How to conduct a proper GDPR audit: 4 key steps

Organizations subject to the EU's General Data Protection Regulation should do regular compliance audits. Here are the steps experts say you should take.

For many organizations, preparing for the European Union’s (EU) General Data Protection Regulation (GDPR) has been a time-consuming endeavor. Unfortunately, the work is not over. Now that GDPR is in effect, companies will need to do regular internal audits to assess their compliance levels. The ability to document these audits will be vital in the event of a breach or complaint, because showing that a good-faith effort was made could help avoid a big penalty.

“Audits are very important, as accountability is one of the principles under the GDPR, and organizations are expected to monitor their privacy and compliance program as part of being in compliance,” says Greg Sparrow, senior vice president and general manager at risk management consulting firm CompliancePoint.

“Further, audits will ensure that organizations can catch issues or errors in their program and thus demonstrate due diligence to the regulators if violations occur or they come under question,” Sparrow says. “Compliance is not a ‘set it and forget it’ program. Companies are expected to comply with the regulation as well as have regular monitoring in place to ensure they remain compliant.”

It’s important to conduct GDPR audits “to check that processes are in place to deal with the tasks required, including the right to be forgotten and data portability, and so that data protection officers [DPOs] and staff know what to do in the case of a breach,” adds Gary Southwell, general manager of the Cybersecurity Division of security technology company CSPi.

“Fully vetting processes through an audit provides measures that can be used for process improvement,” Southwell says. “But it also provides a key compliance element—proving your company has such processes in place and in operation—before issues occur as the law intends. Specifically, it can also help improve general investigative response readiness, something all companies should be doing to minimize their risk of data loss.”

GDPR audits will likely involve people outside security, including data governance, IT, legal, and human resources. Clearly much of the focus will be on cyber security programs. Here are the key steps of a GDPR audit, according to industry experts.