What is a privacy compliance audit?
In essence, a data privacy compliance audit is a way to assess your business’s current risk of noncompliance.
A privacy audit:
- Assesses a business’s privacy protection policies and procedures
- Checks for the use of first-party and third-party cookies
- Investigates third-party requests to collect and share data
How to conduct an internal compliance audit
Getting started with your own privacy compliance audit can feel overwhelming. With this audit checklist, you can discover areas for improvement, minimize liability in case of a breach, and gain user trust by protecting their personal information.
1. Establish context
Before beginning a compliance audit, it is essential to establish context by determining which laws apply to you. Data privacy laws vary on a state-to-state basis — and each of those laws has its own criteria for which businesses it applies to. For example, even if you run a Utah-based organization, there’s a chance you still have to comply with California’s CCPA/CPRA. If you run a California-based organization, for that matter, you may have to comply with Utah’s UCPA.
Finding out which regulations apply to your business is an important first step. And even if you aren’t subject to a given data privacy law, you might still want to implement its requirements. Doing so will ensure you’re respecting your customers’ data rights and sets you up to gain customers in that jurisdiction in the future.
For example, before a business collects any personal information, the CCPA/CPRA requires them to:
- Share the categories of personal information collected about consumers
- Explain why they use the categories of information
- Explain why your organization processes personal data, including the legal basis
- Identify the third-party recipients, or categories of recipients, who will receive personal data
- State whether you transfer data to a different country and, if so, how it’s protected
- State the amount of time data is stored or the criteria used to determine when to delete data
- Describe data subject rights, including the right to withdraw consent and lodge a complaint with a supervisory authority
- Disclose whether you use an automated decision-making system, why it’s used, and the consequences of its use
- Provide the identity and contact information for the organization, its representative, and the data protection officer
- State whether sharing personal data is required and the consequences of failing to provide it
3. Take an inventory
Before you change anything, take stock of your current data practices. Answer the following questions:
- What are your current data management practices and policies?
- How is information created or received, distributed, used, and maintained? Do you sell it or use it for targeted advertising?
- When is data deleted?
- What current records does your organization hold?
- What information is personally identifiable vs. non-personally identifiable?
- What is your opt-in policy?
- Are you aware of all first- and third-party cookies?
- Do you receive unambiguous consent from consumers for the use of these cookies?
As you evaluate your organization’s data privacy practices, pay special attention to the following risk areas:
- Operating model: How is data protected as it’s processed and stored? Are you using appropriate security measures for hosted or in-house data storage?
- Social media: What policies are in place to prevent the disclosure of sensitive data on social networks?
- Technology: Is there a policy that requires employees to use only business devices on secure networks? How are location data and hardware identifiers handled?
- Workflow: How does information flow in and out of the organization? Does everyone have access to everything, or is access to sensitive, personally identifiable information restricted?
4. Implement the right contracts
Make sure you have the proper contracts in place. For example, if you’re transferring data from the EU to the US, you’ll need to have standard contractual clauses according to the GDPR. In 2021, the European Commission issued and pre-approved 3 sets of standard contractual clauses to ensure appropriate data protection safeguards.
Under California law, you’ll need agreements in place with service providers and other third parties to ensure they’re appropriately handling the data you’re sharing with them. When the CPRA goes into effect in 2023, businesses, third parties, service providers, and contractors will be subject to new contractual requirements. The company should have a contract with third parties, service providers, and contractors that:
- Specifies that personal data is shared or sold for limited and specific purposes
- Requires the third party, service provider, or contractor to comply with CPRA regulations
- Gives the business permission to take steps to ensure the transfer of personal information is done according to CPRA requirements
- Requires the third party, service provider, or contractor to notify the business if they are unable to meet CPRA obligations
- Authorizes the business to take action to stop and rectify any unauthorized use of personal data
- Prohibits the third party, service provider, or contractor from selling or sharing personal data
- Prohibits retaining, using, or disclosing personal information for non-business purposes
- Prohibits retaining, using, or disclosing personal information outside the scope of the business relationship between the business and the service provider or contractor
5. Establish how you’re handling incoming DSARs
Almost all of the major privacy laws, including all of the state laws implemented in the last few years, contain requirements for handling data subject access requests (DSARs). Is your business prepared to handle them?
When a person (or “data subject”) submits a DSAR — for any reason or no reason at all — your organization is required to respond with a copy of any information you have on the subject. Subjects can request the following:
- Confirmation that you process their personal information
- Access to the personal data you have about them
- Your legal basis for processing their data
- The amount of time you will store their data (or the criteria you’ll use to determine that period — i.e., “as long as you’re a customer”)
- Any relevant information about automated decision-making and profiling
- Any relevant information about how your organization obtained the data
- The names of any third parties who will receive a copy of their personal information
There is no “right” way to respond to a DSAR, but your company should have a plan to handle them when you receive one. The best way to prepare for a DSAR is by knowing what data you collect, where it’s stored, and why you have it.
6. Ensure engineering is following privacy by design
While a data protection officer may be the ringleader of your privacy protocols, every department should do its part to adhere to data privacy regulations. Privacy by design is an engineering principle that emphasizes implementing privacy into your products from the beginning.
It’s more than just a good idea. Article 25 of the GDPR speaks specifically to data protection by design, saying that “the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures.” According to the seven foundational principles of privacy by design, businesses should create a system that is:
- Proactive, not reactive
- Designed with privacy as the default setting
- Developed with embedded privacy features
- A win-win approach with no unnecessary tradeoffs for full functionality
- Protective of the full lifecycle of data with end-to-end encryption
- Marked by visibility and transparency
7. Perform due diligence and ongoing vendor monitoring
You may run the most compliant business in the world, but a non-compliant vendor could ruin your credibility. That’s why vendor risk monitoring is so important.
Checking your vendors’ privacy practices when you hire them isn’t enough. Continual monitoring is essential. Doing this yourself is challenging and time-consuming, but fortunately, third-party vendor monitoring solutions exist. For example, you can use Osano’s Vendor Risk Monitoring solution to:
- Assign a privacy rating to vendors according to their privacy practices
- Notify you of changes in privacy ratings
- Track data flows to fourth and fifth parties
- Alert you to vendor lawsuits that could put the vendor out of business or create a risk for your company
8. Incorporate feedback
A feedback loop will help your organization continuously improve its privacy program. If you or other team members discover risks — and it’s normal to find a few — don’t keep that information to yourself. Communicate your results immediately so you can make updates as soon as possible.
Use Data Discovery to audit your compliance efforts
Conducting a privacy compliance audit can feel like a monumental task. For a business operating during the privacy revolution, though, it’s key to earning customer trust and avoiding penalties. Conducting a privacy compliance audit now can save hundreds of hours and millions of dollars in the long run.
If you’re unsure where to start, Osano’s Data Discovery is an ideal first step. It’s impossible to stay compliant if you don’t have a handle on the type of data you collect, where it resides, and how your organization uses it. Data Discovery automatically finds, classifies, and evaluates the data across your systems — in less than an hour. Osano makes it easy to search your data, so you can respond to DSARs and comply with data privacy regulations.
With fewer manual steps and faster time-to-results, you’ll be better able to regularly conduct a privacy compliance audit. And just as is the case with regular dentist appointments and oil changes, you’ll be setting yourself up for success in the long run.