Data Protection Audits
Whether the role of DPO is performed in-house or under a service contract, it is best practice to have independent professional Data Protection Audits performed at intervals appropriate to your particular business or organisation. There is anecdotal evidence of a panic-ridden environment in the run-up to GDPR, which hastened the appointment of DPOs in some organisations. Some of those appointed do not have the requisite training or qualifications to perform the role, or to carry out its functions to the standard of compliance that GDPR demands. Many training courses were aggressively marketed by dubious training organisations and offered little substantive preparation for such a responsible role in any governance structure.
Here at GDPRXpert we conduct a comprehensive audit to assess and verify the true level of compliance with GDPR. GDPR places strong emphasis on the independence of the office of DPO. It is therefore prudent to engage an outside party, in co-operation with the DPO, to audit the policies and procedures of the controller or processor, including those that the DPO monitors internally under Art. 39. As with audits in other fields, the purpose is to assess, appraise, evaluate and review policies and procedures in order to capture a true and fair picture of compliance at a specific point in time. It is paramount to have a thorough understanding of your obligations, to be aware of your current processes, and to identify any potential gaps.
The internal DPO is not personally responsible in the case of non-compliance with the GDPR. It is the controller or the processor who is required to ensure, and be able to demonstrate, that processing is performed in accordance with its provisions. Nevertheless, criticism of the DPO by the controller or processor may be viewed as breaching the independence of the office, which is all the more reason to use the services of GDPRXpert to conduct an audit independently. It is an extra control mechanism to protect the controller and processor from the imposition of fines.
Our Data Protection Audits are a systematic and independent examination to determine whether operations involving the processing of personal data are carried out in accordance with the organisation's data protection policies and procedures, and whether this processing meets the requirements of the GDPR.
Areas of scrutiny during audit include:
• Lawful grounds for processing
• Adherence to the data protection principles
• Transparency requirements*
• Data subject rights (respected and facilitated?)
• Subject access request procedures
• Personal data breach and notification procedures
• Access control policy
• Data security*
• Data retention policy* and retention criteria
• Special categories of data (where applicable)
• Children's data (where applicable)
• Cross-border data transfers (where applicable)
• Record keeping under Art. 30
Special emphasis is placed on Art. 24 (Responsibility of the controller) and Art. 25 (Data protection by design and by default), particularly in relation to Art. 32 (Security of processing), Art. 35 (Data protection impact assessment) and Art. 36 (Prior consultation).
Note that the items marked * above also fall under the data protection principles, but for audit purposes they warrant separate, individual attention.