By Phil Brining.
I’ve been doing GDPR auditing again this week which has been a nice break from working with the PCI DSS because as I’m sure you’ll agree, one of life’s real pleasures is working with the GDPR.
The last few compliance assessments I’ve done have been carried out remotely but this week, I travelled to the south coast to attend a customer’s site in person. An on-premise assessment. I confess I absolutely love doing GDPR auditing and, not to blow my own trumpet, I think that I am actually pretty good at it!
Unfortunately, my gut feeling is that there is still an awful lot of work for this particular auditee to do to get themselves to a demonstrably compliant position and to give a high level of assurance of remaining compliant once they have got there. My job is to reach a balanced, sensible, and justifiable assessment of compliance across the 30 or so topical areas of assessment over the entire business operation and provide them with a pragmatic plan so that they understand what they need to do to achieve and maintain compliance. I’ll have to keep the customer on board and ensure I don’t throw anyone under a bus or leave anyone out on a limb. There is a bit of a knack to delivering bad news, showing why an area is not compliant whilst keeping everyone on board.
I can hear the hackles going up already about me going into an audit with pre-conceived ideas, but a simple review of the customer’s website and some of their data protection policies left me with a number of concerns.
If you consider that there are some very prescriptive aspects of the GDPR and some other aspects that provide less definition, it still surprises me that people can’t even get the prescriptive stuff right, particularly because it is pretty easy to assess. And if little old me can assess the overtly prescriptive aspects, why can’t the good folks who invite me in to do an audit?
For example, it is easy to determine if a privacy notice contains all of the mandatory elements set out in Article 13 (and 14 where relevant). Sure, to go one step further is a little trickier – i.e. assessing if what it says is sufficiently comprehensive and true – but checking if the mandatory things like the list of rights is there or not is dead simple.
It’s also pretty easy to review a data retention schedule and identify if it contains duplicate entries but with different retention periods. These aspects are not rocket science and, to be entirely honest with you, I fully expect them to be in place – in full.
Of course, I’m not only there to assess whether something is compliant now. I see it as part of my engagement to assess the likelihood of remaining compliant and to provide advice where assurance can be improved. What I’m looking for here is a systematic way of dealing with that bit of the GDPR: a short policy, a few lines of operational procedure, a drop of record-keeping and some evidence of periodic review, for example. If I can see that a systematic method for managing compliance has been properly implemented and has stuck in the organisational culture, then I am left with a higher level of assurance that the customer will remain compliant going forwards. Without that systematic approach to governance, the level of assurance is somewhat eroded.
For example, privacy notices might be compliant today (e.g. they contain all of the information required under Article 13; correlate with the purposes listed in the RoPAs; are corroborated by the evidence on the ground of the processing actually being undertaken; cross-check with the list of processors and data sharing contracts; and match the retention information stated in the data retention schedule), but how are they going to remain compliant? If someone is on the hook for performing a bi-annual review, and if staff have been told and trained that alterations to privacy information must be approved by the compliance manager etc., then there is more chance that they will remain compliant.
But hold up there! According to the privacy notice I reviewed for the audit tomorrow, it was reviewed only a matter of months ago. How then does it refer to the 8 data protection principles of the 98 Act? How does it not mention the purposes for processing or the legal grounds? Who reviewed it, and against what?
What we could do with is a proper standardised framework to perform assessments against. Yes, I know about BS10012 and ISO27701, but I truly think that at Data Protection People we have developed a methodology and approach to assessing compliance against the GDPR which is absolutely the best in class.
Roll on tomorrow – I can’t wait!
Written by Phil Brining 10.05.22