The European Union's General Data Protection Regulation (GDPR) took effect back in May, and companies that scrambled to satisfy GDPR's requirement are enjoying the sense of satisfaction that comes from completing a project.
But, as with almost all technology projects, the job is never truly done. There's always the routine maintenance and updates of the tools used to provide GDPR data protection. There's also a need to keep track of new data collected by business units and ensure that it is being protected.
Plus, audits are necessary to ensure that compliance procedures are being followed. GDPR lawsuits were filed against large companies like Facebook and Apple the day the regulations went into effect, and firms remain vulnerable. Documenting GDPR compliance audits can help demonstrate your company is making a good-faith effort to comply and reduce the risk of substantial penalties.
GDPR Audit Process
Audits help demonstrate that the company has processes designed to satisfy GDPR's requirements, including getting user consent for use of data, using data only for agreed purposes, updating or deleting data on user request, and reporting data breaches promptly. An audit can help you identify new data sources that must be brought into GDPR compliance and evaluate the effectiveness of controls on existing data sources.
To perform the audit effectively, follow these steps:
- Collect protected data usage details. Before you can assess the effectiveness of your GDPR controls, you need to understand the data GDPR applies to. Identify the information collected by each department you will audit. Don't let the department tell you which information needs to be protected; that evaluation should be part of the audit. For each department and data source, assess whether the information falls under GDPR's protections. Collect additional information to document how GDPR's requirements are being applied to this data.
- Identify GDPR compliance gaps. With the information gathered and documented, highlight any gaps in compliance. New applications often create new data that needs additional controls. Also be aware of manual processes that create or use data in spreadsheets and other tools that aren't centrally managed.
- Create a GDPR remediation plan. Once the audit review is completed, plan to take steps to correct any issues. Gaps can be prioritized based on how far they are from ideal compliance and how likely misuse of the data is.
- Reevaluate after remediation. After a remediation project is completed, the audit team should re-assess the data and controls to ensure that the compliance requirements are successfully resolved.
GDPR compliance is an ongoing project, not a task that can be checked off and forgotten. dcVAST supports organizations in achieving GDPR compliance through the suite of tools from Veritas that reduce the challenges of identifying protected data and tracking its usage. Contact us to learn more about why you need to continue to be focused on GDPR and how you can stay in compliance with this important regulation.