What is a GDPR audit?
A GDPR audit is an independent activity designed to objectively evaluate the effectiveness of a company’s data privacy controls, risk management and governance. Such audits were popular in the months before the EU GDPR came into force in May 2018.
What has changed since 2018?
Much has changed since then, and the world of data privacy continues to change. Audits conducted in or around 2018 will not have covered several major issues that have arisen since and that are now necessary or recommended for data privacy compliance in 2024. The UK regulator, the Information Commissioner’s Office (ICO), has also been issuing an increasing number of fines. Precedents for such fines from other regulatory authorities include Meta (€1.2 billion) and Google (€90 million). But as we explained in our recent newsletter, smaller companies have also been hit.
What should companies do to remain compliant?
3CS strongly recommends that all companies carry out regular reviews in order to satisfy themselves that they are compliant with the current rules. Regular audits also showcase a company’s commitment to data privacy and security, helping to build trust among customers, partners and stakeholders. Companies will also lower the likelihood of a substantial fine in the event of non-compliance if they can demonstrate that an audit has taken place.
Which areas should companies consider?
Areas which companies should consider are:
- International transfers of data
If a company transfers personal data to jurisdictions outside the UK that do not have a UK adequacy decision, it will need to comply with laws and regulations that were not in force in 2018. These rules apply to all such transfers: where there are no UK adequacy regulations for the country to which the data is being transferred, transfers can only be made after conducting a transfer risk assessment and evaluating appropriate privacy and security safeguards.
- Cookies and consent
Where the setting of a cookie by a website involves the processing of personal data, companies will need to make sure they comply with the requirements of the UK GDPR. Website operators need to request consent to use cookies, and such consent must be freely given, specific and informed (unless the cookie is strictly necessary). Cookie compliance is a favourite topic of the ICO, which recommends that all website operators carry out cookie audits to understand which cookies their website uses, and why.
- Ad tech
For companies that rely on online advertising as a source of revenue, the GDPR raises additional issues. The ad tech industry has come under increasing scrutiny from data protection regulators in recent years. The complex ecosystem of advertisers, platforms and intermediaries used to deliver interest-based adverts to consumers is a potential minefield for UK GDPR compliance. The ICO and other regulators recommend strict analysis of proof of consent, the use of correct legal bases and ensuring transparency – these are key aspects of the UK GDPR. Understanding your level of compliance by way of an audit is highly recommended.
- Artificial Intelligence
Data governance has been placed at the heart of emerging approaches to the regulation of AI services around the world. The UK GDPR is the comprehensive privacy law in the United Kingdom – it is relevant to all industries and applies to all personal data, regardless of type or context. Its provisions relevant to AI include:
- automated processing of data (including personal data), which is highly regulated;
- a robust requirement to inform people how their personal data is going to be used;
- a clear requirement to conduct a data protection impact assessment for new AI-connected technologies; and
- automated individual decision-making, including profiling, requiring explicit consent from the data subject for the processing of personal data.
For all AI tools, lawfulness, fairness and transparency are key requirements under the UK GDPR. If your company intends to make increasing use of AI, a GDPR audit to understand how you currently satisfy the above criteria is highly recommended.
- Ransomware, cyber-attacks and data security
Ransomware is a type of malicious software, known as cryptovirological malware, that permanently blocks access to a victim’s personal data unless a ransom is paid.
The ICO has issued specific guidance in connection with ransomware which states that:
- the UK GDPR requires you to regularly test, assess and evaluate the effectiveness of your technical and organisational controls using appropriate measures. There is no single test that can be carried out; all tests should be considered within a company’s wider security framework;
- when data controllers become the subject of a cyber-attack or ransomware incident, the UK GDPR confers a responsibility to determine whether the incident has led to a personal data breach, and companies are required to notify the ICO of a personal data breach without undue delay and no later than 72 hours after having become aware of it;
- once aware of a cyber-attack or ransomware incident, a formal risk assessment should be conducted; and
- a backup of your personal data is one of the most important controls in mitigating the risk of ransomware.
A key principle of the UK GDPR is that you process personal data securely by means of ‘appropriate technical and organisational measures’ – this is the ‘security principle’. In cyber-attack and ransomware scenarios, assessing whether technical and organisational measures are robust forms a critical part of a modern GDPR audit.
A breach caused by inadequate IT security will result in the victimised company being held accountable. In 2020, British Airways was fined £20 million for “poor security arrangements” that made it possible for cybercriminals to exfiltrate data belonging to around 500,000 customers. The fine initially proposed was £183 million, which was reduced only due to COVID-19 sympathy. The expectation is that future fines will be very large.
- Biometrics
Biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images or dactyloscopic data (fingerprint data).
Biometric data is increasingly being used in today’s world and, under the UK GDPR, it is designated as a subset of personal data known as special category data. The UK GDPR requires that these types of personal data be given specific protection, as their theft or misuse could create significant risks to an individual’s fundamental rights and freedoms.
All companies therefore need to take greater care when collecting, processing and storing such information in compliance with the UK GDPR. An audit will help to ensure that an organisation’s compliance is fit for purpose.
How 3CS can help
For further information on GDPR audits or help with any data privacy or commercial legal matter, please get in touch with your usual 3CS contact.