No one likes an audit. Everyone wants to get through them as fast as possible, and hopes things are not picked up. Yet audits are very important to business process, and privacy compliance is no different. Why? They provide the necessary check to make sure your intentions are actually being executed in practice, and intelligence to enable adjustments.
This message should come as no surprise. Non-financial audits are BAU for big organisations, and common even for many small ones.
Privacy or data-related audits are rarer though. Privacy risks are relatively new to many organisations, and even if recognised, the organisation may not be mature enough in its privacy approach to have imposed related audit checks.
An audit can have real benefit. Privacy compliance is often heavily based on policies and related training. A periodic audit is often the only way of being able to tell whether those policies and training are actually working.
In our experience privacy audits are doubly vital because all too frequently privacy issues fall into an awkward middle ground of being important, but not amongst the most important of risks (although this trend seems to be changing). With this profile, day to day attention to detail often slips, leadership on issues can wane, and over time a promising management system can be eroded, leaving privacy policies and training hanging.
The rise and rise of technology is also a complicating factor. Even the greatest of privacy management systems are being strained by the pace of technological change and in particular the current rush to look closely at what data you have and how it can be mined/enriched/sliced/shared/used effectively for greater business value. In our experience, many organisations are tempted to sweep existing controls and processes under the carpet when presented with such potentially great opportunities.
If you think your privacy policies might now be residing under the carpet, or just have become stale, remember that the UK government regulator, the Information Commissioner's Office, won't look at you sympathetically. It has recently cited an organisation's lack of effective policy implementation checks as a factor in its decision to levy a fine for breach of the Data Protection Act 1998.
So unleash your auditors periodically and get your privacy systems and processes checked out.
You might be pleasantly surprised by what you find, and even if you aren't, to be forewarned is to be forearmed. It is always better to know you have issues and be able to sort them in your own time, than to be resolving them following a substantive breach.This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.