Home > News and Insights > GDPR: why audits aren’t enough

GDPR: why audits aren’t enough

Back to all
GDPR: why audits aren’t enough

In the lead up to the 25th May 2018, businesses of various sizes were faced with the immense challenge of ensuring that they would reach compliance with the GDPR.

And therein lies our first question…

What does GDPR compliance look like?


The first thing we should establish is that whilst GDPR introduced some new elements to the Data Protection Act, it was nothing organisations hadn’t already been charged with putting in place, before. During my conversations with members of the FE sector, I saw a commonality with other sectors – people were not even doing the basics.

In my opinion, we should not burden ourselves in trying to make sense of the GDPR minefield before we have even identified and remediated some of the bad (and risky) data practices that is evident across all sectors.

Which brings us neatly along to the following two questions…

How do we identify bad (and risky) practices and why aren’t traditional audits enough?


Many sectors rely on the assistance and support of external auditors, ensuring compliance with a variety of regulations and legislation. The FE sector is no different.

I’ve come across several proposed “GDPR” audits that governors had instructed generalist auditing companies to perform. On closer inspection of the audit criteria, I was not surprised to see a very general and vague approach to GDPR compliance, with little to no mention of the cyber risks that are now inherent in all organisations processing personal data. In one college, the recently appointed Data Protection Officer was not even on the auditing committee.

Data and cyber practices observed within the sector, so far, reveal an urgent need for colleges to begin investing in GDPR compliance and cyber security. Audits by generalist companies will not furnish colleges with the information, action points and long-term guidance and support that is needed. If GDPR is the minefield, then the cyber threat landscape is a perpetually evolving battlefield that will continue to be a cause of great concern for all organisations, particularly within the FE sector.

Ladies and gentlemen of FE, I don’t need to tell you how the FE has and continues to suffer with area reviews, restructuring, forced mergers and the cuts in the budget. The GDPR and cyber threat landscape is the next challenge.

And now for the good news.

Both myself and other specialists, within the data protection and cyber security fields, have been working tirelessly, alongside the AoC, in helping colleges identify data protection non-compliance & cyber risks, with the list of provisions continuing to grow. I strongly urge all colleges to adopt a strong and robust GDPR and cyber security posture, as early as possible or get in touch with our training team to discuss any upcoming workshops that can support you.

Share this page