GDPR Guidance - Auditing for GDPR Compliance

There is a very wide range of possibilities here. Many large business and companies (“organisations”) may be quite advanced in their compliance with the Data Protection Act. This will help, but it does not mean that achieving GDPR compliance will be easy. The larger structure means that the challenge may be greater than for the small standalone business with little knowledge of data protection. Whatever the situation, there will be strengths and weaknesses. You need to know what they are and work with them. If there is an area of weakness that is difficult to address, it is better that you document it and make a plan to address it as soon as possible, than that you pretend it does not exist.

1. This step has different stages: work out who is going to be responsible for reviewing practices and implementing changes.

Approval of policies will usually sit with the board of directors or management equivalent. Remember that what you have already will pre-date the GDPR and given the much greater emphasis on data protection compliance and the potentially huge fines for breaches, you may want to review how data protection will now be handled in your organisation, given the greater importance of the subject. Think about a working group for GDPR implementation. It is likely that the amount of work will be too much for one person. Think about what capacity is available and how you might improve that. Some of the work will be policy related and properly sit with the board, but there will be a large amount of ‘on the ground’ work best led by the COO or Business Manager.

You will need a designated Data Protection Officer. Having a DPO is going to be good practice, even when not strictly required. Further details about the DPO role are covered elsewhere. You at least need to be thinking about who the DPO will be.

2. Carry out a personal data audit in stages:

Remember that the GDPR is about personal data – i.e. about data which relates to an individual who can be identified from that information. The GDPR does not affect all the records the organisation holds, because much of it will not contain any personal data. It may be sensible to make your audit wider and clear out some of the papers/electronic files that have been hanging around since the myths of time, but bear in mind that if you are short on time or human resources, you should prioritise the items which are likely to contain personal data.

• What is the personal data? E.g. customer name and address
• Where does the organisation get it from?
• What does the organisation use it for?
• Is your organisation disclosing personal data to anyone else?
• What are you storing? Why? Do you really need it? Just storing personal data still counts as processing it – store it too long and without good reason and you are likely to be noncompliant.

This will help when you have to document the organisation’s processing activities. You will have to set out what the legal basis for processing is. The legal basis for processing means the legal justification for why you are processing the personal data e.g. because you need to collect it to comply with a legal obligation. This is covered in the template data protection policy.

• Do you disclose personal data to anybody else so that they can process it on your behalf?
  Do you have an external HR and payroll provider? Do you use software to help you process personal data ?
  
  If so, you should have a data processing agreement in place already, but under the GDPR, it will be compulsory to have such an agreement and there are requirements about what it must contain.
  
  Start conversations with your providers about GDPR compliance. Large providers may already have plans to provide GDPR compliant documents, but the responsibility is with the data controller i.e. usually the organisation, to make sure that a compliant agreement is in place. You will probably need legal advice on the changes that are required to existing arrangements. Note that, at the moment, there is nothing in law to say that the processors have to negotiate with you or in any way collaborate. Therefore, it is best to start early.
   
• Is your organisation processing personal data on behalf of another organisation?
  Does your organisation look after personal data for that other organisation and perhaps send out mailshots on behalf of that organisation? It may be an organisation which benefits your organisation, but it is still a separate entity and your organisation will be processing personal data on its behalf. That means that the requirement for a formal data processing agreement is triggered. The liability for that will sit with the other organisation, but you need to consider whether you should raise this with the board of directors or management of the other organisation. Fundamental consideration must be given to what your organisation will do on behalf of these organisations in the future.
   
• Is your organisation carrying out any processing of personal information which seems unusual or unjustified?
  If so, you should carry out a data protection impact assessment (template available as part of the pack) and if question marks remain, you should seek legal advice. The pack contains a basic audit list of what to look at. It cannot be comprehensive and you need to give proper consideration to what personal data your organisation is handling. It is a sensible starting point and also covers the security aspects of keeping personal data. Security is all the more important because after 25 May 2018, there will be compulsory breach reporting and higher financial penalties.