EasylifeIT™ GDPR Scoping Audit
As ‘Step 2’ of its ‘12 steps to take now’ guidance on preparing for the General Data Protection Regulation (GDPR), the Information Commissioner’s Office (ICO) recommends that organisations should:
“document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.”
Implementing the GDPR could have significant resource implications, especially for larger and more complex organisations. However, the size of your company is not the only determining factor. Smaller companies may need to commit a disproportionate amount of effort to achieve compliance, particularly if their main business activities require them to control and/or process large volumes of personal data.
An important starting point, therefore, is to make a short but structured assessment to identify:
- where your key areas of risk might be in terms of the level of compliance with GDPR
- what the size of the task might be
The output of this initial study will then help to determine what the next steps should be, whether you have the right skills / resources at your disposal, and how best to focus those resources.
EasylifeIT™ GDPR Scoping Audit
EasylifeIT can help by facilitating and documenting this initial information audit. The primary aim is to identify areas of the business that are likely to process personal data, and in particular any sensitive personal data.
Areas to be assessed very early on in the process of GDPR compliance are typically:
- Human resources
- IT (to determine the computerised systems in use and to assess the security and contingency measures in place)
- Marketing (particularly in terms of analysing how consent is obtained)
Therefore, in order to maximise the value of the audit, decision makers representing each of the company’s key data processing functions would need to be involved in the process. EasylifeIT’s consultant will spend one day on-site working directly with those nominated decision makers.
GDPR requires organisations to document what personal data they hold, where it came from and who they share it with. Specifically therefore, EasylifeIT’s Scoping Audit will seek to gather information about the following:
- Names of databases / applications personal data is processed in. Although this is likely to focus on computerised systems, it would also cover paper based systems if applicable.
- A description of the purpose for processing that personal data
- Categories of personal data, e.g. name, telephone number, address, etc.
- Access from / to third parties e.g. contractors or organisations that process any of the data on behalf of the organisation
- Hosting location / use of internal or external service providers, particularly if outside of the EU
- Back-up locations, particularly if outside of the EU
- Contact details of the person in charge of the relationship covering each database / application
- Method of data transfer if outside of the EU, i.e. whether appropriate safeguards such as contracts are in place if data is transferred outside of the EU
- Consent – how the organisation is seeking, obtaining and recording consent
- Safeguarding – the methods in use to protect against unauthorised or unlawful processing and against accidental or unlawful loss, destruction, alteration, unauthorised disclosure of or access to personal data
In addition, the ICO has also designed a basic tool to help organisations get prepared for the new legislation. It helps introduce some of the concepts companies will need to get to grips with a little later on. These include: the new rights of individuals, handling subject access requests, consent, data breaches and designating a data protection officer.
As part of EasylifeIT’s Scoping Audit, our consultant will also run through this questionnaire with the company’s designated decision makers. This will provide another useful measure of the company’s current level of GDPR preparedness and the gap (if any) which needs to be closed. Analysis of this will be included in EasylifeIT’s report which will be provided as part of the Scoping Audit.
A 2-day programme of work, comprising:
- 1 day on-site working directly with the company’s nominated decision makers from pre-defined key functions
- 1 day to analyse findings from the on-site data gathering and to produce and deliver a report of findings and recommendations