out, you should aim to cover everything to do with data protection.
The following is a GDPR compliance audit checklist that includes the areas that you should cover.
You must take a risk-based approach to your audit. This includes implementing appropriate technical and organisational measures to protect personal data, which involves conducting a DPIA.
DPIA stands for data protection impact assessment. They are a type of risk assessment that helps to identify the risk and effects of processing data incorrectly. For example, a large data breach can lead to the leakage of customers' personal data, along with reputational damages.
A GDPR compliance project needs the support of everyone in the company. Without the whole company's support and backing, it's difficult for you to comply with regulations.
An audit will help determine the size of the project to see if it's realistic and achievable for your company.
The regulations require the appointment of a data protection officer (DPO) if the following criteria are met:
It's good practice to appoint a DPO even if your company doesn't fit any of the above criteria.
The DPO should be an expert on all things data protection. Their job is to constantly monitor GDPR compliance, assess data protection risks, and advise you on data protection impact assessments.
The audit allows you to fully examine all your roles and responsibilities to do with GDPR. This includes training, any measures put in place, as well as the effectiveness of your onboarding and offboarding processes.
This may highlight any changes that need to be made.
The audit helps to establish each process that involves personal data, and whether the processes you have in place are legal. You should maintain records of all processing activities, doing so can prove crucial in the future.
The analysis must be thorough and examine every process to do with personal data.
An audit will help you to create the correct data protection documents needed to reduce the potential risk of data breaches. How many you require will depend on the size of your company. This documentation will include:
This can be done via a Private security management system (PIMs). PIMs are aligned with IS0 27701, which specifies the requirements for a PIMs.
You must implement security measures to protect personal data, this is done via an information security management system (ISMS).
An ISMS should include a review of the methods for testing your data security, established cyber security, standards and codes of practice. ISMS requirements are stated within ISO 27001:2013.
Throughout the audit, you must remember the rights of the people whose data you're storing. Your processes and security measures must ensure you're following the below:
In essence, a customer has the final say on what happens to any of their data.
You need to be aware of who can carry out a data audit in your company. Anyone who has appropriate knowledge or experience can carry out these audits.
These tend to be data protection officers, data protection coordinators, or IT security officers. You can choose to appoint in-house staff or external providers.
It's a legal requirement to abide by the regulations, non-compliance can lead to serious legal trouble for your business. Companies that don't abide by GDPR regulations or suffer a data breach, can be hit with extremely heavy fines.
So conducting an audit can help protect yourself against future data breaches, whether by mistake or intentionally.
You must be able to demonstrate compliance if required. All employers should provide staff awareness training regarding data protection. This training should make your employees aware of how to avoid a data breach, and what can potentially happen if it occurs in your company.
A data breach is when personal data is stolen, taken without your knowledge, lost or disclosed by accident.
If you become aware of a possible breach within your company, you need to take immediate action. Firstly, you need to assess what type of breaches you're facing as well as the potential risks. These can range from financial loss to discrimination.
You're required to make the Information Commissioners Office (ICO) aware of the breach, withing 72 hours where feasible. You must also share the following information:
As an employer, you may have to store the personal data of your clients and customers. This can range from their contact, employment, or health details. Even someone visiting your website can provide you with their information, and you're responsible for keeping that data safe.
Failure to do so can lead to a large data breach, which can mean a loss of customers, and heavy fines to pay. So it's vital you carry out and GDPR audit to ensure this doesn't happen in your company.
Peninsula offers you expert 24/7 HR advice and support, helping you to protect your employees personal data Contact us on 0800 029 4392
See for yourself why Peninsula is the UK’s favourite HR and health & safety provider. Tap below to unlock free advice, policies, e-learning, and more.