A GDPR audit identifies the key risks and gaps in an organisation’s processes, procedures and policies with respect to the General Data Protection Regulation (GDPR), and recommends a course of action to close those gaps and mitigate those risks. Closing them means putting in place appropriate processes, procedures and policies that cover, amongst other areas: monitoring of personal data, controls to prevent data breaches, training staff on their GDPR obligations, conducting data protection impact assessments (DPIAs) for high-risk projects and business functions, implementing GDPR-compliant consent management, and implementing effective systems for handling data subject access requests (DSARs). The benefits of a GDPR audit include:
- Raising data protection awareness.
- Documenting management’s commitment to recognising the value of data protection.
- Independent assurance of data protection policies, processes and practices.
- Indication of data protection risks with specific suggestions to automate compliance.
- Knowledge sharing for training and improvements.
The General Data Protection Regulation (GDPR) is specifically important for data “controllers” and “processors”. A data controller determines the purposes and means of the processing of personal data, whereas a processor processes personal data on behalf of a controller. Both controllers and processors must maintain a record of their processing activities under the GDPR (Article 30). A data subject access request (DSAR) is defined under Article 15 of the GDPR: the right to obtain from the controller confirmation of whether it is processing personal data of the person making the request, access to that data, and disclosure of certain information about the processing (such as its purposes, the recipients of the data and the retention period).

A processor is directly liable for breaches of the obligations the GDPR places on processors and for any processing that goes outside the controller’s instructions. Conversely, engaging a processor does not relieve you of responsibility as a controller: you must use only processors that provide sufficient guarantees, and the contract between you and the processor must contain the terms required by Article 28 so that the processor is bound to the GDPR regime.

The GDPR applies to the processing of personal data in the context of an organisation established in the EU, whether or not the processing itself takes place in the EU. It also applies to organisations outside the EU when they offer goods or services to individuals in the EU or monitor the behaviour of individuals in the EU (Article 3). Processing by competent authorities for law enforcement purposes (which falls under the separate Law Enforcement Directive), processing for national security purposes, and processing by an individual for purely personal or household purposes are outside the scope of the GDPR.
There are 7 salient principles, set out in Article 5 of the GDPR, that organisations must comply with when processing personal data:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Lawful bases for processing
The lawful bases for processing personal data are set out in Article 6 of the GDPR; at least one of them must apply before an organisation may process personal data:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or to exercise official authority, and the task or authority has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or those of a third party, unless there is a good reason to protect the individual’s personal data which overrides those interests. Public authorities cannot rely on this basis for processing carried out in the performance of their official tasks.