Big school of GDPR lesson 7: GDPR Internal audit


You've launched a whole range of activities to align with GDPR requirements. You have appointed the DPO and established a structure of authority and responsibility for managing personal information. You have analyzed the readiness of the organization and the IT system to fulfill the rights of the owner of personal data. You understand that you are not quite sure what is, and what is not, personal information. You have realized that you are not sure which information should be handed over to the owner if they were to claim it based on the right to portability.

If you do not know that, then you also do not know which data you will have to delete if their owner so requests based on their right to be forgotten. And even if you are sure about all of that, your IT system may simply not be technically able to fulfill it, and adapting it could be extremely complex. In addition, it has become clear that the security of personal data in IT systems is far from the expected level. You have realized that writing a good text for the consent to the collection and processing of personal data is not as simple as it first appears.

What happens when you realize the GDPR project is late?

The implied conclusion is that alignment will take much longer than you could have initially assumed. On the day GDPR starts to apply, you will not be 100% aligned, and that is not a problem, because no one will expect you to be. When you realize that, despite your efforts, your implementation of GDPR will never end, you have recognized the sure sign that you approached GDPR in the right way. Harmonization with GDPR is primarily the process of establishing a responsible and ethical process of personal data management.

Internal audit - why, who and how?

The effectiveness of that process needs to be measured, and metrics and goals need to be defined for it. We are fully convinced that in April 2018, responsible management boards will want to see on the table an independent evaluation of the success of their GDPR initiatives, if only so that they know what they can show to AZOP (or whatever the regulatory body will be called) and what still needs fixing.

The GDPR audit can be implemented in several ways and for several reasons, including:

  • Internal GDPR audit
  • GDPR audit by third party
  • Certification GDPR audit
  • GDPR audit of regulatory/inspection body

We will focus on internal audit. This audit is the most comprehensive and the longest lasting, and its goal is to provide an objective picture of compliance with GDPR, as well as of the adequacy and effectiveness of the implemented controls. It is conducted according to an audit plan that is usually defined several years in advance. If you have your own resources, you can do it yourself. You can also outsource it, fully or partially. You have already found out that most of the complexity of GDPR requirements lies in technical controls.

In addition to knowledge of audit techniques, a GDPR auditor needs an understanding of both technology and the organization. The person you need is an IT auditor, preferably a CISA certificate holder with 5 or more years of experience. If you have such resources, send them for additional education in the area of GDPR. If you do not have your own IT auditor, consider outsourcing this process. Even if you have your own IT audit team, outsourcing tasks such as developing a GDPR audit methodology and the first audit plan is a smart move.

A risk-based compliance audit is the ideal approach to auditing GDPR. A good IT audit team should already be familiar with this approach. Since GDPR does not formally provide a list of requirements, we suggest that you start from the poster published in the third lesson. The risk assessment methodology you will use to create the audit plan relies on the DPIA (Data Protection Impact Assessment) methodology, which will be an obligatory part of your personal data management process; the next lesson discusses it in more detail.