Auditing & Data Mapping

A data protection audit assesses your organisation's current practices to highlight where any compliance gaps exist, which then allows your organisation to understand what remedial actions need to be implemented to improve compliance.

A data mapping exercise allows your organisation to understand the lifecycle and flow of personal data within it, so that it can complete its record of processing activities and identify where remedial actions need to be implemented.

During a mapping exercise, we look at:

  • What personal data your organisation collects and to whom it relates
  • Why it is collected (and the legal basis applied to the processing purpose)
  • How it is collected
  • How and where it is stored
  • Who it is shared with
  • How it is destroyed (if ever!)

Why do an audit?

There are many reasons for undertaking an audit – you might be preparing your organisation for sale or investment; you may be new to data protection laws and wish to better understand what your organisation needs to do to meet compliance; or you may wish to re-assess or refresh your existing practices.

Auditing methods

While we generally recommend face-to-face audits (with interviews) as the most beneficial approach for clients, we can conduct an audit in whatever way works best for your organisation, such as:

  1. Desktop audit: We perform the audit remotely and (i) prepare and provide a tailored questionnaire for completion by the organisation (with guidance); and (ii) review completed questionnaires, alongside any existing written policies, procedures, privacy notices and contracts.
  2. Interview audit: This involves us interviewing key personnel from the various business functions of your organisation to fully explore the flow of data within the organisation. We also attend your premises to audit the physical security (and test your visitor procedures). As part of this process, we then review the interview responses, physical security findings and all relevant documents.
  3. Tools: If you would prefer to do the audit independently, we can provide you with tailored tools to do this. We will also be on hand to assist with any specific or ad-hoc queries that you may have.

Action report and traffic-light system

Following a desktop or interview audit, we will prepare an audit report with our findings. This report includes an action plan for any remediation recommendations, presented as a colour-coded traffic-light system to help your organisation prioritise its road to compliance.

Remediation recommendations

We can assist in remedying any compliance gaps identified. Please see here for further information on the other services that we can offer.

Our experience

Our Data Protection & Cyber Security lawyers have extensive experience assisting clients of varying sizes and group structures with audits and data mapping exercises.

Our clients operate in varying sectors including, for example, charities and the third sector, logistics, manufacturing, health and life sciences, media and pension schemes.

We have also assisted clients with multi-jurisdictional audits and can act as lead counsel when input is required from local solicitors (for example, to account for the derogations among the EU member states).