If you’re a responsible driver, you get an oil change at least once a year. If you care about your teeth, you go to the dentist every six months. And if you want your organization to stay in compliance, you conduct an internal privacy compliance audit on a regular basis.
A privacy compliance audit is an assessment that ensures your business complies with regulations like the GDPR, CCPA/CPRA, LGPD, and more. Essentially, it’s a way to evaluate how your company keeps track of data. Government agencies can carry out these audits, but in this article, we’re giving you the information you need to conduct such an audit on your own.
We’ll discuss what a privacy compliance audit is, why it’s important, and what an auditor might look for.
In essence, a data privacy compliance audit is a way to assess your business’s current risk of noncompliance.
A privacy audit:
The resulting information reveals whether your organization complies with privacy laws like the GDPR and CCPA/CPRA. If not, the compliance audit will identify where the risk resides. Then, you’ll evaluate the technical, physical, and administrative privacy controls in place to mitigate those risks. Once complete, you can take action to make sure your privacy policies and consent management meet the latest regulatory requirements.
Getting started with your own privacy compliance audit can feel overwhelming. With this audit checklist, you can discover areas for improvement, minimize liability in case of a breach, and gain user trust by protecting their personal information.
Before beginning a compliance audit, it is essential to establish context by determining which laws apply to you. Data privacy laws vary on a state-to-state basis — and each of those laws has its own criteria for which businesses it applies to. For example, even if you run a Utah-based organization, there’s a chance you still have to comply with California’s CCPA/CPRA. If you run a California-based organization, for that matter, you may have to comply with Utah’s UCPA.
Finding out which regulations apply to your business is an important first step. And even if you aren’t subject to a given data privacy law, you might still want to implement its requirements. Doing so ensures you’re respecting your customers’ data rights and sets you up to gain customers in that jurisdiction in the future.
While every privacy law aims to protect consumer data, they all go about it differently — that’s why it’s important to establish context by assessing your existing privacy policy for compliance, or by developing one from scratch if you don’t have one yet. And because each law has its own disclosure requirements, understanding the nuances between privacy laws will help determine how your organization should draft its privacy policy or revise its current policy.
For example, before a business collects any personal information, the CCPA/CPRA requires it to:
The GDPR requires businesses to share a privacy notice in a “concise, transparent, intelligible, and easily accessible form.” The privacy notice should include:
If your business obtains data indirectly, you don’t need to include the last bullet point. However, you must disclose all of the categories of data collected.
Remember: Each law has its own disclosure requirements, so make sure to review the text of the relevant law or laws you identified in the first step. What’s more, you have to actually act on what you say in your privacy policy. In order to do that effectively, you’ll want to take an inventory of your data practices.
Before you change anything, take stock of your current data practices. Answer the following questions:
What are your current data management practices and policies?
What current records does your organization hold?
What is your opt-in policy?
Data mapping will help you understand how data is received, managed, stored, and shared. When you know where your data lives, you are better equipped to protect it.
As you evaluate your organization’s data privacy practices, pay special attention to the following risk areas:
Make sure you have the proper contracts in place. For example, if you’re transferring data from the EU to the US, you’ll need to have standard contractual clauses according to the GDPR. In 2021, the European Commission issued and pre-approved 3 sets of standard contractual clauses to ensure appropriate data protection safeguards.
Under California law, you’ll need agreements in place with service providers and other third parties to ensure they’re appropriately handling the data you’re sharing with them. When the CPRA goes into effect in 2023, businesses, third parties, service providers, and contractors will be subject to new contractual requirements. The company should have a contract with third parties, service providers, and contractors that:
If a business carries out third-party or contractor transfers, it should also ensure transfers meet the requirement for “business purposes” and prohibit the service provider or contractor from:
Contracts ensure that everyone you do business with understands their data privacy requirements. Protect your business and your customers’ personal data by holding everyone you work with to the standards established by data protection laws.
Almost all of the major privacy laws, including all of the state laws implemented in the last few years, contain requirements for handling data subject access requests (DSARs). Is your business prepared to handle them?
When a person (or “data subject”) submits a DSAR — for any reason or no reason at all — your organization is required to respond with a copy of any information you have on the subject. Subjects can request the following:
If you have data scattered across dozens or hundreds of platforms, responding to a DSAR will take time. However, if you don’t respond within 30 or 45 days (depending on the applicable law), your organization may face significant regulatory fines or penalties.
There is no “right” way to respond to a DSAR, but your company should have a plan for handling one when it arrives. The best way to prepare for a DSAR is by knowing what data you collect, where it’s stored, and why you have it.
While a data protection officer may be the ringleader of your privacy protocols, every department should do its part to adhere to data privacy regulations. Privacy by design is an engineering principle that emphasizes implementing privacy into your products from the beginning.
It’s more than just a good idea. Article 25 of the GDPR speaks specifically to data protection by design, saying that “the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures.” According to the seven foundational principles of privacy by design, businesses should create a system that is:
Start with privacy in mind to reduce your workload later and ensure compliance from the very start.
You may run the most compliant business in the world, but a non-compliant vendor could ruin your credibility. That’s why vendor risk monitoring is so important.
Checking your vendors’ privacy practices when you hire them isn’t enough. Continual monitoring is essential. Doing this yourself is challenging and time-consuming, but fortunately, third-party vendor monitoring solutions exist. For example, you can use Osano’s Vendor Risk Monitoring solution to:
As you monitor your privacy practices, check in on your vendors, too. You’re responsible for the data you collect — even once it’s delivered to a third party.
A feedback loop will help your organization continuously improve its privacy program. If you or other team members discover risks — and it’s normal to find a few — don’t keep that information to yourself. Communicate your results immediately so you can make updates as soon as possible.
Conducting a privacy compliance audit can feel like a monumental task. For a business operating during the privacy revolution, though, it’s key to earning customer trust and avoiding penalties. Conducting a privacy compliance audit now can save hundreds of hours and millions of dollars in the long run.
If you’re unsure where to start, Osano’s Data Discovery is an ideal first step. It’s impossible to stay compliant if you don’t have a handle on the type of data you collect, where it resides, and how your organization uses it. Data Discovery automatically finds, classifies, and evaluates the data across your systems — in less than an hour. Osano makes it easy to search your data, so you can respond to DSARs and comply with data privacy regulations.
With fewer manual steps and faster time-to-results, you’ll be better able to regularly conduct a privacy compliance audit. And just as is the case with regular dentist appointments and oil changes, you’ll be setting yourself up for success in the long run.