Auditing Data Protection:  Key Considerations

A previous post this week about the exorbitant costs quoted for a data protection audit by a law firm got me into a spot of bother with said law firm, and so I decided to delete it in order to keep the peace. My post wasn't intended to shame any particular firm and, as it turns out from speaking to colleagues in the sector, the price quoted was actually roughly in line with what other firms quote.

My own personal view is that any Data Protection audit must offer value for money and provide tangible benefits that will progress the data protection program and make sure the organisation subject to the audit can work to implement the recommendations to improve assurance. The cost of an audit will depend on a number of factors and the work involved, but the greater the cost, the more I'd want to be absolutely sure that the investment is worth it and is going to represent a significant return over the medium to long term. That being said, I'm wholly unconvinced that any data protection audit brings value sufficient to charge tens of thousands of pounds.

If your organisation is considering undertaking an external data protection audit here are some things you could consider to ensure you get the most out of it.

1) Be clear about what you want to achieve and the scope of the work required

Data protection is a broad area of information law and auditing compliance with the legislation can be complicated. There are many different types of work that could be considered an audit, from process and documentation reviews to gap analyses and "health checks", and it's important to understand that every approach has benefits and drawbacks. If you're in the market for an audit, you need to have a clear idea of what you want to get out of it and make sure that the provider you're looking at can deliver that.

Whether you need an assurance rating of how your processing stacks up against the principles, or a review of your processes and whether they're robust enough to ensure compliance with the relevant Articles, you need to lead the conversation with what you want to get out of the exercise.

What I'd avoid is allowing the auditors to have too much influence in determining the scope of the engagement. While they may have insight into some of the more common areas of non-compliance within organisations, they should tailor the engagement to the client requirements as much as possible and focus their field work and questions around how your business operates and the level of risk associated with that processing. Before you sign off on anything, make sure you have a clear idea about:

  • Areas of focus
  • People being interviewed
  • How findings will be presented
  • Number of days of field work required
  • What the auditors will be assessing against e.g. legislative requirements, codes of practice, case law, best practice guidance etc.

2) Before you spend money do some ground work

Audits can be expensive in terms of finance, resource cost and effort to remediate findings (that you may or may not have already considered). To get the most out of the audit and to minimise the opportunity for unnecessary padding that states the obvious, you should take advantage of the myriad of free resources out there to establish a baseline of where you think you are and to identify any obvious gaps before the audit starts. Be sure to factor this work into your audit scope. As an example, if you know your ROPA isn't complete and you've got an action plan in place to address it, is there any value to be had in having an audit flag this as a recommendation? If you're using the audit as a platform to secure more resource to complete your ROPA then yes, there obviously is, but otherwise you're paying for someone to tell you what you already know, so it could be a waste of money.

I think the ICO Accountability Framework is a good tool for establishing a baseline of where you are against the ICO expectations but do be aware that they have taken a number of liberties with what they expect and quite a few of the things they say they expect have no basis in law and they wouldn't be able to enforce against some elements of it if you told them to bugger off. That being said the tracker is good for having a visual representation of how far along you are against what they want and it can be used as the basis of a solid action plan.

3) Ensure the audit team understands Data Protection in your sector

A good data protection auditor will take time to understand your business and ask questions tailored to what they find out and that are relevant to your sector. In contrast, an inexperienced auditor could stick religiously to a set of pre-defined questions or published ICO checklists, which could lead to missed opportunities to explore deep-rooted issues that could indicate ongoing areas of non-compliance. When you engage a firm, make a point of exploring the background and pedigree of the auditing team. Ideally you want a team that has experience of carrying out data protection audits in your sector and who can demonstrate a track record of delivering client work that meets expectations. Be cautious of any auditing provider that says they will help you achieve 100% compliance (they won't). I'd also avoid any auditing provider that can't (or won't) explain how they arrive at their findings. To me this suggests that a lot of their recommendations are taken from the ICO website or copied and pasted from other areas.

Also, be aware that some audit firms use lawyers and some will put junior members on the team with experienced supervision in order to allow them to gain experience. Neither of these things is bad, but they could have a significant impact on your experience, the quality of the output and the cost of the work. Don't be afraid to ask for a balanced audit team that is going to deliver what you need. As a final point relating to lawyers: like doctors, lawyers have different specialties. Lawyers with a background in Information Law will have a deep understanding of data protection and the associated issues. Lawyers with different specialties may have experience in data protection but this isn't guaranteed. If a firm wants to put a non-DP specialist on to your auditing team, they should be able to explain what they bring and how they will help you fulfil your requirements. Data Protection is a complex area with multiple nuances and shades of grey, so make sure the team you appoint to audit you is up to the task and has the pedigree and experience to go beyond explaining what's required by quoting the ICO's Guide to GDPR.

