EasylifeIT™ Data Protection Audit

Written by James Allison. Posted in Expert Articles


THE STORM HAS PASSED – RIGHT?

“GDPR – thank goodness that is over! I got fed up with e-mails asking for my consent and inviting me to read privacy notices.”
Relief seems to have been a common reaction to the arrival of the UK’s third generation of data protection laws. After months of media attention and a good deal of confusion, everything seemingly went quiet.

You could be forgiven for thinking the storm had passed. Time to start the clean-up operation and cleanse the inbox of all those GDPR-related messages from May you never opened. It all blew over and nothing really happened. It was just like the Millennium Bug. Not quite…

THE BEGINNING, NOT THE END

The new Data Protection Act (DPA) 2018 sits alongside the GDPR (General Data Protection Regulation) and aims to ensure data protection laws are effective for years to come – both pre- and post-Brexit. From 25th May 2018, The Information Commissioner’s Office (ICO) has had the powers to enforce the legislation.

But, thinking of that date as a deadline risks drawing the wrong conclusion. A deadline signifies a time by which something must be finished or submitted, whereas 25th May 2018 represents a beginning as much as an end. Whilst there had been two years for organisations to prepare for the changes, the task of identifying and addressing privacy and security risks did not finish there. Elizabeth Denham, The Information Commissioner, summed this up in a blog on 23rd May 2018 by saying: “we all know that effective data protection requires clear evidence of commitment and ongoing effort.”

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/05/beyond-2018-data-protection-laws-built-to-last/ 

EVIDENCE OF EFFORT AND COMMITMENT

In the build-up to the GDPR ‘deadline’, there was high-profile focus on the significant increase in the maximum level of fines available to supervisory authorities such as the ICO. However, whilst these sanctions are available, supervisory authorities are not required to impose fines. Indeed, Elizabeth Denham’s blog of 23rd May 2018 stated that: “this law is not about fines. It’s about putting the consumer and the citizen first.”

In making their assessment of appropriate action, the ICO must take into account a number of considerations. These include:

This helps to explain why the ICO will look for clear evidence of ongoing effort and commitment. Things can always go wrong, even in an organisation which is well prepared. However, demonstrable evidence that reasonable steps have been taken to reduce data privacy and security risk will be taken into consideration if the worst happens.

Therefore, building and maintaining evidence of good data protection practice is something all organisations are expected to be doing. This should have started before 25th May 2018. It definitely should not have stopped after that date.

EASYLIFEIT™ DATA PROTECTION AUDIT

EasylifeIT can help your organisation provide evidence of its effort and commitment by facilitating and documenting a personal data information audit.

The primary aim is to identify areas of the business that are likely to process personal data, and in particular any special categories of personal data (previously known as ‘sensitive’ personal data).

Areas to be assessed are typically:

To maximise the value of the audit, decision makers representing each of the company’s key data processing functions need to be involved in the process. EasylifeIT’s consultant will spend one day on-site working directly with those nominated decision makers.

DPA 2018 / GDPR requires organisations to document what personal data they hold, where it came from and with whom they share it. Specifically, EasylifeIT’s Data Protection Health Check will seek to identify the extent to which an organisation understands and has documented the following:

In addition, the ICO has also designed a basic tool set to help organisations assess their compliance with data protection law. It helps with understanding the key concepts companies must continue to embrace. These include: the new rights of individuals, handling subject access requests, consent, data breaches and designating a data protection officer.

https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/ 

As part of EasylifeIT’s Data Protection Health Check, our consultant will run through relevant questionnaires from this tool set with the company’s designated decision makers. This will provide another useful measure of the organisation’s current level of preparedness and the gap (if any) which needs to be closed. Analysis of this will be included in EasylifeIT’s report which will be provided as part of the Data Protection Health Check.

DELIVERABLES

A 2 day programme of work, comprising:

BENEFITS

JAMES ALLISON

STRATEGIC IT CONSULTANT, EASYLIFEIT NORWICH
JAMES IS AN EXPERIENCED AND VERSATILE BUSINESS PROFESSIONAL WHO HAS WORKED ACROSS MULTIPLE SECTORS. HE PROVIDES COMPLEMENTARY SKILLS TO EXECUTIVE TEAMS, ADVISING ACROSS A RANGE OF DISCIPLINES INCLUDING IT STRATEGY, BUSINESS CONTINUITY PLANNING AND IT PROJECT MANAGEMENT
