Data Protection Audits
Whether the role of DPO is performed in-house or by way of a service contract, it represents best practice to have independent professional Data Protection Audits performed at the appropriate intervals for your particular business or organisation. There is anecdotal evidence of a panic-ridden environment prior to GDPR, hastening the appointment of DPOs in some organisations. Some do not have the requisite training or qualifications to perform the role, or to carry out its functions to the standard of compliance that GDPR demands. Many training courses were aggressively marketed by dubious training organisations and offered little substantive preparation for such a responsible role in any governance structure.
Here at GDPRXpert we will conduct a comprehensive audit to assess and verify the true level of compliance with GDPR. GDPR places strong emphasis on the independence of the office of DPO. Therefore, it seems prudent to employ an outside source, in co-operation with the DPO, to audit the policies and procedures of the controller or processor, including the procedures that are internally monitored by the DPO under Art. 39. As with audits in other fields, the purpose is to assess, appraise, evaluate and review policies and procedures in order to capture a true and fair picture of compliance at a specific point in time. It is paramount to have a thorough understanding of your obligations, to be aware of your current processes and to identify any potential gaps.
The internal DPO is not personally responsible in the case of non-compliance with the GDPR. It is the controller or the processor who is required to ensure, and be able to demonstrate, that processing is performed in accordance with its provisions. Nevertheless, criticism of the DPO by the controller or processor may be viewed as breaching the independence of the office, which is all the more reason to use the services of GDPRXpert to conduct an independent audit. It is an extra control mechanism to protect the controller and processor from the imposition of fines.
Our Data Protection Audits will be a systematic and independent examination to determine whether operations involving the processing of personal data are carried out in accordance with the organisation’s data protection policies and procedures, and whether this processing meets the requirements of the GDPR.
Areas of scrutiny during audit include:
• Lawful Grounds for Processing
• Adherence to Data Protection Principles
• Transparency Requirements*
• Data Subject Rights (Respected and Facilitated?)
• Subject Access Request Policies/Procedures
• Personal Data Breach & Notification Procedures
• Access Control Policy
• Data Security*
• Data Retention Policy* and Criteria
• Special Categories of Data (where applicable)
• Children’s Data (where applicable)
• Trans Border Data Transfers (where applicable)
• Record Keeping Under Art.30
Who is the data controller? No audit is complete without an in-depth appraisal of how the responsibilities of the data controller under Art. 24 are being carried out in practice.
Art. 25 (data protection by design and by default) will also receive considerable attention, especially as it is so closely related to Data Protection Impact Assessments under Arts. 35 and 36, and to Art. 32 (security of processing).
Responsibilities of the data processor under Art. 28 in most cases become an integral part of the audit, being so closely linked to the responsibilities of the data controller. The controller/processor relationship sometimes becomes complex and muddled, especially in the context of third-party service providers used by many businesses. The one that springs to mind most readily is the cloud services provider.
Issues around 'Internet of Things' devices, emerging technologies, evolving smart devices and Bring Your Own Device (BYOD) often surface during audits and can raise severe data security issues. CCTV, both inside and outside some premises, will in some cases demand extra attention.
(Note: those marked * above also fall under Data Protection Principles, but for audit purposes warrant separate, individual attention.)