As a practical example of why experience matters, I provide data protection services to the university sector, which as you'd expect undertakes a lot of scientific research. Personal data processed for the purpose of scientific research is exempt from a number of important GDPR considerations by virtue of Article 89 of the GDPR, subject to the implementation of appropriate safeguards. If you're going to audit GDPR compliance in relation to scientific research (and I can make very strong arguments as to why all university GDPR audits should do this), then you really do need to ensure that the team understands what exemptions apply and when, particularly when processing relates to the Special Purposes.

4) Agree on costs, timescales and follow up work in advance

As part of any proposal put to you, make sure that the fee structure, timescales and deliverables for the audit are clear in advance of signing off on the work. The number of field days for the audit should be formally capped and the scope should be tailored to make sure that the field days are utilised efficiently.

If the costs associated with the audit are linked to the experience level of the team (e.g. a more junior team member incurs a fee of £500 a day while a more senior member incurs a fee of £1000), you might want to check that the more experienced team member is being utilised where their skills will bring more value.

In terms of timescales, this will very much depend on the scope, and while some leeway should be anticipated, if your audit report needs to go to a committee as part of the academic cycle then you should set a deadline for the firm to work to. If for whatever reason that deadline is missed, the firm should set out what caused the delay and the steps they are taking to rectify the issue. One audit I was involved with earlier in the year had all of the evidence and field work wrapped up on schedule, but then the report itself spent nearly two months mired in the firm's Quality Assurance process, so by the time it eventually landed the findings had less impact because work had carried on to address known gaps.

5) Ensure that you can use the report to drive change

When carried out properly, audits can be a fundamental tool in driving changes that strengthen practices, embed controls and reduce risk. As part of the audit process, ensure you have a clear plan around who the audit will be presented to, how the findings will be communicated and addressed, and how the implementation of any recommendations will be assigned and monitored.

Having an action plan in place to ensure the audit is utilised is key to ensuring return on investment. From a regulatory compliance perspective, a high quality audit is an invaluable mechanism to demonstrate that your organisation is looking to progress the data protection program. Even if you're not where you need to be, evidencing that you have a plan in place to get further along and that you're working through a roadmap will always be better received by the ICO than doing nothing, if you're ever in a situation to be investigated and on their radar.

Data protection audits can be expensive and stressful undertakings, but when planned and executed properly they are one of the most powerful tools available to progress a data protection program and give it a much needed sense of direction.

If you would like to discuss how to make a data protection audit work for your organisation, or look at carrying out a cost effective audit that is full of practical advice beyond what the ICO website says, I offer a full range of auditing services through Clark & Company Information Governance Services Ltd. You can drop me an email to have a chat on [email protected] or call me on 07720641550.

Tash Whitaker

CIPP/E, CIPM, FIP, DPO Certification (Maastricht), PG Cert DP Law & IG. Passionately curious.

2 years

"As an example, if you know your ROPA isn't complete and you've got an action plan in place to address it, is there any value to be had in having an audit flag this as a recommendation?" This was exactly the example I was thinking of when I responded to your post originally. If there is no ROPA then there is no ROPA, it doesn't cost £100k to be told that. If there is no ROPA then the PN will likely need a rewrite etc etc. I've seen the output from some of these audits by law firms and big consultancies and the businesses have no clue how to interpret them or what to do next. So they do nothing. I have also noticed that they are mainly template based with "maturity scores", which really don't help much at all. For that sort of money I'd want an audit and a step by step guide on how to put everything right, and someone to hold my hand whilst I put it right. Oh and maybe pour me a glass of champagne every time my maturity level goes up a notch.

I guess the price might depend on the law firm's involvement in the audit. How much they actually get involved in digging into the subject or simply looking at what is presented to them; then some will guide, others will have a deeper impact into how to present the audit or advise in making up the operations. In fine, the law firm's liability is engaged at different levels and that will also impact the cost.

Heidi Saas

Data Privacy and Technology Attorney | Licensed in CT, MD, & NY | AI Consultant | Speaker | Change Agent | Disruptor

2 years

Excellent points here. I loved your first post, too.

Lee W.

Director at Data Protection Officers for Education / Senior Business Manager / Risk and Control Oversight / Drive Process Improvements and Re-engineering / Start-Ups Challenges

2 years

Some great points and advice raised in this article Craig. It's so important to ensure the audit team understands your sector, how your organisation works, the framework set, and that a single point of contact is engaged to ensure documents or interviews are conducted quickly and productively and to work together. I also think it's important to be able to perform internal self assessments, find the issues in-house, and put corrective actions in place that lead to education within and grow the understanding of compliance.
