Search

How can we help?

Privacy and Data Protection

Audits

 

Audits help organisations to understand and meet their data protection obligations. The audit will check the effectiveness of controls in place and look at the suitability of your policies and procedures.

Our lawyers can conduct a full compliance privacy health check of your business including a review of any technical and organisational measures employed, providing clear and practical recommendations.

“Very professional, knowledgeable and accessible lawyers.” 

Chambers and Partners

FAQs – Audits

A data protection audit assists a business in understanding what personal data the organisation collects and processes. It is carried out to ascertain if the organisation is compliant with the data protection laws and it will usually assess the organisation’s procedures, systems, records and activities.

In order to:

  • Make sure the appropriate policies and procedures are in place.
  • Confirm if those policies and procedures are being followed and enforced.
  • Evaluate the effectiveness of existing controls.
  • Identity actual or suspected breaches of compliance.
  • Suggest any necessary improvement to control, policies and procedures.

The UK GDPR includes an accountability principle which requires a controller to demonstrate compliance with the data protection principles of the UK GDPR. An audit is one of the ways in which a controller can demonstrate accountability. Although the UK GDPR does not directly apply to processors, both controllers and processors have compliance obligations and an audit is one of the ways which can demonstrate compliance.

This depends on the size and complexity of the organisation. At minimum, a data protection audit should be performed once each year. If there are several areas that need to be improved, you should consider working on those areas more regularly until the organisation is confident that it is compliant with the data protection regulation.

In summary, the data protection audit is likely to cover governance and accountability; security measures in place; whether data is transferred outside the UK and arrangements for such transfers; and whether there are procedures for data subjects’ rights, amongst other areas. The nature of the audit will depend on the specific organisation and method of audit.

If the organisation has a data protection officer (DPO), they will likely oversee the audit. If the organisation has no DPO or Compliance Manager, then the business must select an auditor. The auditor will then decide whether to use a customised questionnaire audit or conduct a personal interview or a blend of both methods.

Key contacts

Read, listen and watch our latest insights

art
  • 04 December 2023
  • Privacy and Data Protection

The UK-US data bridge for transfers of personal data – Melanie Pimenta writes for Business Voice magazine

In Business Voice magazine, Melanie Pimenta, Senior Solicitor at Clarkslegal writes that transferring data can be a tricky business and the risks of getting it wrong can be costly both reputationally and financially.

Pub
  • 21 November 2023
  • Privacy and Data Protection

Privacy matters: How the 8 data subject rights protect personal data

In this guide we explore the 8 data subject rights under the UK GDPR and discover how they play a vital role in preserving your organisation’s privacy standards in an increasingly interconnected world.

Pub
  • 21 November 2023
  • Privacy and Data Protection

Overview of Data Subject Access Requests

In recent months, we have witnessed a series of high-profile data breaches that have brought data protection issues to the forefront of the public’s mind and with this comes an increase in Data Subject Access Requests (DSARs).

art
  • 17 November 2023
  • Corporate and M&A

Should AI delete humans out of the legal sphere?

AI could potentially streamline routine legal tasks. However, there are consequences to consider when it comes to AI in the legal sphere.

art
  • 15 November 2023
  • Privacy and Data Protection

Can an employer monitor employees at work?

This brings up the question of whether an employer can lawfully monitor their employee, without their knowledge, if they suspect wrongdoing?

art
  • 30 October 2023
  • Privacy and Data Protection

New UK-US data bridge for transfers of personal data

A new data bridge, which is an extension of the EU-US Data Privacy Framework (“the DPF”), will enable UK businesses to transfer personal data to certified US organisations without the requirement of having the usual safeguards in place or performing a transfer risk assessment.