GDPR Audits for SMEs Are All About the Language

GDPR Audits for SMEs Are All About the Language
Author: Steven Connors, CISM, FIPA, FFA, MBA, Director HW Controls & Assurance
Date Published: 11 March 2019

It is often said that a good auditor is a good communicator, and this is particularly true when dealing with smaller organizations.

Small and medium-sized enterprises (SMEs) tend not to have the capacity to employ specialists in every role, instead relying upon generalists who fulfil many roles in the organization.

Unless the SME’s business is data processing or falls into one of the other categories that require a data protection officer (DPO), then the chances are that as auditors we will be speaking to the finance head or IT manager or HR manager about data protection.

ISACA’s new GDPR Audit Program for Small and Medium Enterprises is written not with the professional IT auditor in mind, but the auditee. Consequently, its language is simplified from that of the enterprise version.

One of the biggest issues I have found when dealing with SMEs is ensuring my conversations and questions are designed to fit the audience and are jargon-free. Only by adjusting the narrative to fit the audience can we hope to deliver an audit product that adds value. This is particularly important with GDPR in the SME space. Indeed, many SMEs still have not fully embraced the central theme of the GDPR – it’s all about the data subject, not the organization.

When auditing SMEs, it’s as much about education as compliance. GDPR is about how following some basic rules about good data governance, such as ensuring data quality, can add value, not just cost, to an SME. As auditors, we can help owners and managers to embrace this concept that we are adding value above and beyond what is derived from a compliance report.

It is also important to be aware that many SMEs will not have received the best advice leading up to GDPR. Many will have scoured the internet, talked with fellow business owners or at best attended a seminar or two – or, worse, been drawn into spending money on software solutions that are generic and not a good fit for their businesses.

In the hands of an experienced auditor, the audit program should be used as much to help devise a remediation plan as to arrive at an audit opinion. After all, the audit is designed to validate controls implemented to manage risk and to agree to a risk treatment plan.

A survey by Q2Q in November 2018 found that 41 percent of SMEs are still unsure about the rules and regulations surrounding GDPR. This, combined with 22 percent saying that emerging online risks are their biggest headache, present an opportunity for the auditor to use the program to offer genuine guidance to their SME clients.

One of the major issues that organizations and their auditors had with the previous Data Protection Act was that it was primarily viewed as an IT problem to be solved with technology. Complying with GDPR is about managing information risk and needs to consider a trio of risks: people, processes and technology. These risks must be considered across all facets of an organization.