Before examining the details of the privacy audit methodology, consider the reasons for conducting a privacy audit and the difference between confidentiality and privacy. Here is how to conduct a privacy audit.
Information You Collect
The first step in determining the scope of a privacy audit is to identify what personal information you collect and from whom. Personal data may be collected from:
- employees;
- clients and customers;
- the general public; or
- business partners.
Is your business collecting personal information only in person, or online as well? Personal data may be collected through:
- email;
- cookies on a website;
- communication;
- social media; and
- document printing.
It can take a while to process a large amount of personal data. Having a clear understanding of what information your business collects, however, allows you to analyze how you handle it.
Examine your collection of personal information
Personal information must be collected in a reasonable and non-intrusive manner. To improve your data collection, you need to analyze the means you are using. Do you collect information:
- with full consent;
- safely;
- only when needed;
- legally; and
- while providing all the information needed?
Identify where you store your personal information
It can be challenging to track personal data that your business collects from different sources. Information may end up stored in multiple places, especially if you operate both online and offline.
After you identify where all the personal data in your business is stored, you need to determine whether it is secure. Security measures should be proportional to the sensitivity of the information, for example, if you store health information or financial details. This is also an appropriate time to get rid of old data that you don’t need anymore.
Determine who you share information with
People must be told both who you are and what you will do with their personal information when you collect it.
- You have access to their data, and
- you provide it to them.
Personal information can only be shared if:
- that is why you collected it;
- the person consented to it;
- it is required by law; or
- the individual is not identifiable.
It is important to review contracts, especially when dealing with overseas parties. Ensure that these contracts contain privacy safeguards.
Review Your Breach Response Plan
A privacy breach can be devastating to your business, especially if you lose critical personal data. Having an efficient plan for handling a privacy breach can lessen its negative impact. Steps in your plan should include:
- containing the breach;
- assessing its potential impact;
- determining its severity;
- identifying what information was compromised; and
- informing the appropriate parties.
Identifying risks for potential breaches should be a part of your privacy audit. Those risks can then be mitigated.
Check the responses to your access requests
You can allow individuals to access and correct the personal information you hold about them. As part of your privacy audit, you should evaluate how you:
- respond to requests for information access;
- assess the need for access; and
- implement corrections if necessary.
It is generally a good idea to comply with such requests.
Verify that your business has completed PIAs
A privacy impact assessment (PIA) is an assessment of the privacy impact of a new project or a change to a system at your company. These assessments are highly recommended whenever you deal with personal data. Any new project should include early identification of privacy impacts as part of the start-up process.
Review training for employees
As part of your privacy audit, you should ensure that your employees know their privacy obligations. The majority of privacy breaches are caused by human error, so make sure they know about:
- keeping their transmissions secure;
- protecting the privacy of your customers; and
- protecting each other’s privacy.
Update training and instruction manuals as necessary.