Conducting a self-audit of data protection compliance
Fintan Swanton, Association of Data Protection Officers, April 15 2014.
Overview
- Process based on ODPC’s audit template
- Principally interview-based
- Usually department by department
- Deliverable: assessment of compliance with DP legislation and the organisation’s own policies and procedures
- Identifying weaknesses and remedial actions
- Also highlighting and commending existing good practices
Policies? What policies?
- Top-level Data Protection Policy
- Data protection incident handling procedure & log
- Data subject access request handling procedure & log
- Standard data protection risk assessment procedure
- Training policy & logs
- Retention and destruction policy, including retention periods
- Procedures and standards for securing and encrypting Personal Data, in particular on networks
- Registration details with ODPC, if applicable
- Evidence of procedures being followed?
General questions
- Kinds of personal data? Any sensitive data?
- Approximate volumes?
- What staff training is provided?
- Has your organisation experienced difficulties in relation to Data Protection?
- Contracts with 3rd party data processors (or data controller clients)?
1: Fair obtaining
- Defined data needs prior to acquisition?
- How is personal data collected?
- How are subjects given fair obtaining notice?
- Who supplies the data?
- With whom is data shared?
- CCTV? If so, in-house or outsourced?
- Policies for obtaining Sensitive Personal Data?
2: Specified purpose(s)
- Why is this data collected?
- For what purpose or purposes?
- To whom is the data disclosed?
- When & how are data subjects informed of these purpose(s)?
3: ... not incompatible
- Basis for disclosing personal data to others?
- Are the purposes for which data were originally acquired clearly recorded?
- Is personal data ever gathered for undefined future use?
4: Safe & secure
- How & where is data stored?
- How is access to the on-site / off-site manual data controlled?
- IT system access controls / security procedures?
- Premises access controls?
- Password policies?
- Business Continuity Plan?
- Data processor selection, contracts & auditing?
- Overseas transfers (outside of EEA)? If so, adequacy of security at destination?
5: Accurate
- How often is data reviewed, updated, or corrected?
- How often is data integrity & quality evaluated?
- Do you use the data for marketing or business purposes?
- Compliance with date requirements of the 2011 ePrivacy regulations recorded?
6: Adequate, relevant, not excessive
- Is there a clear purpose for each item of personal data gathered?
- Is there a clear purpose for each item of data disclosed?
- Is, or will, all the data required to fulfil the purposes be available?
7: Retention
- Are expectations set with data subjects regarding data retention?
- Do you have a formal retention/destruction policy?
- Does it include end-of-life hardware and storage media?
- Does your policy differentiate between categories of personal data?
- What data destruction methods are used?
- Are 3rd party processors involved in your data retention/storage processes?
- Do you obtain verification of data destruction?
8: Subject access rights
- Formal Subject Access Request (SAR) response procedure / log?
- Policy of charging €6.35 in order to process an SAR?
- Who is authorised to make disclosures of Personal Data?
- What is your time-line for data retrieval?
- Are there grounds for exemption?
Registration & notification
- Formally registered with ODPC?
- Who’s responsible for registration?
- How often are registrable particulars reviewed?
- Policy for notifying the Commissioner in the event of a breach?
- Policy for notifying the data subject in the event of a breach?
- Log for breaches?
Walkaround
- Securing workstations?
- Securing manual data:
  ◦ Clean desks?
  ◦ Copiers & printers?
  ◦ Documents for shredding?
- Securing portable equipment & storage media?
- Premises access control, security?
Resources
- www.dataprotection.ie: “Data Protection Audit Resource”
- www.ico.gov.uk: “Data Protection Audit Manual”
Questions?
Fintan Swanton
Swanton Information Systems Ltd
01 685 4474 / 086 827 1273