Frustrated man

Responding to an audit

Top 3 data protection program issues and how to start resolving them: #23

Our last post was about preparing for an audit.

You'll receive a report once you finish the audit or inspection.

If the report is positive, you’ll have little to do - apart from reflecting on your good work and the investment your company makes in data protection.

A damning report can hit you like a ton of bricks, confirming your worst fears about not being in control.

Your response to a critical report is crucial - here are 3 common issues.

#1 Taking it personally

You may be responsible for data protection in your company, but you depend on the actions of others.

You need to identify the colleagues you need to assemble and delegate responsibility.

This includes reviewing the findings, categorising them, root cause analysis, prioritisation, and planning.

If you’re sitting with the report alone, or just within your team and taking things personally, you are already beating yourself up unnecessarily.

Data protection is a team sport, and you need to assemble the team in a structured, facilitated workshop.

#2 Hap hazard approach

The approach you use to respond to an audit will reflect upon how you demonstrate Accountability.

You need to use a structured approach to review the findings, sort them, categorise them, identify root causes, identify actions, prioritisation, as well as estimation and planning.

All this work will generate evidence - a key element of Accountability.

I wrote an article outlining a structured approach I’ve used for years here.

I recommend you read it if you have an audit report sitting in front of you.

#3 Empty words

Often you’ll find actions defined and written as responses to the audit, but never executed.

Defining actions required planning, estimating, seeking funding and finally getting budget approval.

There are no blank cheques, and nobody is sitting around waiting for you to give them work.

You may need to tap into operational mechanisms, such as a business case process or portfolio management.

Once underway, you’ll need to closely monitor that all actions are carried out, especially where you rely on others across your organisation.

The auditors will eventually do this so it pays to be ahead of them and ensure there are no awkward questions later on about broken promises.

Purpose and Means help Data Protection Leaders refresh their work focusing on business alignment and orchestration.

We’re based in Denmark, but operate globally.

If this issue resonates, book a call to discuss your requirements!

Petruta Pirvan
Tim Clements
March 30, 2023


Other posts

June 2, 2023
Disseminating policies
Tim Clements
May 27, 2023
Ineffective controls
Tim Clements
May 26, 2023
DPIA on a page
Tim Clements
May 25, 2023
GDPR on a page
Tim Clements
May 22, 2023
GDPR 5 years old - is it really?
Tim Clements
May 9, 2023
Employee engagement
Tim Clements
May 2, 2023
Managing risk
Tim Clements
April 13, 2023
Copy/paste consultancies
Tim Clements
April 6, 2023
Controller/Processor life-cycle
Tim Clements
March 30, 2023
Responding to an audit
Tim Clements
March 23, 2023
Data protection templates
Tim Clements
March 11, 2023
Data protection program control
Tim Clements
March 6, 2023
Reporting data protection status
Tim Clements
March 2, 2023
The lone data protection army
Tim Clements