Preparing for a data protection audit 28 September 2017


1 Preparing for a data protection audit 28 September 2017

2 Topics Covered
- How to prepare for a data protection audit
- What the DPC will expect: Article 30 requirements; policies, procedures and protocols
- Powers of the DPC in the context of an audit
- Lessons learned – what to expect

3 Topics Covered
- How to prepare for a data protection audit
- What the DPC will expect: Article 30 requirements; policies, procedures and protocols
- Powers of the DPC in the context of an audit
- Lessons learned – what to expect

4 How to prepare for a data protection audit
Start NOW!
- Phase 1 – Gap analysis: where do we stand currently, and what do we need to do?
- Phase 2 – Implement the recommendations of the gap analysis
- Phase 3 – Roll out the policies etc.; train staff and support the team

5 Preparation for audit under DPA and GDPR
Carry out a data mapping exercise:
- What data do we collect, and why?
- What is the legal basis for its collection and processing?
- How long do we keep it? Why?
- Who has access to it?
- Have appropriate notifications been made to data subjects?
- Where and to whom do we transfer data?
- Are the relevant transfer mechanisms in place?
- Do we have evidence of compliance with the transfer mechanisms, e.g. Privacy Shield certification, signed SCCs/consent forms etc.?
- Are adequate security measures in place?

6 Topics Covered
- How to prepare for a data protection audit
- What the DPC will expect: Article 30 requirements; policies, procedures and protocols
- Powers of the DPC in the context of an audit
- Lessons learned – what to expect

7 Main Data Protection Principles - DPA
- Fair collection and processing – “obtain and process data fairly” (S2(1)(a))
- Obtained for one or more specified, explicit and lawful purposes (S2(1)(c)(i))
- Use and disclose data only in ways compatible with those purposes (S2(1)(c)(ii))
- Keep it safe and secure (S2(1)(d))
- Keep data accurate, complete and up to date (S2(1)(b))
- Ensure that the processing is adequate, relevant and not excessive (S2(1)(c)(iii))
- Retain for no longer than is necessary for the purpose or purposes (S2(1)(c)(iv))
- Give a copy of his/her personal data to an individual on request (S4)

8 Preparation for audit under DPA and GDPR
Review the 8 principles and assess how your organisation measures up against their requirements.

9 GDPR Principles - 8 principles reframed (Art 5):
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage or retention limitation
- Integrity and confidentiality
- Accountability

10 Some GDPR Changes: Documenting compliance
- Art 12 & Arts: data subject rights
- Arts 13 & 14: notifications to data subjects
- Art 30: records of processing activity – flows into the Privacy Policy and Data Retention Policy
- Art 24: implement appropriate technical and organisational measures to demonstrate compliance
- Gap analysis
- Policies, procedures and protocols
- Data transfers to EEA processors/3rd parties: agreement in writing
- Data transfers to ex-EEA entities: agreement in writing and Art requirements

11 Some GDPR Changes: Data Protection by Design and by Default
- Art 35: is a DPIA process in place? Guidelines; templates; process?
- Integration of privacy by design into system and product development
- Training

12 Some GDPR Changes: DPOs
- DPOs - Art & Recital 97
- Do you have one? Should you have one?
- Are their contact details published and notified to the DPC?
- What is their role? Maintain a record of their role and responsibilities
- Has their appointment and contact information been shared?

13 Topics Covered
- How to prepare for a data protection audit
- What the DPC will expect: Article 30 requirements; policies, procedures and protocols
- Powers of the DPC in the context of an audit
- Lessons learned – what to expect

14 Role of the Supervisory Authority
Helen Dixon
- Regulatory
- Investigatory
- Quasi-judicial
- Provision of information
- Statutory functions
- GDPR: Art 57 tasks; Art 58 powers

15 Statutory powers of the Supervisory Authority
“The Commissioner may carry out ... such investigation as she considers appropriate in order to ensure compliance with the provisions of this Act ... and to identify any contravention thereof.”

16 Statutory powers of the Supervisory Authority
Investigative powers (S10 & 24 DPA) - a scheduled audit or an ‘on the spot’ inspection:
- Enter premises and inspect data therein
- Require any person on the premises to disclose data
- Inspect and take a copy of, or extract information from, the data
- Require any person to give such information on the procedures used to comply with the DPA, the sources from which the data are obtained, the purposes for which they are kept, the persons to whom they are disclosed and the data equipment on the premises
- Obstruction of an authorised officer is an offence
Formal investigation of a complaint - a formal legal notice (S12 DPA)

17 2009 DPC Guide to Audit Process (revised 2014)
What is an audit?
- An independent evaluation of how resources or assets are managed in relation to a particular set of standards
- Compliance based: an examination of an organisation’s procedures, policies, systems and records to assess whether it is generally in compliance with data protection legislation requirements
- A review of policies, procedures and practices

18 2009 DPC Guide to Audit Process (revised 2014)
Audit format:
- Notice period – usually 2 weeks, but may be less, particularly if the organisation is under investigation
- The DPC may ask for documents in advance
- Dawn raids – no advance notice (S24 DPA)

19 2009 DPC Guide to Audit Process (revised 2014)
Authorised officers (S24 DPA) should show ID and authorisation – check both before granting access to servers/data.

20 2009 DPC Guide to Audit Process (revised 2014)
Principal purpose: “to ascertain whether the audited organisation is operating in accordance with the Data Protection Acts and the ePrivacy Regulations 2011” and “to identify any risks or possible contraventions of applicable legislation”.
- The audit will identify any gaps and weaknesses and review how effective the organisation is in its adherence to policies concerning the handling of personal data.
- An assessment will be made of whether the organisation is operating in accordance with its own documented data protection or privacy related policies, sectoral codes of practice, guidelines and procedures.
- The report covers remedial action, improvements and positive findings.

21 Art 58 GDPR – investigative powers of the Supervisory Authority
- Provision of information
- Data protection audits
- Reviews/withdrawals of certifications
- Access to premises or data processing equipment
- Breach notifications to data subjects
- A ban on processing
- Suspension of cross-border data flows

22 Topics Covered
- How to prepare for a data protection audit
- What the DPC will expect: Article 30 requirements; policies, procedures and protocols
- Powers of the DPC in the context of an audit
- Lessons learned – what to expect

23 Identification of audit targets
- Audit target list
- Mix of public and private entities
- Mix of sectors
- Desktop audits

24 Identification of audit targets
- Complaints
- Organisations holding lots of data
- Multi-nationals with European HQs in Ireland
- Media reports
- Policy areas
- Research organisations
- Representatives of particular sectors & comparators
- Another audit leads to the organisation
- Regional balance

25 GDPR Audits: must be able to demonstrate compliance
- Emphasis on pro-active methodologies
- Evidence of a ‘culture of compliance’
- Ongoing logging of data breaches
- Art 30 log of processing activity
- Policies, procedures and protocols must be GDPR ready
- Training log

26 Change in emphasis from the DPC?
- Administrative fining powers
- More prescriptive approach?
- Art 60 co-operation and consistency procedures

27 Frontier Privacy
- Gap analysis
- Data mapping
- Drafting policies, procedures, protocols and contracts
- Training
- Outsourced DPO / DPO-assistance programme

28 Frontier Privacy
Kate Colleary, Co-founder / Director
4 Upper Pembroke Street, Dublin 2, Ireland
Tel:
Mob:

