Conducting a self-audit of data protection compliance
Fintan Swanton, Association of Data Protection Officers, April 15 2014.
Overview
Process based on ODPC’s audit template
Principally interview-based
Usually department by department
Deliverable – assessment of compliance with DP legislation and the organisation’s own policies and procedures
Identifying weaknesses and remedial actions
Also highlighting and commending existing good practices
Policies? What policies?
Top-level Data Protection Policy
Data protection incident handling procedure & log
Data subject access request handling procedure & log
Standard data protection risk assessment procedure
Training policy & logs
Retention and destruction policy, including retention periods
Procedures and standards for securing and encrypting Personal Data, in particular on networks
Registration details with ODPC, if applicable
Evidence of procedures being followed?
General questions
Kinds of personal data? Any sensitive data? Approximate volumes?
What staff training is provided?
Has your organisation experienced difficulties in relation to Data Protection?
Contracts with 3rd party data processors (or data controller clients)?
1: Fair obtaining
Defined data needs prior to acquisition?
How is personal data collected?
How are subjects given fair obtaining notice?
Who supplies the data?
With whom is data shared?
CCTV? If so, in-house or outsourced?
Policies for obtaining Sensitive Personal Data?
2: Specified purpose(s)
Why is this data collected?
To whom is the data disclosed?
For what purpose or purposes?
When & how are data subjects informed of these purpose(s)?
3: ... not incompatible
Basis for disclosing personal data to others?
Are the purposes for which data were originally acquired clearly recorded?
Is personal data ever gathered for undefined future use?
4: Safe & secure
How & where is data stored?
How is access to the on-site/off-site manual data controlled?
IT system access controls / security procedures?
Premises access controls?
Password policies?
Business Continuity Plan?
Data processor selection, contracts & auditing?
Overseas transfers (outside of EEA)? If so, adequacy of security at destination?
5: Accurate
How often is data reviewed, updated, or corrected?
How often is data integrity & quality evaluated?
Do you use the data for marketing, business purposes?
Compliance with date requirements of 2011 ePrivacy regulations recorded?
6: Adequate, relevant, not excessive
Is there a clear purpose for each item of personal data gathered?
Is there a clear purpose for each item of data disclosed?
Is or will all the data required to fulfil the purposes be available?
7: Retention
Are expectations set with data subjects regarding data retention?
Do you have a formal retention/destruction policy?
Does it include end-of-life hardware, storage media?
Does your policy differentiate between categories of personal data?
What data destruction methods are used?
Are 3rd party processors involved in your data retention/storage processes?
Do you obtain verification of data destruction?
8: Subject access rights
Formal Subject Access Request (SAR) response procedure / log?
Policy of charging €6.35 in order to process an SAR?
Who is authorised to make disclosures of Personal Data?
What is your time-line for data retrieval?
Are there grounds for exemption?
Registration & notification
Formally registered with ODPC?
Who’s responsible for registration?
How often are registrable particulars reviewed?
Policy for notifying the Commissioner in the event of breach?
Policy for notifying the data subject in the event of breach?
Log for breaches?
Walkaround
Securing workstations?
Securing manual data:
◦ Clean desks?
◦ Copiers & printers?
◦ Documents for shredding?
Securing portable equipment & storage media?
Premises access control, security?
Resources
www.dataprotection.ie
◦ “Data Protection Audit Resource”
www.ico.gov.uk
◦ “Data Protection Audit Manual”
Questions?
Fintan Swanton
Swanton Information Systems Ltd
01 685 4474 / 086 827 1273