Discussing what businesses can do to ensure they’re GDPR compliant, this week, we look at the importance of an audit trail.
To recap, in our previous GDPR doctors feature, Neil Larkins, COO of Egress Software Technologies explained whether GDPR is down to people or technology and prior to that, he broke down the basics of the new legislation and what it means.
Leading to the discussion of the audit trail, we received the question below, which Larkins has gone on to answer:
We have about 50 employees and most of them handle customer data as part of their role. I understand that, if there is any kind of incident, we’ll need to be able to quickly tell what happened. What kind of information are we expected to keep track off? Is there any advice on the best way to do that without it requiring entirely new processes that everyone will need to learn?
The answer to this question is relatively straightforward – you will want to keep a forensic copy of all communications in and out of your organisation. How you do this, is slightly more complicated, but not something to panic about.
First and foremost, there are several reasons that having a comprehensive audit trail is important. Within the GDPR it states that data controllers will need to “be able to demonstrate…compliance with the [principles relating to processing of personal data]”.
Clearly, without having a record of how the data has been handled, it will be almost impossible to demonstrate compliance. In addition, the new regulations stipulate that, if there is a data breach, it must be disclosed to the relevant authorities within 72 hours.
Without having a complete and up-to-date recorded audit trail of who has accessed what information, when it was accessed, how it was handled and so on, there is a risk of missing that deadline.
Outside of specific regulatory changes there is also the perpetual “people problem” that needs to be considered. We recently conducted some research which revealed that one in ten UK workers had accidentally sent sensitive attachments – such as bank details or customer information – to the wrong person.
Worse still it found that half of employees had or would delete emails from their sent folder if they had sent information somewhere they shouldn’t. This is precisely the sort of scenario that makes keeping track of all information in and out of the business is crucial.
One of the first rules to GDPR compliance is don’t assume. Don’t assume that you have a copy of everything, review your current procedures and how data is handled – for example, do you keep forensic copies of emails sent and received?
Do you have records of who has accessed system folders? Can you easily recall the time, location and device files have been accessed from?
These are the kinds of things you will want to make sure you have a record of in an audit trail – and if you have one covered already, don’t assume they all are.
It’s likely that you are going to need to implement new technology and processes to ensure an audit trail is robust. Not only will this provide good evidence of your attempt to comply, but will also automate the process and negate the age-old human error issue.
The more transparent you are when dealing with regulatory authorities, the more favourably they will look upon you. The kind of technology you need to implement will depend on your business and your current situation but, at a minimum, you will need to keep track of all emails and access logs for the documents within your systems for the audit trail.
This doesn’t have to be an onerous task. There are a huge number of options available and you may well find that your existing technology providers can help.
You may also find that there are further benefits of implementing new technology – for example, by implementing a solution to keep a log of all emails sent, you may find you’re also provided with a solution that works to prevent employees from sending the wrong emails in the first place.
And, as you’ll hear me say time and time again, the more employees are adequately trained in handling data securely, the less risk there is to your organisation.
Create new training programmes and policies, effectively outlining the best practices for avoiding mistakes and ensure that all new employees are given the same training at induction.
Accidents may still happen, but taking steps to minimise the risk and keep track of what data goes where could make all the difference should your GDPR compliance comes under scrutiny.
If you have burning GDPR questions that you’d like answered, please send them to Zen.Terrelonge@realbusiness.co.uk and we’ll get these answered for you.
GDPR doctor Neil Larkins co-founded Egress Software Technologies in 2007 and currently serves as chief operations officer, playing an instrumental role in shaping the strategic direction of the business, with particular emphasis on product and service development.