Free UK GDPR compliance audit quick check 🇬🇧
Average score: 5.7
Get instant feedback on your UK GDPR compliance with our free GDPR audit tool.
The questions focus on some of the most common mistakes we see and on areas that regulators have been targeting recently with enforcement action and updated guidance.
This tool will help you make a basic assessment of your current compliance level. By completing this quick audit you will be able to identify some areas where you may need to change your current policies and procedures. Please be aware that this will only provide a surface level awareness of your current compliance issues. A full audit requires a more thorough assessment. You can contact our team directly to request a full audit.
Section 1 of 5
10 question quick check
Answer the questions below. Choose the best fit answer for your organisation.
Section 2 of 5
Understanding your results
Score 10: Well done. You have a good level of compliance and/or are privacy conscious.
Score 7-9: Good work. But there are probably some areas where more work is required. Make sure you address any issues raised. Read the explanations in Step 3 to help determine what action you need to take.
Score 0-6: Don’t panic. We’ve seen this many times, companies focused on growth can end up forgetting about those pesky data laws. Be aware that right now you are at risk of legal action which may result in an investigation and/or a financial penalty. But this is easily fixed, and you probably won’t need any lawyers unless your data use is complex. Read below to learn more about each issue. You can also join our email list which will keep you up to date when the law changes.
Section 3 of 5
Some points to review
Registration with supervisory authority
Supervisory authorities enforce GDPR and other data privacy laws such as PECR/E-Privacy Regulations. They are present in every EU Member state. The ICO is the UK’s supervisory authority. You can check who your supervisory authority is in your country, using our directory.
In the UK every organisation or sole trader must register with the ICO if they process personal data.
There are few exemptions that cover:
- Some charities and pension schemes.
- Some public bodies and members of parliament.
- Some organisations who limit their processing of personal data to a limited list of means, including staff administration, advertising, marketing & PR and account/record keeping.
This may apply to you so we advise you to check with the ICO’s eligibility checking tool which features the full list of exemptions.
If you do not register when required to, you may be subject to:
- A financial penalty.
- A less lenient approach from the regulators if you receive a complaint from a member of the public or suffer from a data protection breach.
Data attribution – Legal basis for processing
Customers have the right to request details from you about how and why you process their data under the right to be informed (GDPR). This may include the legal basis for processing. You must be able to evidence the legal basis for processing on request to a data subject (customer, prospect, employee) or to a supervisory authority. If you hold inaccurate or poorly maintained data you may be unable to fully answer such a request. You therefore could be subject to a formal complaint, an investigation and/or a fine. You must keep accurate, detailed records, especially when you are relying on consent to process customer’s data. Otherwise, you need to say goodbye to that data. It’s not worth the risk.
DPIA
DPIA’s should be completed when adding new processes or tools which pose a risk to the privacy of your data subjects. In some cases DPIAs are legally required under GDPR. If you have chosen not to perform a DPIA you should also document this decision.
International transfers
You must have a legal mechanism in place to send personal data outside of the UK. For the EU and some other countries, adequacy decisions exist which make this process straightforward. However many other countries are not covered by this mechanism, such as the United States.
Many online services store data on US based servers. This data transfer must be protected and risk assessed by you if it involves the transfer of personal data.
You will also need to complete documentation to record your transfers and set appropriate review periods in order to fulfil your accountability requirements under GDPR.
Privacy policy updates
Privacy policies require regular maintenance. Every time you add a new tool or channel to your marketing stack you should review if any changes to your privacy policy are required. Additionally, any time your reasons for processing data or the types of data you process change you should update your privacy policy. This applies even if you are relying on a legal basis other than consent, for example legitimate interests. Your data subjects have a legal right to access information about how, when and why you process their data under the right to be informed.
Training
While the legal text of UK GDPR has only changed slightly since it came into force, when the UK GDPR was updated to reflect Brexit. The way it’s applied has changed many times. New guidance from the courts and regulators can quickly change how GDPR and other data laws are applied. For example, the recent EU-Schrems II case made data transfers between the UK/EU and US invalid overnight. Because things change so often training should be completed frequently. This will help you keep up minimise your risks of non compliance by human error and help you meet your requirements under the accountability principle of UK GDPR.
Section 4 of 5
The problem with poor compliance
Fines
Non-compliance with data privacy laws like GDPR can be costly. Under Art. 83(5) of GDPR, a fine can be issued of up to 20 million euros or up to 4% of total global turnover whichever is higher.
Investigations
There’s no greater buzzkill than a regulatory authority like the ICO turning up to your door to audit your processes, or in response to complaints.
Ethical challenges
Respecting the right of your customers and employees to privacy is the right thing to do. We can learn how to use data responsibly whilst still getting results.
Criminal liability
It’s not just the company as a legal entity that can get into trouble. Individuals within the company can find themselves personally liable to be prosecuted for negligence under the Data Protection Act whether they committed the offence themselves, or they were negligent in a supervisory role.
Reputation damage
It’s hard for customers and prospective employees to trust your brand when the first thing they find about you in Google is news about your latest data breach. And if you end up moving on to a new role, you’ll need to be prepared for some awkward interview questions.
Losing out on investment
Investors can include data privacy law compliance as part of their due-dil, or as a bargaining chip. After all, how much is your business really worth if the customers on your database aren’t even legally contactable?
Failing supplier due-dil
Established brands include data privacy law compliance as part of their procurement due-dil. If you can’t complete the paperwork, they can’t be your customer.
Data deletion orders
If you are caught for non-compliance you may be ordered to delete data which was not properly acquired or processed. Similarly, applying data protection law retrospectively may oblige you to delete valuable data such as customer databases.
Section 5 of 5
Fixing your compliance issues
DIY
Take control of your own data privacy programme by training your team online. Implement what you learn straight away and use our templates to help keep you on the right track.
Outsource
Keep the focus on your growth, we’ll sort the data compliance. Work directly with our data privacy experts. Get proactive support and expert guidance at a considerable discount to hiring in-house talent or lawyers by the hour.
Get email updates from us about data privacy law
We’ll keep you up-to-date with some of the things you need to know to stay on the right side of the law. You’ll also get invites to contribute to our campaigns and events.
