Data Protection Audits
What is an audit?
An audit provides an assessment of whether your organisation is following good data protection practice. You will be aware of the Data Protection Act (2018) and UK GDPR (2021); however, do you know your data protection compliance responsibilities under these pieces of legislation?
CSRB believe that audits play a key role in helping organisations understand and meet their data protection obligations. The audit looks at whether you have effective controls in place, alongside fit-for-purpose policies and procedures, to support your data protection obligations.
CSRB will check if you are following data protection legislation as it applies to your organisation and the resulting report makes recommendations on how to improve.
CSRB offer data protection audits which cover a wide scope of works, from a ‘state of the nation’ review of the current information governance framework, to a review of current cyber security and online security measures and safeguards, through to an evaluation of the site security of commercial premises. This ensures we meet the requirements of all organisations in the UK.
What are the benefits of an audit?
You benefit from the data protection knowledge and experience of our audit team. It is an opportunity for your staff to discuss relevant data protection issues with certified professionals in the data protection, online security, and on-site security sectors.
The audit is an opportunity to get an independent view of your organisation’s data protection practices. It is most suited to organisations with an understanding of the basics of complying with the data protection legislation, where there are already some policies and procedures in place, but which may benefit from more focused assistance in meeting their obligations.
Audits also benefit those organisations working towards an enhanced information governance framework, and those seeking B Corp certification, the ISO/IEC 27001 standard for the management of information security, or the Cyber Essentials certification. Cyber Essentials indicates that your organisation takes a proactive stance against malicious cyber-attacks, whilst providing a clear picture of your organisation’s cyber security level.
All CSRB audits are conducted remotely, using modern technology, which provides an enhanced client experience and ensures we continue to meet and deliver on our environmental responsibilities. You could say “We zoom to audits, rather than zoom along motorways!”
What areas does an audit normally cover?
An audit can include all or some of the principles within data protection and privacy legislation as well as the Freedom of Information Act (2000) and the Privacy and Electronic Communications Regulations (2003).
Examples of areas which may be covered in a CSRB audit include:
- data protection governance, and the structures, policies, and procedures to ensure compliance with data protection legislation.
- the processes for managing both electronic and manual records containing personal data.
- the processes for responding to any request for personal data, including requests by individuals for copies of their data as well as those made by third parties, and sharing agreements.
- the technical and organisational measures in place to ensure that there is adequate security over personal data held in manual or electronic form.
- the provision and monitoring of staff data protection training and the awareness of data protection requirements.
How does CSRB conduct an audit?
Following agreement of the scope of work, which is formally documented in a proposal, CSRB will:
- carry out remote checks of all policies and procedures.
- carry out remote tests and interviews with key personnel.
- review data relating to KPIs and the management of data protection activities.
- carry out a review of the procedures in practice, focusing on any gaps in data protection and online security within the organisation.
- provide a report which outlines good practice and any areas of improvement with practical recommendations to help you to address these where appropriate.
- write an executive summary at the beginning of the report for key stakeholders.
- carry out a follow-up review approximately six months after the audit.
How long does an audit take and how much does an audit cost?
Each audit is unique, and the audit timescales depend on the size, scope, and requirements of each organisation. In general, however, we do preparatory work some weeks ahead of the audit, and our aim is then to complete the audit, by presenting the final report, within 30 working days of concluding the agreed scope of works.
Again, as each audit is unique, with the scope of works varying greatly from audit to audit, we will agree a market competitive audit cost with you at the proposal stage. We provide an all-inclusive cost, with no hidden extras.
Assurance Ratings
Each audited area will be given one of the below assurance ratings:
| Rating | Description |
| --- | --- |
| High assurance | There is a high level of assurance that processes and procedures are in place and are delivering data protection compliance. The audit has identified only limited scope for improvement in existing arrangements and, as such, it is not anticipated that significant further action is required to reduce the risk of non-compliance with data protection legislation. |
| Reasonable assurance | There is a reasonable level of assurance that processes and procedures are in place and are delivering data protection compliance. The audit has identified some scope for improvement in existing arrangements to reduce the risk of non-compliance with data protection legislation. |
| Limited assurance | There is a limited level of assurance that processes and procedures are in place and are delivering data protection compliance. The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with data protection legislation. |
| Very limited assurance | There is a very limited level of assurance that processes and procedures are in place and are delivering data protection compliance. The audit has identified a substantial risk that the objective of data protection compliance will not be achieved. Immediate action is required to improve the control environment. |