How to Conduct a Data Privacy Compliance Audit

If you’re a responsible driver, you get an oil change at least once a year. If you care about your teeth, you go to the dentist every six months. And if you want your organization to stay in compliance, you conduct an internal privacy compliance audit on a regular basis.

A privacy compliance audit is an assessment that ensures your business complies with regulations like the GDPR, CCPA/CPRA, LGDB, and more. Essentially, it’s a way to evaluate how your company keeps track of data. Government agencies can carry out these audits, but in this article, we’re giving you the information you need to conduct such an audit on your own.

We’ll discuss what a privacy compliance audit is, why it’s important, and what an auditor might look for.

What Is a Data Privacy Compliance Audit?

In essence, a data privacy compliance audit is a way to assess your business’s current risk of noncompliance.

A privacy audit:

• Assesses a business’s privacy protection policies and procedures
• Checks for the use of first-party and third-party cookies
• Investigates third-party requests to collect and share data

The resulting information reveals whether your organization complies with privacy laws like the GDPR and CCPA/CPRA. If not, the compliance audit will identify where the risk resides. Then, you’ll evaluate the technical, physical, and administrative privacy controls in place to mitigate those risks. Once complete, you can take action to make sure your privacy policies and consent management meet the latest regulatory requirements.

How to Conduct an Internal Privacy Compliance Audit

Getting started with your own privacy compliance audit can feel overwhelming. With this audit checklist, you can discover areas for improvement, minimize liability in case of a breach, and gain user trust by protecting their personal information.

1. Establish context

Before beginning a compliance audit, it is essential to establish context by determining which laws apply to you. Data privacy laws vary on a state-to-state basis — and each of those laws has its own criteria for which businesses it applies to. For example, even if you run a Utah-based organization, there’s a chance you still have to comply with California’s CCPA/CPRA. If you run a California-based organization, for that matter, you may have to comply with Utah’s UCPA.

Finding out which regulations apply to your business is an important first step. And even if you aren’t subject to a given data privacy law, you might still want to implement its requirements. Doing so will ensure you’re respecting your customers’ data rights and sets you up to gain customers in that jurisdiction in the future.

2. Determine what disclosures you need to make

While every privacy law aims to protect consumer data, they all go about it differently — that’s why it’s important to establish context by assessing your existing policy for compliance or developing one from scratch if nonexistent. And because each law has its own disclosure requirements, understanding the nuances between privacy laws will help determine how your organization should draft its privacy policy or revise its current policy.

For example, before a business collects any personal information, the CCPA/CPRA requires them to:

• Share the categories of personal information collected about consumers
• Explain why they use the categories of information
• Include a “do not sell” link if the business sells personal dataLink to their privacy policy, which must include consumers’ privacy rights and information on how to exercise them

The GDPR requires businesses to share a privacy notice in a “concise, transparent, intelligible, and easily accessible form.” The privacy notice should include:

• Why your organization process personal data, including a legal basis
• The third-party recipients, or categories of recipients, who will receive personal data
• Whether you transfer data to a different country and, if so, how it’s protected
• The amount of time data is stored or the criteria used to determine when to delete data
• Data subject rights, including the right to withdraw consent and lodge a complaint with a supervisory authority
• Whether you use an automated decision-making system, why it’s used, and the consequences of its use
• The identity and contact information for the organization, its representative, and the data protection officer
• Whether sharing personal data is required and the consequences of failing to provide it

If your business obtains data indirectly, you don’t need to include the last bullet point. However, you must disclose all of the categories of data collected.

Remember: Each law has its own disclosure requirements, so make sure to review the text of the relevant law or laws you identified in the first step. What’s more, you have to actually act on what you say in your privacy policy. In order to do that effectively, you’ll want to take an inventory of your data practices.

3. Take an inventory

Before you change anything, take stock of your current data practices. Answer the following questions:

What are your current data management practices and policies?

• How is information created or received, distributed, used, and maintained? Do you sell it or use it for targeted advertising?
• When is data deleted?

What current records does your organization hold?

• What information is personally identifiable vs. non-personally identifiable?

What is your opt-in policy?

• Are you aware of all first- and third-party cookies?
• Do you receive unambiguous consent from consumers for the use of these cookies?

Data mapping will help you understand how data is received, managed, stored, and shared. When you know where your data lives, you are better equipped to protect it.

As you evaluate your organization’s data privacy practices, pay special attention to the following risk areas:

• Operating model: How is data protected as it’s processed and stored? Are you using appropriate security measures for hosted or in-house data storage?
• Social media: What policies are in place to prevent the disclosure of sensitive data on social networks?
• Technology: Is there a policy that requires employees to use only business devices on secure networks? How are location data and hardware identifiers handled?
• Workflow: How does information flow in and out of the organization? Does everyone have access to everything, or is access to sensitive, personally identifiable information restricted?

4. Implement the right contracts

Make sure you have the proper contracts in place. For example, if you’re transferring data from the EU to the US, you’ll need to have standard contractual clauses according to the GDPR. In 2021, the European Commission issued and pre-approved 3 sets of standard contractual clauses to ensure appropriate data protection safeguards.

