We have previously looked at how companies can manage the reputational consequences of a data breach, by getting ahead of the media narratives, responding to public authorities, pushing back on cybercriminals and managing the rights of affected individuals.
These can be extremely useful approaches when a data breach has been suffered and the consequences are being felt.
But what if the breach could have been avoided in the first place?
It is common to hear that, with the mass-utilisation of new digital technologies, cyberattack attempts and security lapses are inevitable – however, allowing those incidents to reach the level of a full data breach is not.
Carrying out data audits and security compliance checks can help you mitigate the risk of a data breach, and with it the risk of regulator action and reputational damage.
What should you think about if you're planning a data audit?
In UK and EU GDPR terms, a data audit involves looking at your organisation through the lens of data protection, working out and documenting what personal data there is within the business and how it is used.
This allows you to gain visibility over:
A data audit will also allow you to pinpoint the highest-risk areas of your business, such as those activities that involve special category data, or data relating to children or criminal activity, and apply appropriate controls to the use of that data.
Where you already have a compliance programme in place, the audit process can be used to:
A data audit is one of the first steps in any legal compliance project. Once you understand the data within your business you can align your use of that data with the requirements of the (UK) GDPR.
In particular, an audit will help with two key GDPR obligations that – if done wrong – are likely to attract the attention of a regulator: accountability and security.
The accountability principle requires organisations to take responsibility for their data protection compliance and be able to demonstrate that compliance. In practice this means having a suite of records, policies and processes, backed up by staff support, reporting lines and appropriate training.
This is an inescapable part of an organisation's GDPR compliance and typically the first port of call for a regulator when assessing a business's approach to protecting the data of individuals.
A strong level of accountability almost straight away answers the question: how seriously has this organisation approached its data protection obligations? It can be a mitigating factor that might stave off serious regulatory action (eg the imposition of a fine) in the event of a data breach, and of course help to avoid a breach entirely.
Carrying out and documenting a data audit, even at a high level, will quite quickly show how visible your organisation's compliance with data protection law is, and how you might look to an external assessor.
Documenting it is critical, allowing you to take stock of what you do with personal data and to form a key part of your record of processing activities.
You can read more about the obligation to demonstrate compliance here.
A data audit can also effectively pinpoint and manage your security risks. In the digital age this is key, with a growing number of cyberthreats seeking to exploit security flaws, and businesses keen to implement new technologies (and the natural knowledge gaps that might arise internally). Security lapses can be difficult to avoid.
Combine this with strict UK and EU legal requirements to implement "appropriate technical and organisational security measures" taking into account such risks, plus the threat of monetary penalties when things go badly wrong, and we see more and more organisations with an increased appetite for carrying out data audits to manage – not just personal data elements – but information security as a whole.
It may seem obvious, but to assess what security measures are appropriate to the risks of your processing, you must have a detailed understanding of the data you are processing and the context of that processing.
Imagine you have hastily implemented a health survey process for your employees and site visitors to screen for symptoms of COVID-19 when they attend your business premises. As health data this would be protected as special category data under the UK and EU GDPR and require enhanced security protections – a failure to properly protect this data leading to serious consequences for individuals could amount to a considerable regulatory exposure for your business.
Understanding how much data is collected, where that data is held, under what controls and for how long, becomes an extremely important exercise to help manage this risk. By carrying out a data audit, you may be able to avoid future breaches.
You can see a summary of security and breach reporting regimes, as well as some top tips for compliance here.
Under the UK and EU GDPR, a country's appointed data protection supervisory authority has the power to investigate businesses and conduct its own compliance audits. In the UK you can request an audit yourself, but more commonly, the Information Commissioner's Office will investigate and audit businesses whose practices have been brought to its attention as having materially failed.
If you are subject to a supervisory authority investigation, it's vital that you can demonstrate a sound understanding and mapping of the data flows within your business, and that you have reviewed the risks and applied appropriate security measures to that data. This will help the regulator see you as a collaborator in the protection of personal data, rather than as a risk to the rights and freedoms of individuals.
To find out how we can assist with your data audits and compliance processes, please reach out to a member of our Data Protection & Cyber team.