1. How can a Data Protection Health Check help with UK GDPR compliance?
The Data Protection Health Check will help identify gaps in your current compliance regime and areas of risk with your current use/treatment of data. It will also act as a backstop to show (should you need to) that you have taken data protection compliance seriously and sought professional advice to aid in your efforts to protect personal data and comply with your legal obligations.
2. What does a data protection health check include?
The Data Protection Health Check includes an overview of your regulatory compliance, a high-level data mapping exercise and a report on areas of risk and potential non-compliance, together with a prioritised remediation plan.
3. What is the difference between a GDPR Health Check and a GDPR audit?
The key difference is the scope and depth of the review of what is happening with personal data and what exactly is in place from a compliance standpoint. An audit is a more detailed process which looks to delve into exactly what is happening to all personal data, where it goes, how it is protected and how all of that is documented – which means it is a lot more time consuming and therefore costly. A health check is a higher-level review and does not involve interrogating what happens to all data, but it is aimed at identifying risks and gaps that can then be resolved.
Which is most beneficial depends on what you already have in place and the nature of your business. For example, a business that is not personal data heavy is unlikely to need a full audit to achieve a good level of compliance. Likewise, a business that did have an audit, but quite a few years ago, probably doesn’t need another full audit (unless the business has substantially changed) but could do with a review to identify issues that have crept in since or areas that could be improved upon.
4. How often should we review our data protection compliance?
A good rule of thumb is to undertake an annual review, coupled with processes to deal with any significant changes that may occur in between (such as appointing a new processor or changing the data you typically collect). Of course, this does not need to be a full audit on an annual basis, but it is good practice to diarise a review of what you have in place and whether it needs to be updated. Such reviews are typically easier and shorter the better your starting point was in the first place!
5. Does the Health Check cover PECR and marketing compliance?
PECR is heavily intertwined with GDPR compliance and so it will be given consideration as part of the Health Check. If issues are identified with PECR compliance, the remedial plan might require further advice and/or investigation, or it might be clear on the face of it what needs to happen (for example, whether opt-outs are being included on all direct marketing and whether consents are being properly tracked).