An Introduction to Data Protection Auditing
Stewart Dresner, Chief Executive, Privacy Laws & Business
5th Floor, Raebarn House, 100 Northolt Road, Harrow, Middlesex, HA2 0BX
ISACA, London, 22nd May 2003

Data Protection Audit Aims (1)
The aims of Data Protection Audits address the wider aspects of data protection, including:
– Mechanisms for ensuring that information is obtained and processed fairly, lawfully and on a proper basis
– Quality Assurance: ensuring that information is accurate, complete and up-to-date, adequate, relevant and not excessive

Data Protection Audit Aims (2)
– Retention: appropriate weeding and deletion of information
– Documentation on authorised use of systems, e.g. codes of practice, guidelines etc.
– Compliance with individuals’ rights, such as subject access
– Compliance with the data protection legislation in the context of other pieces of legislation such as the Human Rights Act, FOI Act etc.

Why Should We Audit?
The key reasons for carrying out audit activities are:
– To assess the level of compliance with the Data Protection Act 1998
– To assess the level of compliance with the organisation’s own data protection system
– To identify potential gaps and weaknesses in the data protection system
– To provide information for data protection system review

Audit Objectives
When carrying out a Data Protection Audit in any area of an organisation the Auditor has three clear objectives:
– To verify that there is a formal data protection system in place in the area:
   – the system should be documented
   – the system should be up-to-date
– To verify that all the staff in the area involved in data protection:
   – are aware of the existence of the data protection system
   – understand the data protection system
   – use the data protection system
– To verify that the data protection system in the area actually works and is effective

The Audit Methodology
– Methodology based on well-proven models from other sectors
– Aimed at both professional auditors and non-specialists
– Can be used by external auditors, internal auditors or Data Protection Managers
– Two-part audit methodology consisting of:
   – Adequacy Audit
   – Compliance Audit

The Audit Method: Audit Categories (diagram slide; no transcript text)

Part 2: The Audit Method: Functional Audit (diagram slide; no transcript text)

Part 2: The Audit Method: Process Audit (diagram slide; no transcript text)

Part 2: The Audit Method: Interactions with Staff
Interaction with staff will occur in two main ways:
– Staff questioning during Functional or Process Audits, using the Audit Checklists
– Staff Awareness Interviews via:
   – One-to-one interviews
   – Focus Groups

The Audit Process: The Data Protection Audit Lifecycle (diagram slide; no transcript text)

Audit Planning
The Audit Planning phase covers:
– Risk Assessment
– Audit Schedule
– Selection of Auditor
– Pre-Audit Questionnaire
– Preparatory Meeting/Visit
– Audit Management Checklist

Audit Preparation
The Audit Preparation phase covers:
– Adequacy Audit
– Confirmation of Audit Schedule
– Audit Checklists
– Sampling Criteria
– Audit Plan

The Audit Process: Conduct of the Compliance Audit
The Compliance Audit phase involves:
– Opening Meeting
– Audit Environment
– Audit Execution:
   – Functional Audit
   – Process Audit
   – Staff Awareness Interviews
   – Recording both positive and negative results

The Audit Process: Compliance Audit Reporting
The Audit Reporting phase covers:
– Non-compliance Records
– Non-compliance Categories
– Compliance Audit Report
– Closing Meeting
– Audit Report Distribution
– Audit with no Non-compliances

The Audit Process: Audit Follow-up
The Audit Follow-up phase covers:
– Scope
– Timescales
– Methodology
– Audit Closure

Guide to Auditing
The Guide to Auditing covers:
– The Role of an Auditor
– Auditing Tasks
   – Obtaining evidence
   – Assessing the evidence
– Human Aspects
– Audit Techniques
   – Basis of questions
   – Good questioning techniques
   – Questions to avoid
   – Black box auditing

