Data Protection and Audit

Title slide: Data Protection and Audit (www.collearyandco.com)

Topics Covered
- How to implement the EU General Data Protection Regulation
- How to prepare for a data protection audit
- What the DPC will expect: Article 30 requirements; policies, procedures and protocols
- Powers of the DPC in the context of an audit
- Lessons learned: what to expect

How to Prepare for a Data Protection Audit
Start now.
- Phase 1: gap analysis. Where do we stand currently, and what do we need to do?
- Phase 2: implement the recommendations of the gap analysis.
- Phase 3: roll out policies etc.; train staff and support the team.

Preparation for Audit under the GDPR
Carry out a data-mapping exercise:
- What data do we collect, and why?
- What is the legal basis for its collection and processing?
- How long do we keep it? Why?
- Who has access to it?
- Have appropriate notifications been made to data subjects?
- Where and to whom do we transfer data? Are the relevant transfer mechanisms in place? Do we have evidence of compliance with those mechanisms, e.g. Privacy Shield certification, signed SCCs, consent forms? (Note that the EU-US Privacy Shield was invalidated by the CJEU in Schrems II in July 2020, after this presentation was given.)
- Are adequate security measures in place?

Preparation for Audit under the GDPR
Review the six data protection principles and assess how your organisation measures up against their requirements.

Main Data Protection Principles (GDPR Art 5)
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Overarching principle of accountability
- Access by the individual on request (S4)

Some GDPR Changes
- Documenting compliance
- Art 12 and Arts 15-22: data subject rights
- Arts 13 and 14: information notices to data subjects
- Art 30: records of processing activity, which flow into the privacy policy and the data retention policy
- Art 24: implement appropriate technical and organisational measures to demonstrate compliance
- Gap analysis; policies, procedures and protocols
- Data transfers to EEA processors/third parties: agreement in writing (Art 28)
- Data transfers to ex-EEA entities: agreement in writing plus the Arts 44-49 requirements

Some GDPR Changes
- Data protection by design and by default (Art 25)
- Art 35: is a DPIA process in place? Guidelines, templates, process?
- Integration of privacy by design into system and product development
- Training

Some GDPR Changes
DPOs (Arts 37-39 and Recital 97):
- Do you have one? Should you have one?
- Are their contact details published and notified to the DPC?
- What is their role? Maintain a record of the role and responsibilities.
- Has their appointment and contact information been shared?

Role of the Supervisory Authority
- Regulatory
- Investigatory
- Quasi-judicial
- Provision of information
- Statutory functions under the GDPR: Art 57 (tasks) and Art 58 (powers)
Commissioner: Helen Dixon

Statutory Powers of the Supervisory Authority
"The Commissioner may carry out ... such investigation as she considers appropriate in order to ensure compliance with the provisions of this Act ... and to identify any contravention thereof."

Statutory Powers of the Supervisory Authority
Investigative powers: a scheduled audit or an "on the spot" inspection.
- Enter premises and inspect data therein
- Require any person on the premises to disclose data
- Inspect and take a copy of, or extract information from, the data
- Require any person to give information on the procedures used to comply with the DPA, the sources from which the data are obtained, the purposes for which they are kept, the persons to whom they are disclosed, and the data equipment on the premises
- Obstruction of an authorised officer is an offence
Formal investigation of a complaint: a formal legal notice.

2009 DPC Guide to Audit Process (revised 2014)
Authorised officers should show ID and authorisation; check both before granting access to servers or data.

2009 DPC Guide to Audit Process (revised 2014)
What is an audit?
- An independent evaluation of how resources or assets are managed in relation to a particular set of standards
- Compliance-based: an examination of an organisation's procedures, policies, systems and records to assess whether it is generally in compliance with data protection legislation requirements
- A review of policies, procedures and practices

2009 DPC Guide to Audit Process (revised 2014)
Principal purpose:
- "to ascertain whether the audited organisation is operating in accordance with the Data Protection Acts and the ePrivacy Regulations 2011"
- "to identify any risks or possible contraventions of applicable legislation"
- Remedial action, improvements and positive findings

2009 DPC Guide to Audit Process (revised 2014)
Audit format:
- Notice period: usually two weeks, but may be less, particularly if the organisation is under investigation
- May ask for documents in advance
- Dawn raids: no advance notice

Powers of the Supervisory Authority under the GDPR (Art 58: investigative and corrective powers)
- Provision of information
- Data protection audits
- Reviews/withdrawals of certifications
- Access to premises or data processing equipment
- Ordering breach notifications to data subjects
- A ban on processing
- Suspension of cross-border data flows

Identification of Audit Targets
- Audit target list
- Mix of public and private entities
- Mix of sectors
- Desktop audits

Identification of Audit Targets
- Complaints
- Organisations holding lots of data
- Multinationals with European HQs in Ireland
- Media reports
- Another audit leads to the organisation
- Regional balance

GDPR Audits
- Must be able to demonstrate compliance
- Emphasis on proactive methodologies
- Evidence of a "culture of compliance"
- Ongoing logging of data breaches
- Art 30 log of processing activity
- Policies, procedures and protocols must be GDPR-ready
- Training log

Change in Emphasis from the DPC?
- Administrative fining powers
- More prescriptive approach?
- Art 60 co-operation (lead supervisory authority) and consistency procedures

Priorities of the Irish Regulator
Video: https://www.youtube.com/watch?v=HFDMM69VivQ&feature=youtu.be

Irish Regulator: reactive and proactive enforcement priorities
Reactive priorities:
- Complaints: the GDPR requires the SA to handle every complaint lodged with it (Art 57); Art 56 governs local complaints. NB data subject rights account for 50% of complaints; organisations must be responsive to complaints or they will attract higher fines and lead SAs to their door.
- Breach notifications (Art 33): required unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. These give the SA visibility of abuses and failures to protect personal data that it was previously unaware of, as no notification was required before.
- Whistleblowing and media: the SA will be responsive to the risks and trends it identifies in handling every complaint lodged, and can identify sectors and types of issues.

Irish Regulator: proactive priorities
- Transparency
- Audits

Transparency
- "Key to empower data subjects": the exercise of rights by data subjects flows from the knowledge made available through transparency
- Legal basis of consent: is it "well informed"?
- Privacy notices are far too opaque (Arts 13/14)
- Article 29 Working Party paper on Transparency (13.12.2017) covers:
  - provision of information related to fair processing to individuals
  - communicating with individuals in relation to their rights under the GDPR
  - facilitating the exercise by individuals of their rights
- Modalities: layered notices; just-in-time notices; dashboards; physical/web-based notices

Audits

Current Audit Activity
- Local authorities: DPC audit of surveillance activities
- Privacy Accountability Information Sweep (Global Privacy Enforcement Network)

Thank you
Sara Bloomer, 4 Upper Pembroke Street, Dublin 2
Phone: +353 1 9058695
sarabloomer@collearyandco.com
www.collearyandco.com