Has anyone had the misfortune of cracking a joke with the examiner during your driving test? I did, many moons ago, when I had to negotiate some serious roadworks on my test route. The reaction was less than encouraging. In fact, I thought I had failed there and then for breaking the “driving is a serious business” rule of the road.
When I think of traditional data protection audits, I get driving test flashbacks. Its serious business.
Just the word audit strikes fear into the heart of most of us. My image of auditors* is of serious, grey-suited people who seem to have no sense of humour – or if they have its been well trained out of them. Cracking a joke with them gets the same kind of response you get from US Immigration control officials when you tell them they will have to sign an NDA for you to tell them the reason for your business trip. (Yes, I did that once and only once!). Audits are great at pointing out flaws but offer no constructive advice to the organisation to address those flaws. Nor do they clearly identify the outcome for the organisation of addressing the audit findings – other than the ability to pass the next audit.
But audits don’t have to be all pain and no fun. Enter a different type of audit – a Maturity Model Audit. This is an audit that is designed to be non-judgemental and to be helpful at the same time.
The approach is to take 10 areas of data protection compliance activity and decide what are the key areas that your business needs to get right. Then we objectively measure how well your business is currently performing in these key areas against 5 levels of maturity. We have a discussion about your desired maturity level which can be different depending on the type of processing carried out and the risk profile of the organisation. The auditor can then identify the gaps between where you are today(objectively measured) and where you desire to be.
The outcome for you? You get an objective measure of where you are, you get to set realistic organisational goals and you get the steps you need to take to get you from where you are to where you want to be.
There are unexpected benefits also to this Maturity Model approach to data protection audits:
- Control. The organisation is in the driving seat – making the key decisions about the areas of activity that are important to you based on your knowledge of your business.
- Clarity. You know exactly where you are weak and strong and you understand what you need to do to get you to where you want to be.
- Tailored. There is no one size fits all when it comes to data protection compliance. So a one size fits all approach to auditing compliance cannot be optimised to suit every organisation and every situation. The ability to tailor an audit to each organisation delivers focus and relevance.
- Support. Many DPOs struggle to gain support in their organisations especially when difficult choices are on the table. The clarity delivered by a maturity model audit makes it easier to prioritise and communicate what’s really vital for the organisation helping the DPO gain the trust and support needed to get the job done.
- Structure. Just as the GDPR is a legislative framework for data protection compliance, maturity model audits are based on a framework for data protection operational practice – aligned of course to the GDPR. A framework delivers structure, shape, order, a system. Auditing a legislative framework using a practical implementation framework just makes sense.
Fort Privacy offers Maturity Model Audits based on the Fort Privacy Maturity Model Framework. Our audit approach is unique in data protection practice delivering comfort and reassurance to the organisation by helping them set and achieve realistic goals for their compliance programs.
End note *Apologies to auditors everywhere for the bleak picture I paint, exaggerated somewhat to illustrate my point!