Compliant or Non-Compliant? The Importance of Regular GDPR Audits

Mark Thornton


Maintaining GDPR compliance is not a straightforward task for many organisations and requires input and effort from every member of the organisation, regardless of their role. Non-compliance is not an option, and one minor oversight can result in heavy fines (penalties of up to the higher of 20 million euro and 4% of global turnover), revenue loss, lawsuits and reputational damage for the whole organisation. Assessing your level of GDPR compliance is therefore a critical step in ensuring that all personal data within the organisation is protected adequately and used in a manner consistent with GDPR guidelines. These assessments often come in the form of GDPR audits, which are an essential tool to help identify and resolve any compliance gaps and ensure your entire organisation is on the same page when it comes to GDPR compliance.

An organisation's biggest asset can also be its biggest risk: employees. Organisations must ensure that their policies and procedures relating to data protection are being followed closely by all stakeholders inside the business. Attackers are so technologically sophisticated nowadays that they can reach highly restricted information starting from something as minuscule as an employee using the same password for both personal and work logons. As a result, organisations need to have a heightened sense of awareness and visibility when it comes to protecting personal data, and to ensure that they are meeting the requirements of the GDPR on an ongoing basis.

Being GDPR compliant is not a one-off exercise – it involves continuous monitoring and analysis of organisational behaviour and ensuring that each department is playing its part in helping the organisation comply with the mandate. Audits are a key component of such monitoring and analysis, and allow senior management to get a much deeper understanding of how compliant their organisation is in relation to the 99 articles of the GDPR (where applicable). It is a mandatory requirement for organisations to review the effectiveness of their GDPR practices, hence the need for GDPR audits.

Asking an external auditor to come into your organisation and effectively look for gaps in your company policies and procedures can often seem daunting to senior management. Some managers will take a very protective stance when it comes to any gaps identified by the auditor and might not be very forthcoming with information, or may even provide false information. It is important for organisations to remember that having regular audits is very much about showcasing a proactive attitude towards data protection, rather than reacting after a breach has occurred. The auditor's job is to help the organisation by identifying what policies are working well, what policies are missing, and what policies are simply not being followed. By doing so, corrective action can be taken before any sensitive information is accessed by unauthorised personnel.

In most cases, the auditor will spot things that internal employees would not have seen. Fresh eyes coming in from the outside remove bias, provide a truthful and knowledgeable assessment of what is going on, and bring an individual who is not afraid to step on people's toes to ensure compliance with the GDPR. As mentioned above, GDPR audits are a very powerful tool for finding non-conformities and for helping the organisation put corrective actions into practice to resolve these issues.

Here are some examples of what a GDPR auditor will typically look for when they come to assess an organisation:

  • What personal data does the organisation process? 
  • What processing activities are carried out on this personal data? 
  • What technical and organizational measures are taken to safeguard this personal data? 
  • Where is this personal data stored? 
  • Who can access this personal data? 
  • Are there data protection policies in place?  
  • Are these policies being followed closely by all stakeholders within the organisation? 
  • How does your organisation comply with the six guiding principles of the GDPR? 
  • How does your organisation support the rights of the data subject? 
  • When is the last time data protection training was carried out? 
  • Does your organisation develop software that processes personal data? If so, how do you identify and manage the risks involved with such processing? 
  • How do you assess the third parties with whom you enter into engagements?
  • Do you transfer any data internationally? 

By asking these questions and more, the auditor collects all the information required and reviews it against each of the requirements in the 99 articles of the mandate. This comparison of GDPR requirements versus actual behaviour allows the auditor to spot gaps and recommend the changes that must be made for the organisation to be fully GDPR compliant.

Ensuring your employees remain GDPR compliant: 

In many cases, employees will only ever read company policies and procedures during their onboarding and completely forget about them once they get settled in. This can have an extremely detrimental impact on an organisation's ability to remain compliant, as auditors will find, in more cases than not, a gap between employee behaviour and company policy.

To help address this gap, it is important that employees have a good understanding of the policy and do not just read over it. They must be aware of their role and responsibility in helping the organisation adhere to its data protection obligations. In our experience, a simple tool for companies to assess their employees' knowledge of company policies and procedures is to test them. Carrying out a test will help an organisation get a much better idea of where its employees' data protection knowledge is at, and identify opportunities for further training. This training is a crucial part of helping employees understand the GDPR and where their role resides in helping achieve compliance.

Some notable GDPR fines: 

British Airways – €204,600,000 – 2019

In July 2019, the ICO announced its intention to issue a €204.6 million (183.39 million pounds) fine to British Airways for violation of Article 31 of the GDPR. The incident occurred in September 2018, when the British Airways website diverted users' traffic to a website controlled by the attackers. This resulted in the theft of the personal data of more than 500,000 customers. The company had inadequate security mechanisms in place to prevent such cyber-attacks from happening.

Marriott International – €110,390,200 – 2019


Again in July 2019, the ICO issued a statement of its intent to fine Marriott International for infringements of the GDPR. The ICO explained that the fine related to a cyber attack in which over 339 million guest records containing personal data were exposed. Out of those 339 million individuals, 31 million were residents of the EEA. Marriott International exposed itself to the cyber-attack through its acquisition of the Starwood hotels group. The ICO concluded that Marriott failed to undertake sufficient due diligence after the acquisition and should have implemented appropriate security measures.

Google – €50,000,000 – 2019

On 21 January 2019, the French National Commission on Informatics and Liberty (CNIL) fined Google €50 million.

This was the biggest GDPR fine issued to date, and it was issued for violation of:

  • Information to be provided where personal data are collected from the data subject – Article 13
  • Information to be provided where personal data have not been obtained from the data subject – Article 14
  • Lawfulness of processing – Article 6
  • Principles relating to the processing of personal data – Article 5

The fine was therefore issued on account of a lack of transparency about how the data were harvested from data subjects and used for ad targeting. Google failed to provide users with enough information about its consent policies and did not give them enough control over how their personal data is processed.

H&M – €35,258,707 – 2020

Just last month, the Hamburg Commissioner for Data Protection and Freedom of Information (BfDI) issued a €35.3 million fine to the Swedish retail conglomerate Hennes & Mauritz (H&M) for violation of the GDPR. The issue became public after a technical error: for a few hours, the data on the company's network drive was accessible to everyone in the company, and the press picked up the news, making the Commissioner aware of the violation. The case is particularly interesting because the company collected sensitive personal data about its employees through whispering campaigns, gossip and other sources, used it to build profiles of employees, and then relied on that data in the employment process. The personal data included medical records, including diagnoses and symptoms of illnesses, as well as private details about vacations and family affairs.

Smarttech247's data protection experts offer knowledgeable, practical and interactive training that covers everything from the basic principles of the regulation down to the technical and organisational measures your organisation should have implemented. We are experienced in helping organisations assess their GDPR compliance and offer a variety of supporting services to help them maintain compliance, such as:

  • GDPR Audits 
  • GDPR Gap Analysis 
  • Data Discovery and Classification 
  • Privacy Impact Assessments 
  • Policy Draft and Implementation 
  • Training and Awareness 

If your organisation wants to get a better idea of its level of compliance, or wants further information on any of the above-mentioned services, please don't hesitate to book your FREE 1-hour data protection consultancy today:
