INTRODUCTION
Our client is a global educational charity providing individuals around the world with the tools to attend prestigious higher educational institutions. For over 100 years, our client has developed a reputation as one of the best educational charities. In the last few years, our client has partnered with other international organisations to create more opportunities for individuals from different demographics.
DPAS were asked to help our client understand how they can improve their compliance with the relevant data protection legislation. The goal of the project was to analyse the current compliance position, and provide recommendations as to how to improve their compliance across the partnerships. DPAS conducted a thorough audit assessment, providing a high-level overview, alongside detailed supporting reports, to provide the client with a full evaluation of the existing compliance, current risks, remedial work required and areas for improvement.
BACKGROUND
It is a requirement for organisations to be compliant with the General Data Protection Regulation (GDPR), the Privacy and Electronic Communications Regulations (PECR), the Data Protection Act 2018 (DPA 2018) and other relevant laws. The scope of our client’s global operations, which include many international transfers, presented a challenge to achieving data protection compliance. The complex partnerships with external organisations further added to this challenge. As such, our client required our assistance to examine their organisational compliance in respect of their independent processing activities, as well as the joint processing activities with partner organisations.
Our client demonstrated a notable appetite to improve compliance and is actively improving their processes, so this audit was useful to understand what is necessary to further improve compliance within their data protection and information security practices. In addition, our client wanted to understand how they can equip their employees with the required resources and knowledge to embed and support their compliance journey, and to ensure consistency in dealing with data protection issues across the organisation.
ANALYSIS
Together with the client, DPAS identified that the scale of the project would require five separate compliance audits to provide a complete picture of the organisation’s data protection compliance. The legislation requires organisations to demonstrate compliance, and audits help to display that data protection is a priority. DPAS conducted an audit to determine if our client’s current arrangements meet the requirements of the law.
The scope of the audit was structured into various sections. These are:
- Governance and Accountability
- Training and Awareness
- Records Management
- Security of Personal Data
- Subject Access Requests and Individuals’ Rights
- Data Sharing
- Information Risk Assessment (DPIA) and Management
- Direct Marketing
Due to the geographical reach of the client’s organisation, we conducted an offsite audit to minimise disruption. Initially, DPAS conducted a fact-finding survey via a short online pre-audit questionnaire to help identify the appropriate stakeholders and to identify any significant compliance gaps early in the project.
In addition to the survey, DPAS completed a high-level review of our client’s accountability documentation including their current procedures and policies and a list of systems in place. This high-level review allowed DPAS to identify any initial risks and discuss any documentation in further detail during the online interviews.
Once the correct stakeholders were identified, DPAS conducted online interviews via video meetings with each stakeholder to answer questions relating to each section identified above. The information gathered from the online interviews, together with the high-level review of existing documentation, informed the completion of DPAS’s Audit Compliance Tracker to determine our client’s current level of compliance.
After the information-gathering stages of the audit, DPAS produced in-depth audit reports which detail the current processes, and how well they meet the standards dictated by law. Within the reports, DPAS highlighted high-risk areas, and offered remedial advice to lower the risk scores. Additionally, DPAS provided a high-level summary, to be provided to the Board, that included an action plan.
The audit was led by DPAS’s in-house experts, which gave the client complete confidence in the delivery of a large-scale project and took pressure off an organisation with limited internal resources and expertise. This allowed for tailored advice from industry experts, covering recommendations on best practice, risk management and further remedial work that can be incorporated into the organisation’s strategic planning.
RESULTS
Working with independent experts, our client was able to assess their compliance with the legislation beyond what was previously understood. As an independent auditor, DPAS was able to deliver an impartial assessment of the client’s compliance gaps and offer impartial advice on how to resolve them. Since the audit was completed entirely offsite, DPAS minimised disruption to the client’s organisation and its partnerships.
The audit helped raise awareness of data protection and the importance of compliance among all the key stakeholders. Our client was also able to use the detailed reports that DPAS developed within board meetings to demonstrate their organisation’s commitment to data protection, and to build a business case for improved and compliant collaboration with their partner organisations.
“We were looking for an independent review and audit of our data processing activities and policies across the organisation and our partner programmes. When we went to the market, DPAS impressed us with the breadth and depth of the services they offered. We are a relatively complex organisation, and the DPAS team quickly understood how our work fits together, and throughout the audit process I’ve appreciated the expertise of each member of the team that we’ve worked with. Their advice throughout has been reassuringly thorough, pragmatic and tailored to our needs.”
CONCLUSION
Through the successful delivery of this project, we improved our client’s understanding of their current compliance score and how they can improve their compliance, with bespoke detailed reports for each partnership and business area. Our client was also provided with the tools and a tailored road map to support their ongoing compliance journey.
After the successful completion of the audit, our client retained our services to help them with the remedial actions identified through the audit, creating a strong foundation for ongoing compliance.
For further information on how we can help improve data security and compliance with our audit services within your organisation, get in touch with the DPAS team today on 0203 301 3384 or info@dataprivacyadvisory.com