GDPR Audit report for Master International and METIS

Right now, many companies with business in Europe are racing against the clock to prepare for the 25th of May, when the GDPR (EU General Data Protection Regulation) finally comes into effect. Even after that date, many companies will still struggle to live up to their new obligations, including providing proof and certainty for their customers.

Master International and the Metis assessment platform have been audited by Deloitte for exactly the above purpose. Below I share my view of how a report like this fits into the overall GDPR preparation and commitment. The aim is to explain what relevance an audit report has when choosing providers, and perhaps to provide some input if you are a data controller or data processor considering having your own company audited for compliance.

I will look at GDPR commitment as a number of maturity levels. This is not a standard or approved scale of measurement – this is my personal, simplified model:



The very basics of the GDPR are that any company collecting or storing personal data from EU citizens is a Data Controller, legally responsible for what the data is used for and for ensuring that it is not disclosed to anyone else, intentionally or unintentionally. This is by law and cannot be waived or transferred to someone else.
Level 1 is being legally responsible, and it is mandatory for being in business after May 25th.



In effect, a company cannot reliably claim to take on the responsibility of the GDPR unless its efforts and its mitigation of risk can be documented. That means that your internal handling of personal data must be described, documented and verified, and that your employees must be educated in the GDPR and data protection. Thorough process descriptions and security guidelines, followed up by internal audits, are a minimum.
Level 2 is to have documented and verified control of internal processes related to the use and handling of personal data.



Most companies rely partly on third-party systems or services to process or store data. Since the company, as a data controller, still has the full responsibility for the data, it must commit any provider of services and systems to take on this same responsibility on its behalf. The provider becomes a Data Processor, and the legal setup for this is governed by a Data Processor Agreement (DPA). There are strict rules for what a GDPR-compliant DPA must contain. A DPA that is kept very close to the legal requirements in wording and intent is preferred whenever possible, to make it simple to verify and communicate compliance.
Level 3 is for data processors to have standardized, to-the-point DPA contracts readily available, and for data controllers to use only data processors that have them.



Even with the DPA in place, it is still the responsibility of the company to continuously make sure that its providers are living up to the requirements for protecting personal data. How do you check that a provider takes the "necessary technical and organizational measures" to be trusted with the data you are responsible for? This potentially involves lawyers, consultants and regular inspections of physical premises and security documentation.
However it is done, Level 4 is for responsible data controllers to take action to assess the quality and reliability of their data processors.



Companies that are data controllers must prove and document that they comply with the GDPR, and that their system and service providers, as data processors, do the same. External audit authorities are specialists in verifying that processes, systems and control procedures are in place and live up to the given requirements. A successfully completed audit, with an audit report to document the efforts, is the simplest way to prove that you have made sure that your providers are secure and compliant.

Level 5 is for choosing data processors audited by external professionals, and perhaps even taking steps to have your own company audited as well.


What do you gain from an external audit?

Reaching the point where all systems and processes are thoroughly documented and verified, employees are educated in the GDPR, and extensive control procedures are in place for completing an external audit is a huge and very costly job for any organization. For a system provider (a data processor), an external audit report is an excellent way of proving your commitment to the GDPR and of having experts verify that you live up to your obligations. If you provide services or systems, or a full software-as-a-service platform like our Metis platform, getting audited may not be a requirement, but the benefits for your business stretch far beyond showing an audit report to your customers. Even for a streamlined and very security-aware organization like ours, the extensive work and investment in preparing for and going through the external audit has been a great internal benefit in terms of awareness and commitment. We even extended the number of audit controls to include non-mandatory areas, to make sure that, for example, software development and the functionality of our software were also covered. Knowing that we will have to pass the audit annually moving forward keeps employees at all levels aware and committed, so that data protection continues to be at the core of everything we do.



Master International is the company developing and running the Metis digital assessment platform, providing professional HR assessments and tests as software-as-a-service for companies worldwide. We started preparing the organization and our software platform for the GDPR more than one and a half years ago, working with the legal specialists Plesner and the audit professionals Deloitte.

Tags: GDPR

Date: 09.05.2018

Jesper Starch

Content Writer