Audit as part of the accountability principle.

Two years ago, thousands of organisations had to step on the gas pedal to adapt to the requirements of the General Data Protection Regulation, which sometimes led them to accept risks that they were not able to handle efficiently. However, a data protection compliance programme is a living process that evolves as the organisation does, and the accountability principle requires data controllers to perform ongoing self-assessment and take steps to address any risks they identify.

Moreover, the number of investigations by supervisory authorities has increased significantly over the past years. According to the latest annual report issued by the Information Commissioner's Office (ICO) in the UK, throughout 2019/20 there were 236 instances of the ICO taking regulatory action in response to breaches of the applicable data protection legislation.

Therefore, in this fast-evolving business environment, internal and external data protection audits have taken on a central role within numerous organisations as a means of meeting the accountability principle and avoiding regulatory enforcement action.

However, while most data protection audit processes cover the assessment and identification of weaknesses, many of them do not cover the next steps that must be taken, i.e. what to do once the audit findings are obtained. This makes the audit process incomplete, as its main objective should not only be to identify gaps, but to address them. It is therefore important to clarify what a data protection audit process should cover once the results are obtained. An audit report attached to an unread email, identifying deficiencies that nobody acts on, is a ticking time bomb: a later data breach could have been prevented by addressing the inadequacies the audit raised. Acting on the audit is as important as conducting it.

What happens when the audit report presents gaps?

Once the audit has been completed and the audit report has been finalised, organisations should consider the questions below.

  1. Identify findings and gaps

What are the issues? What needs to be improved? If the report sets out a number of issues or particular aspects that need to be fixed, it will be necessary to proceed to the next stage and address the problems identified.

The first step would be to review the audit process and methodology and double check that it is comprehensive, covering all relevant data protection aspects, as well as all business areas that handle personal data within the organisation. Once this has been completed, a mitigation plan based on the recommendations coming from the report should be put in place in order to address the deficiencies in an efficient manner. Priorities and areas of high risk should also form part of any plan together with anticipated costs allocated – whether this is for technology, headcount or changes in processes.

  2. Timing

When did the issue start? When is the deadline to fix it? It is important to know for how long the organisation has been non-compliant and how long it will take to reach an adequate level according to the applicable data protection requirements. The mitigation plan needs to establish the deadline that the organisation must meet for each specific issue identified, and it will need sponsors within the organisation.

  3. Reasons behind deficiencies

Why is the organisation non-compliant in terms of data protection? Some of the main areas that need to be checked are:

  • Are inadequate processes or workarounds causing the issues?
  • Are there privacy policies and procedures in place, and are they being followed, that help ensure compliance?
  • Is personal data obtained and processed accurately, and are there technical and organisational measures in place to guarantee the confidentiality and integrity of the information?
  • What mechanisms are in place to assist individuals with data subject requests?
  • Has training and awareness been provided to those individuals within the organisation who are responsible for processing personal data, and is it both recent and relevant to their role?
  • Are data protection and information security requirements adequately flowed down through your supply chain?

  4. Affected areas

Which business functions are not doing things right? Are the identified shortcomings confined to one area, or does a failure in one area cause other areas to be non-compliant? It is important that the audit helps identify where the main risks are and whether they may affect other business functions, and that it does not seek to allocate blame. Identifying an issue, collaborating and resolving it will always be the best option for reducing the overall risk exposure of any organisation. All areas must be aware of how data protection legislation affects them and what commitments they need to assume in order to reduce potential risks. Consistency across the whole organisation when implementing data protection standards is an essential requirement.

  5. Mitigation actions

How can organisations address the findings? There are several actions that may help businesses not only to mitigate current deficiencies, but also to identify potential ones. Organisations should focus on the risks that arise when data protection principles and standards are not met.

As mentioned, it will be necessary to design and put in place a plan to implement the recommendations included in the audit report. All the questions above should be considered, including resources, impacted areas and timing, as well as other aspects that may be relevant depending on the type of organisation. To carry out the implementation plan, it is necessary to establish a clear roadmap covering the key areas, ordered by the level of risk that has been identified and the potential financial and reputational impact of each finding.

In addition, periodic reviews of the plan will need to be conducted to confirm that mitigation actions are adequately implemented, that risks are reduced and that the organisation meets any agreed remediation deadline.

Lessons learnt

The audit process is an essential element of any privacy compliance programme. If organisations do not act on its findings, the economic and reputational consequences may negatively affect their business. It is therefore not only important to have a strong audit framework in place, but also to learn from the deficiencies identified, through an iterative process, in order to solve the structural problems of the organisation that lead to higher data protection risks.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.