
Preparation for data audit

Today, data is an invaluable resource for companies. Collecting, processing and using data is central to running and developing a company. At the same time, it is also an enormous responsibility. Companies are obliged to protect personal data and comply with data protection legislation. In the UK, the data protection agency is the Information Commissioner’s Office (ICO). A data inspection by a data protection agency can occur at any time and can have serious consequences for your company if you fail to protect sensitive data.

Did you know that data leaks that include personal data lead to customer loss and impact on business sustainability?

What will ICO ask for during a data audit?

ICO will ask a variety of questions during a data inspection. The exact questions will depend on the company’s activities and purposes for processing personal data. Some of the questions they may ask during a data inspection may include:

  • Why do you process personal data and for what purpose?
  • What type of personal data do you process?
  • How is personal data stored and protected?
  • When is personal data deleted?
  • What security measures have you implemented to protect personal data from loss, theft or misuse?
  • Have you appointed a data protection officer and what role do they play in relation to handling personal data?
  • Have you documented and assessed the risks of processing personal data, and has a data protection impact analysis (DPIA) been carried out?
  • How do you respond to requests for access to personal data, correction of errors, deletion or restriction of processing?
  • Have you informed the registered persons about their rights and about how their personal data is processed?
  • Have you informed your employees about the internal data protection guidelines and educated them about their responsibilities and obligations?

These questions are not exhaustive and may vary depending on the company’s specific activities and data processing practices. The data protection agency will typically also examine the company’s documentation and policies to ensure that there is consistency between what the company does and what it says it does.


Do this before the data protection agency comes

In order to prepare for a data audit, make sure you have a clear and coherent plan for how your company handles personal data. Here are some steps to help prepare for a data audit:

  1. Get to know the law. The first step in preparing for a data audit is to ensure that you have acquired a good understanding of the legislation that applies to you.
  2. Review and document all processing of personal data in the company. Identify what type of personal data is processed, where the data comes from, how it is processed and who has access to it.
  3. Update IT, policies and procedures. Review and update the company’s IT, policies and procedures for data protection. Identify vulnerabilities and update your practice so that it reflects the applicable legal requirements in the area.
  4. Assess risks and carry out an impact analysis. Identify and assess the risks of processing personal data and carry out a data protection impact analysis to ensure that any risks and consequences of a data breach are under control.
  5. Educate employees. Ensure that all employees in the company are trained in data protection and that they understand their responsibilities and obligations in relation to the processing of personal data.
  6. Ensure documentation and traceability. Document all decisions, procedures and activities related to the processing of personal data in the company and ensure that it is easy to track and document what happened and who was involved.
  7. External cooperation. Consider working with an external consulting firm that can help identify any issues and gaps in the company’s data protection and provide advice and guidance in connection with a data audit.

By following these steps and having a clear plan for data protection in the company, you can better prepare for a data audit – and compliance in general.


The smart way to prepare for a data audit

Preparing for a data audit is a comprehensive task, especially for a small or medium-sized company. GDPR tools can help you meet GDPR requirements and prepare for a data audit much faster and more accurately than if you had to do the whole job manually. These tools can also automate some of the processes involved in processing personal data and complying with GDPR requirements. Read more about what a GDPR tool can do for you here. At Safe Online, we develop GDPR tools that cover the most central places where a company processes personal data. Our tools are:

DataMapper – Find your sensitive data
ShareSimple – Send and receive data securely in Outlook
RequestManager – Process data subject requests easily

Sebastian Allerelli
Founder & COO at Safe Online
Governance, Risk & Compliance Specialist
