GDPR and audit – how are you managing the risk?
26th January 2018
As the deadline for GDPR implementation, 25 May 2018, gets nearer, it is becoming more important for businesses to home in on their responsibilities. The penalties for getting it wrong could be costly, with the maximum fine increasing from £500,000 under current legislation to the higher of €20,000,000 or 4% of turnover, not to mention the potential knock-on impact on reputation and business.
According to a recent survey of 200 businesses, just 6% said they were ready for GDPR, whilst almost 50% said they knew what it was but hadn’t started preparations. Statutory financial statement audits are all about risk, and a key part of the audit process is not the risks themselves, but how management acts to mitigate those risks. As with any change in laws and regulations, the introduction of GDPR brings with it a greater risk of non-compliance than would have been expected under the previous, familiar data protection legislation.
The important thing to remember is that there is no “one-size-fits-all” solution. Data controllers (the entities that determine the purposes, conditions and means of the processing of personal data) perform all sorts of tasks, and data is used for different purposes within different organisations. Each business’ responsibility is different, and, whatever the size of the business, there will need to be appropriate measures in place to show compliance.
Enquiries into compliance with laws and regulations have long been a part of conducting an audit, and going forward, GDPR will be on the list for every business. In the event of external scrutiny, every business will need to be able to demonstrate that it has taken appropriate steps to comply with the new law, but audited businesses will also need to demonstrate that to their auditor.
If your business undergoes a regular statutory audit, then some of the things you might be asked to demonstrate are:
• Employment contract clauses – there will need to be a section on data protection.
• International business cases – if you’re based outside of the EU, but trade into an EU country, then you must also be GDPR compliant, even if that trade is free of charge.
• Data processors – if you outsource parts of your business to a third party, perhaps payroll, the responsibility is on you to check that the third party has an appropriate data protection policy.
• IT systems and websites – GDPR requires regular penetration testing to be carried out to assess how well your systems can stand up to malicious hacking.
The Information Commissioner’s Office (ICO) predicts that after GDPR comes into force, there will be hundreds of thousands of data breach cases reported to the ICO each year – at the moment this is around 2,500.
Honda, Flybe and Morrisons are a few well-known examples of organisations that have been fined for breaking the rules, but they were caught out somewhat unwittingly. In preparation for GDPR, they contacted customers to ask whether they could keep their records and continue contacting them once GDPR was in force.
It may seem like a side-line issue for an audit, but every part of the business’ activities helps to form an audit’s overall risk assessment, so it’s vital that management gives every part of the business due care and attention.
If you would like more information, contact the audit team at Wilkins Kennedy to see how we can help.
By Jon Brand, Wilkins Kennedy