Under California law, you’ll need agreements in place with service providers and other third parties to ensure they’re appropriately handling the data you’re sharing with them. When the CPRA goes into effect in 2023, businesses, third parties, service providers, and contractors will be subject to new contractual requirements. The company should have a contract with third parties, service providers, and contractors that:

• Specifies that personal data is shared or sold for limited and specific purposes
• Requires the third party, service provider, or contractor to comply with CPRA regulations
• Gives the business permission to take steps to ensure the transfer of personal information is done according to CPRA requirements
• Requires the third party, service provider, or contractor to notify the business if they are unable to meet CPRA obligations
• Authorizes the business to take action to stop and rectify any unauthorized use of personal data

If a business carries out third-party or contractor transfers, it should also ensure transfers meet the requirement for “business purposes” and prohibit the service provider or contractor from:

• Selling or sharing personal data
• Retaining, using, or disclosing personal information for non-business purposes
• Retaining, using, or disclosing personal information outside the scope of the business relationship between the business and service provider or contractor

Contracts ensure that everyone you do business with understands their data privacy requirements. Protect your business and your customers’ personal data by holding everyone you work with to the standards established by data protection laws.

5. Establish how you’re handling incoming DSARs

Almost all of the major privacy laws, including all of the state laws implemented in the last few years, contain requirements for handling data subject access requests (DSARs). Is your business prepared to handle them?

When a person (or “data subject”) submits a DSAR — for any reason or no reason at all — your organization is required to respond with a copy of any information you have on the subject. Subjects can request the following:

• Confirmation that you process their personal information
• Access to the personal data you have about them
• Your legal basis for processing their data
• The amount of time you will store their data (or the criteria you’ll use to determine that period — i.e., “as long as you’re a customer”)
• Any relevant information about automated decision-making and profiling
• Any relevant information about how your organization obtained the data
• The names of any third parties who will receive a copy of their personal information

If you have data scattered across dozens or hundreds of platforms, responding to a DSAR will take time. However, if you don’t respond within 30 or 45 days (depending on the applicable law), your organization may face significant regulatory fines or penalties.

There is no “right” way to respond to a DSAR, but your company should have a plan to handle them when you receive one. The best way to prepare for a DSAR is by knowing what data you collect, where it’s stored, and why you have it.

6. Ensure engineering is following privacy by design

While a data protection officer may be the ringleader of your privacy protocols, every department should do its part to adhere to data privacy regulations. Privacy by design is an engineering principle that emphasizes implementing privacy into your products from the beginning.

It’s more than just a good idea. Article 25 of the GDPR speaks specifically to data protection by design, saying that “the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures.” According to the seven foundational principles of privacy by design, businesses should create a system that is:

• Proactive, not reactive
• Designed with privacy as the default setting
• Developed with embedded privacy features
• A win-win approach with no unnecessary tradeoffs for full functionality
• Protective of the full lifecycle of data with end-to-end encryption
• Marked by visibility and transparency
• User-centric

Start with privacy in mind to reduce your workload later and ensure compliance from the very start.

7. Perform due diligence and ongoing vendor monitoring

You may run the most compliant business in the world, but a non-compliant vendor could ruin your credibility. That’s why vendor risk monitoring is so important.

Checking your vendors’ privacy practices when you hire them isn’t enough. Continual monitoring is essential. Doing this yourself is challenging and time-consuming, but fortunately, third-party vendor monitoring solutions exist. For example, you can use Osano’s Vendor Risk Monitoring solution to:

• Assign a privacy rating to vendors according to their privacy practices
• Notify you of changes in privacy ratings
• Track data to fourth- and fifth-parties
• Alert you to vendor lawsuits that could put the vendor out of business or create a risk for your company

As you monitor your privacy practices, check in on your vendors, too. You’re responsible for the data you collect — even once it’s delivered to a third party.

8. Incorporate Feedback

A feedback loop will help your organization continuously improve its privacy program. If you or other team members discover risks — and it’s normal to find a few — don’t keep that information to yourself. Communicate your results immediately so you can make updates as soon as possible.

Use Data Discovery to Audit Your Compliance Efforts

Conducting a privacy compliance audit can feel like a monumental task. When running a business during the privacy revolution, it’s key to earning customer trust and avoiding penalties. Conducting a privacy compliance audit now can save hundreds of hours and millions of dollars in the long run.

If you’re unsure where to start, Osano’s Data Discovery is an ideal first step. It’s impossible to stay compliant if you don’t have a handle on the type of data you collect, where it resides, and how your organization uses it. Data Discovery automatically finds, classifies, and evaluates the data across your systems — in less than an hour. Osano makes it easy to search your data, so you can respond to DSAR requests and comply with data privacy regulations.

With fewer manual steps and faster time-to-results, you’ll be better able to regularly conduct a privacy compliance audit. And just as is the case with regular dentist appointments and oil changes, you’ll be setting yourself up for success in the long run.