Data Protection Audits – More than a state of the nation report

A data protection audit determines whether the policies and procedures implemented to regulate data privacy and the use of data are working as planned. An audit will typically assess the organisation’s procedures, systems, records, and activities. 

Using data protection audits to just tick a box on a compliance sheet misses the opportunity to add value to the exercise with a thorough review of all aspects of business security that may have an impact on data protection and privacy. 

A review of the ‘Security’ section of the ICO website suggests why audits should follow this more wide-ranging remit. It says: “A key principle of UK GDPR is that you process personal data securely by means of ‘appropriate technical and organisational measures’ – this is the ‘security principle’.” 

As cyber security, and data protection usually sit with different people in an organisation using a Data Protection Audit to tie these threads together gives the leadership team oversight across both aspects of the business and will enable any gaps to be plugged. 

Digital files are generally easier to store securely than paperwork, but the security of data held in paper form is another consideration. Once again, a Data Protection Audit helps to highlight the business risks of the data security aspects of failing to provide secure storage for critical documents, drawings, medical images, and photos. 

The ICO security page offers some advice that could be seen as a little ambiguous. “Your measures must ensure the ‘confidentiality, integrity, and availability’ of your systems and services and the personal data you process within them.” Utilising an audit to unpick the contrasting requirements of “confidentiality” and “availability” can save time and reduce the risk of data breaches or losses. 

The ICO go on to say: “The measures must also enable you to restore access and availability to personal data in a timely manner in the event of a physical or technical incident.” 

This moves data protection into the area that will be covered by your disaster recovery plan. This again may well sit with a person not well versed in the requirements of data protection and an audit that covers all parts of the brief will be able to propose improvements and streamline processes. 

We have shown that a Data Protection Audit can be a key driver to business improvement and risk mitigation. CSRB’s audit service offers a true picture of your current information governance framework. 

However, we understand that our client base ranges from micro businesses to SMEs to large multinational organisations. Thus, we have introduced an ‘existing policy & procedure review service’ with an easy-to-understand traffic light coded GAP analysis, seen as a mini-audit if you like.

CSRB will help you manage and protect data responsibly while taking the jargon out of the process. Contact us here or call 0117 325 0830 to learn more about how we can bring clarity to your data management processes.