Most companies will have tens or even hundreds of business processes that involve personal data. Whilst all of these processes must comply with the GDPR, some processes carry a higher risk than others. Processes involving large quantities of personal data, financial information, criminal data, or special category data (health information, sexual orientation, ethnicity, etc.) have the potential to cause more harm to both your data subjects and your business.
Because of the sensitive nature of these higher risk processes, a diligent organisation will want reassurance that they are compliant with the GDPR.
Tacita's 'Targeted Process Audit' is designed to give you confidence that your high risk process has been assessed by a GDPR expert and uses industry best practice protections.
Targeted Process Audits are ideal for:
Existing High Risk Processes
Higher risk processes need more scrutiny than standard ones. Having a GDPR expert analyse your process is an effective way to confirm compliance.
Non-standard or Complex GDPR Processes
Some processes involving personal data are complex. You can rely on the experience of Tacita's GDPR compliance experts to answer your difficult queries.
New Projects involving Personal Data
If you are considering starting a new process, Tacita's Targeted Process Audit can help you design it in a GDPR compliant manner.
What are the Benefits of a Targeted Process Audit?
Hiring GDPR experts to assess your high risk processes has several benefits:
- Your assessor will recommend industry best practice data protections.
- You gain reassurance that your high risk activities are compliant with the GDPR.
- In the unfortunate event of a data breach, you may be investigated by a supervisory authority. An external Targeted Process Audit gives you written evidence of the measures you took to protect the personal data in your high risk process.
How Does a Targeted Process Audit Work?
Step 1 - Process Identification
The client reviews its business processes that involve personal data and selects those that it considers key or high risk. A few examples of key/high risk processes:
- A company's core employee processes, such as payroll or contract management.
- Processes involving financial data.
- Processes involving special category data.
- Processes involving large amounts of customer personal data.
- Processes involving automated decision-making or profiling of personal data.
Additional processes that a company may wish to check against best practice:
- Data breach process.
- Subject access request process.
Step 2 - Process Owner Identification
The client identifies a single named owner of that key/high risk process. This person is called a Business Process Owner (BPO). The BPO should be directly involved in the project and have a good understanding of how the process works. The BPO should also have sufficient seniority to make changes to the process.
Step 3 - Detailed Audit of the Key Process
Tacita will then virtually meet with the BPO and take them through a highly detailed audit of their process. The audit will investigate how the client manages and protects the use of personal information within that specific process.
Step 4 - Report
Tacita provides the client with the current status of the key/high risk process and whether it can be considered compliant with the GDPR. If issues or gaps are found, a set of recommended actions is provided.
Step 5 - Implementation of Recommendations (Optional)
Tacita can provide assistance with implementing the recommended measures in your organisation. This can be in the form of training, implementation of key documents, writing tailored procedures and/or policies, etc.