GDPR Processing Audit and Records

A data processing audit is a in-depth assessment were our certified data protection experts inspect every data processing activity that your organisation undertakes. Once a data processing audit is completed, Symmetry provide a comprehensive report (Records of Processing Activities) on each data processing activity including but not limited to: analysis of data and data subject types, purposes and legal basis for processing, third party relationships and technical and organisational measures. The Records of Processing Activities report which includes risk analysis and DPIA screening is a live document and can be modified and maintained by the appointed Data Protection Officer going forward.

The data processing audit will be specifically tailored to your organisation’s particular requirements, but will usually involve reviewing:

• Whether there are relevant and appropriate data protection policies and procedures in place and what changes will be required;
• What categories of data are processed by the organisation and the legal basis for processing;
• Whether privacy impact assessments will be needed for specific ‘high risk’ areas;
• What Privacy Notices are in place and what amendments will be necessary in order to comply with the new information requirements; Comprehension of data protection responsibility, knowledge and training;
• How the organisation would deal with data subjects’ rights in relation to access, rectification and erasure;
• Practices surrounding data accuracy and retention;
• Security of personal data – assessing whether the organisation has appropriate technical and organisational measures in place to ensure adequate security;
• The legal basis for cross border data transfers, if applicable;
• Data sharing with third parties.

The data processing audit will be specifically tailored to your organisation’s particular requirements, but will usually involve reviewing:

• Whether there are relevant and appropriate data protection policies and procedures in place and what changes will be required;
• What categories of data are processed by the organisation and the legal basis for processing;
• Whether privacy impact assessments will be needed for specific ‘high risk’ areas;
• What Privacy Notices are in place and what amendments will be necessary in order to comply with the new information requirements; Comprehension of data protection responsibility, knowledge and training;
• How the organisation would deal with data subjects’ rights in relation to access, rectification and erasure;
• Practices surrounding data accuracy and retention;
• Security of personal data – assessing whether the organisation has appropriate technical and organisational measures in place to ensure adequate security;
• The legal basis for cross border data transfers, if applicable;
• Data sharing with third parties.