I know, it's a rubbish Star Wars pun, but I couldn't resist. In this post, I talk about the mechanics of our external audit and how it went.
If you've been following my posts, you'll be up to speed on our journey towards compliance with the GDPR, come May 25th 2018. If you haven't, then feel free to brush yourself up. :)
- Achieving GDPR compliance: Episode I
- Achieving GDPR compliance: Episode II
- Achieving GDPR compliance: Episode III
As it's a bit of a saga, I've nicked the Star Wars naming structure. Sorry about that.
Anyway, to summarise, we've been doing a tonne of things to ensure we're operating within the law, once the legislation becomes enforceable next May. As a result of all that effort, we decided it was perfectly reasonable to bring in an external assessor to validate or debunk that work. And that's precisely what we did.
I've talked about all the previous audits we've been through, internal, external, ISO this, ISO that and so on, on our various trips to gaining accreditations, so we're pretty well drilled on how these things pan out. With the GDPR, we're talking about complying with legislation, which has a natural gravitas of its own.
The lead in
So, all the work we've done so far has been based on our own interpretation of the GDPR, mixed with some guidance we've sought from both the UK Information Commissioner's Office (ICO), other sources and also some basic common sense. We also mapped out our ISO27001 compliance position against the GDPR requirements. All of this seemed sensible. On that basis we created our various work streams and set people off doing good stuff.
Around late Summer (UK), we decided that the obvious next step was to get someone in to, as I mention above, take a look at our progress. We commissioned the NCC Group for this specific purpose.
We'd already figured out what our main focus areas / questions were:
- Are we processing data for longer than we should?
- Are we comfortable with our levels of access control to personal data?
- Do we have robust processes in place to cover data subject rights?
- Are we handling consent in a way that ensures compliance?
Probably the key issues or considerations for most organisations, to be fair.
OK, so we motored on with our improvement plans against those four main themes. And we still are.
As far as the gentleman that came in to see us was concerned, this was a 'health check' rather than an audit. As a well audited firm, we treated it as the latter and set it up as such. That said, it was nothing at all like this:
We provided a proposed approach; speak to individuals responsible for processing personal data as part of their job, speak to those building systems that do the processing automatically, speak to the guys who handle things like subject access requests and of course speak to those who lead the organisation.
We had a pre-'health check' conversation with the assessor, where we put forward our proposal, coupled with sharing some preliminary information and making it absolutely clear that as far as we were concerned, it was a completely open exercise, designed to ensure we're doing the right things, rather than ticking all the boxes.
Everyone agreed. We're not going to improve, let alone comply, if we don't know precisely what the areas are that need attention.
- Leadership and governance of our compliance project
- Marketing and generally contacting individuals
We tackled some of the thornier subjects early on and why not? The feedback was positive; we do have good leadership and governance around the project (we have buy in and commitment at the highest level of the organisation); we're giving serious consideration to how we market to and contact individuals (indeed, it's kept a lot of us up all night, making sure we operate within the legislation!); and of course how we use technology to underpin our compliance, be it through automation of tasks such as the deletion of data once we no longer have a business processing it, or by making the fulfilment of data subject rights a painless process.
Retention it seems is a widespread issue, across organisations in general. We have a good plan to address this, which is great.
It went well. Lots of questions, lots of open and honest answers. A great start.
- Information security management
- Suppliers and third-party organisations
- Human resources
- Learning and development
Our ISMS came under scrutiny on day two, but it wasn't for the first time. It gets a good going over in each and every one of our compliance audits against ISO27001, CAS(T), Cyber Essentials and so on. It's pretty robust and the auditor agreed. We do need to do more around business continuity, but it's hard to simply turn everything off and then test that you can still do business. We're working on this.
Making sure risk assessment reaches every aspect of the business is also a challenge and again, this is something we acknowledge and are working on.
Data Protection Impact Assessments (DPIAs) are a relatively new thing and our thinking around them was simply that they applied to system design and other architecture disciplines. No, they apply to all aspects of how your organisation operates, where personal data is concerned. Go and read up on this, as it's important to know the detail.
With suppliers it was interesting; how do we ensure we have adequate wording in contracts that ensure they are keeping up their end of GDPR compliance, when we would assume that they are also going through their own process of compliance? This is something we've got our legal counsel working on and we feel pretty comfortable we've got it covered.
With third parties it's a little more complex - we have controller to controller relationships in place, as well as more classic controller to processor ones, but this is something we're getting our heads around and again, our legal counsel is working on how we build the right things into our contracts.
With HR and L&D, it's about making sure we've got our policies brushed up, communicated out, read and understood, as well as evidence of such. HR is something firms need to ensure they consider, as staff data is as much in scope of the GDPR as anything else. Don't just assume it applies to customers!
One thing we do need to do better (and we know it) is to make our company-wide training on information security in general a more frequent thing. We're on it. :)
The final day, which included the auditor's summing up.
- Data subject rights
- Operational processing of personal data
- Physical security
- Closing session (and summing up)
Happily, we have a pretty robust subject access request process and it's followed perfectly. It does require a few tweaks to reflect the nuances of the GDPR, but nothing more than that. We do need to produce similar processes for the other subject rights being brought in however, such as the right to erasure, accuracy and data portability and both our regulatory and technology teams are on with this now.
In terms of our operational teams (customer services, technical support and so on), we're really talking about continuing to follow well established processes, including escalation where necessary. We do need to ensure we have widespread awareness of the subject, but as I mentioned above, our L&D team are on the case.
In terms of physical security, this was all about our HQ as a thing of bricks and mortar (and wood, metal and glass). We found a broken door lock and a room that needed better locking down, which wasn't bad for a site with over 1200 people in it and many visitors, day in, day out. Within practically minutes of these findings, our building security manager had work in flight to sort those things out.
Our visitor management, access management and such like are in good shape, so it's a case of doing more of the same.
Closing session and conclusion
So, the audit went really well and we got out of it exactly what we hoped; some good feedback and some good advice.
- Look at our business continuity planning and testing
- Review our risk assessment process to ensure it's covering all relevant aspects of the business
- Fix that door! (and restrict access to the other one)
- Tighten up our assessment documentation around suppliers
- Get data retention nailed
- Understand and properly implement DPIAs
- Keep an up to date record of our data processing activities (people, processes, systems)
- Get on with regular awareness and training around personal data and privacy
The great news is that we're looking at all those things (well, doing them rather than simply looking at them) and feel far more confident that we're doing the right things and are well on our journey towards compliance, come May 25th, 2018.
Vitally, we've got a really great crew at our helm (I'm the old one):
The GDPR. It's all common sense.
Thanks for reading.