Preparing for a data protection audit 28 September 2017
Topics Covered
- How to prepare for a data protection audit
- What the DPC will expect: Article 30 requirements; policies, procedures and protocols
- Powers of the DPC in the context of an audit
- Lessons learned: what to expect
How to prepare for a data protection audit
Start NOW!
- Phase 1 - Gap analysis: where do we stand currently, and what do we need to do?
- Phase 2 - Implement the recommendations from the gap analysis
- Phase 3 - Roll out policies etc.; train staff and support the team
Preparation for audit under DPA and GDPR
Carry out a data mapping exercise:
- What data do we collect, and why?
- What is the legal basis for its collection and processing?
- How long do we keep it? Why?
- Who has access to it?
- Have appropriate notifications been made to data subjects?
- Where, and to whom, do we transfer data?
- Are the relevant transfer mechanisms in place?
- Do we have evidence of compliance with those transfer mechanisms (e.g. Privacy Shield certification, signed SCCs, consent forms)?
- Are adequate security measures in place?
Main Data Protection Principles - DPA
- Fair collection and processing: "obtain and process data fairly" (S2(1)(a))
- Obtain data for one or more specified, explicit and lawful purposes (S2(1)(c)(i))
- Use and disclose data only in ways compatible with those purposes (S2(1)(c)(ii))
- Keep it safe and secure (S2(1)(d))
- Keep data accurate, complete and up to date (S2(1)(b))
- Ensure that the processing is adequate, relevant and not excessive (S2(1)(c)(iii))
- Retain data for no longer than is necessary for the purpose or purposes (S2(1)(c)(iv))
- Give a copy of his/her personal data to an individual on request (S4)
Preparation for audit under DPA and GDPR
Review the 8 principles and assess how your organisation measures up against their requirements.
GDPR Principles - the 8 principles reframed (Art 5)
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage (retention) limitation
- Integrity and confidentiality
- Accountability (Art 5(2): the controller must be able to demonstrate compliance with the above)
Some GDPR Changes
Documenting compliance:
- Art 12 and Arts 15-22: data subject rights
- Arts 13 and 14: notifications (information) to data subjects
- Art 30: records of processing activity; these flow into the Privacy Policy and the Data Retention Policy
- Art 24: implement appropriate technical and organisational measures to ensure, and be able to demonstrate, compliance
- Gap analysis
- Policies, procedures and protocols
- Data transfers to EEA processors/third parties: agreement in writing
- Data transfers to ex-EEA entities: agreement in writing, plus the Art 44-49 requirements
Some GDPR Changes
Data Protection by Design and by Default (Art 25)
- Art 35: is a DPIA process in place? Guidelines, templates, process?
- Integration of privacy by design into system and product development
- Training
Some GDPR Changes
DPOs - Arts 37-39 and Recital 97
- Do you have one? Should you have one?
- Are their contact details published and notified to the DPC?
- What is their role? Maintain a record of the role and responsibilities
- Has their appointment and contact information been shared?
Role of the Supervisory Authority (Commissioner: Helen Dixon)
- Regulatory
- Investigatory
- Quasi-judicial
- Provision of information
- Statutory functions
- GDPR: Art 57 tasks; Art 58 powers
Statutory powers of the Supervisory Authority
"The Commissioner may carry out ... such investigations as she considers appropriate in order to ensure compliance with the provisions of this Act ... and to identify any contravention thereof." (S10(1A) DPA)
Statutory powers of the Supervisory Authority
Investigative powers (S10 and S24 DPA): a scheduled audit or an "on the spot" inspection
- Enter premises and inspect data held there
- Require any person on the premises to disclose data
- Inspect, take a copy of, or extract information from the data
- Require any person to give information on the procedures used to comply with the DPA, the sources from which the data are obtained, the purposes for which they are kept, the persons to whom they are disclosed, and the data equipment on the premises
- Obstruction of an authorised officer is an offence
Formal investigation of a complaint: a formal legal notice (S12 DPA)
2009 DPC Guide to Audit Process (revised 2014)
What is an audit?
- An independent evaluation of how resources or assets are managed in relation to a particular set of standards
- Compliance based: an examination of an organisation's procedures, policies, systems and records to assess whether it is generally in compliance with data protection legislation
- A review of policies, procedures and practices
2009 DPC Guide to Audit Process (revised 2014)
Audit format:
- Notice period: usually 2 weeks, but may be less, particularly if the organisation is under investigation
- The DPC may ask for documents in advance
- Dawn raids: no advance notice (S24 DPA)
2009 DPC Guide to Audit Process (revised 2014)
Authorised officers (S24 DPA) should show ID and their written authorisation; check both before granting access to servers or data.
2009 DPC Guide to Audit Process (revised 2014)
Principal purpose: "to ascertain whether the audited organisation is operating in accordance with the Data Protection Acts and the ePrivacy Regulations 2011" and "to identify any risks or possible contraventions of applicable legislation".
- The audit will identify any gaps and weaknesses and review how effective the organisation is in adhering to its policies on the handling of personal data.
- An assessment will be made of whether the organisation is operating in accordance with its own documented data protection or privacy-related policies, sectoral codes of practice, guidelines and procedures.
- The report covers remedial action, improvements and positive findings.
Art 58 GDPR - powers of the Supervisory Authority
Investigative powers (Art 58(1)):
- Order the provision of information
- Carry out data protection audits
- Review certifications
- Obtain access to premises and to data processing equipment
Corrective powers (Art 58(2)), which may follow an audit:
- Order the controller to communicate a breach to the data subjects
- Withdraw certifications
- Impose a ban on processing
- Order the suspension of cross-border data flows
Identification of audit targets
- Audit target list
- Mix of public and private entities
- Mix of sectors
- Desktop audits
Identification of audit targets
- Complaints
- Organisations holding lots of data
- Multinationals with European HQs in Ireland
- Media reports
- Policy areas
- Research organisations
- Representatives of particular sectors, and comparators
- Another audit leads to the organisation
- Regional balance
GDPR Audits
- You must be able to demonstrate compliance
- Emphasis on proactive methodologies
- Evidence of a "culture of compliance"
- Ongoing logging of data breaches
- Art 30 log of processing activity
- Policies, procedures and protocols must be GDPR ready
- Training log
Change in emphasis from the DPC?
- Administrative fining powers (Art 83)
- A more prescriptive approach?
- Art 60 cooperation between the lead supervisory authority and other supervisory authorities, and the consistency mechanism (Arts 63-67)
Frontier Privacy
- Gap analysis
- Data mapping
- Drafting policies, procedures, protocols and contracts
- Training
- Outsourced DPO / DPO-assistance programme
Frontier Privacy
Kate Colleary, Co-founder / Director
kcolleary@frontierprivacy.com
4 Upper Pembroke Street, Dublin 2, Ireland
Tel: +353 1 9058695
Mob: +353 86 2420455
www.frontierprivacy.com