Guide to Auditing
Practical Considerations:
– Layout of Interview Room
– Note Taking
– What to Take to the Audit
Auditor’s Code of Conduct:
– Honesty
– Conflict of Interest
– Inducements
– Confidentiality
– Concealment
– Professionalism

Audit Materials
Part 5 includes the following:
– A. Risk Assessment
– B. Sampling Criteria
– C. Audit Proformas
– D. Meeting Proformas
– E. Adequacy Audit Checklist
– F. Compliance Audit Checklists: Organisational & Management Issues
– G. Compliance Audit Checklists: The 8 Data Protection Principles
– H. Compliance Audit Checklists: Other Data Protection Issues
– J. Process Audit Checklist

Audit Proformas
Eight model Audit Proformas are provided:
– C.1 Audit Schedule
– C.2 Pre-Audit Questionnaire
– C.3 Audit Management Checklist
– C.4 Adequacy Audit Report
– C.5 Audit Plan
– C.6 Non-compliance Record
– C.7 Observation Note
– C.8 Compliance Audit Report

Meeting Proformas
Four model meeting forms are provided:
– D.1 Preparatory Meeting Agenda
– D.2 Opening Meeting Agenda
– D.3 Closing Meeting Agenda
– D.4 Interview/Focus Group Record Sheet

Compliance Audit Checklists
Divided into 3 categories:
– F: Organisational & Management Issues
– G: 8 Data Protection Principles
– H: Other Data Protection Issues
What is covered? Checklist F covers the following:
– F.1 Organisational & Management Issues
– F.2 Documentation Issues
– F.3 Key Business Processes

Compliance Audit Checklists
What is covered? Checklist G covers the following:
– G.1 through to G.8: the 8 DP Principles
Checklist H covers:
– H.1 Using Data Processors
– H.2 Notification
– H.3 Transitional Provisions

Experience from using the Audit Manual
Our experience from using the Manual has shown that the DP Audit methodology can:
– Be applied to a wide range of organisations, public and private sector, large and small
– Be applied to a wide range of business processes, e.g.:
   – Recruitment/HR process
   – Marketing services
   – Staff subject access requests
   – House-bound Library services
   – Contracts with third party processors
   – Police Enquiries re loyalty card holder
   – Call Centre handling of customer enquiries

Case Study: Royal Mail
– Draft audit manual tested with 5 organisations of different kinds
– Royal Mail approached to take part in 1999
– Planning: select an area of the organisation to be audited
– Address Management Centre: Postcode Address File and database of Redirection information

Case Study: Royal Mail
– Pre-audit questionnaire and preparatory meeting
– Preparation: review of DP policy, IS policies, Redirection application form, contracts for supply of data
– Compliance Audit: opening meeting with senior DP staff and management of AMC; check operation of DP systems; interviews with staff to establish how things are actually done

Case Study: Royal Mail
– Observe the process from start to finish
– Don’t take anything for granted
– Report: no major non-compliance; one minor non-compliance
– Benefits for Royal Mail: a measure of compliance; increased staff awareness; generates goodwill with the ICO!

How can DP Auditing help you comply with Data Protection Laws?
– Facilitates compliance with the Data Protection Act and similar laws in other countries
– Helps compliance with your organisation’s Data Protection System
– Increases the level of Data Protection awareness among management and staff
– Provides information for a Data Protection System review
– Reduces data errors leading to complaints

How can the DP Audit Manual help you?
– The Manual can be used by organisations to form the basis of an internal audit programme
– User-friendly flowcharts guide you through each stage of the process
– A complete set of Audit Checklists and proformas is provided to:
   – Serve as “Models of Best Practice”
   – Act as templates for organisations to adapt to their own requirements

Conclusions
– The methodology in the Information Commissioner’s (IC’s) Audit Manual can be a very effective way of assessing data protection compliance
– The methodology is suited to a wide range of organisations, large or small, public or private sector
– The methodology can be used for external, supplier or internal audits with equal success
– The methodology is easy to adapt to individual organisations’ specific requirements