Data Protection and Audit


1 Data Protection and Audit

2 Topics Covered
How to implement the EU General Data Protection Regulation
How to prepare for a data protection audit
What the DPC will expect: Article 30 requirements; policies, procedures and protocols
Powers of the DPC in the context of an audit
Lessons learned – what to expect

3 How to Prepare for a Data Protection Audit
Start NOW!
Phase 1 – Gap analysis: where do we stand currently, and what do we need to do?
Phase 2 – Implement the recommendations of the gap analysis
Phase 3 – Roll out policies etc.; train staff and support the team

4 Preparation for Audit under the GDPR
Carry out a data mapping exercise:
What data do we collect, and why?
What is the legal basis for its collection and processing?
How long do we keep it? Why?
Who has access to it?
Have appropriate notifications been made to data subjects?
Where and to whom do we transfer data?
Are the relevant transfer mechanisms in place?
Do we have evidence of compliance with those transfer mechanisms, e.g. signed SCCs, consent forms, Privacy Shield certification? (Note: the CJEU invalidated Privacy Shield in Schrems II, July 2020, so any transfer that still relies on it needs a replacement mechanism.)
Are adequate security measures in place?


6 Preparation for Audit under the GDPR
Review the SIX data protection principles (GDPR Art 5) and assess how your organisation measures up against each of them.

7 Main Data Protection Principles
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality (security)
Overarching principle of accountability (Art 5(2)): the controller must be able to demonstrate compliance with all of the above

8 Some GDPR Changes: Documenting Compliance
Art 12 & the data subject rights Arts – procedures for handling requests
Arts 13 & 14 – information to be provided to data subjects (privacy notices)
Art 30 – records of processing activities; these feed into the Privacy Policy and the Data Retention Policy
Art 24 – implement appropriate technical and organisational measures and be able to demonstrate compliance: gap analysis; policies, procedures and protocols
Data transfers to processors/third parties within the EEA: agreement in writing (for processors, the Art 28 contract)
Data transfers to entities outside the EEA: agreement in writing plus the applicable transfer Art requirements (GDPR Chapter V)

9 Some GDPR Changes: Data Protection by Design and by Default (Art 25)
Art 35 – is a DPIA process in place? Guidelines, templates, process?
Integration of privacy by design into system and product development
Training

10 Some GDPR Changes: DPOs (Arts 37–39 & Recital 97)
Do you have one? Should you have one (Art 37 criteria)?
What is their role? Maintain a record of their role and responsibilities.
Have their contact details been published and notified to the DPC (Art 37(7))?


12 Role of the Supervisory Authority
Regulatory; investigatory; quasi-judicial; provision of information
Statutory functions under the GDPR: Art 57 tasks; Art 58 powers
(Helen Dixon, Data Protection Commissioner)

13 Statutory Powers of the Supervisory Authority
“The Commissioner may carry out ... such investigation as she considers appropriate in order to ensure compliance with the provisions of this Act ... and to identify any contravention thereof.” (Data Protection Acts 1988 and 2003)

14 Statutory Powers of the Supervisory Authority
Investigative powers – scheduled audit or an ‘on the spot’ inspection:
Enter premises and inspect data held there
Require any person on the premises to disclose data
Inspect and take a copy of, or extract information from, the data
Require any person to give information on the procedures used to comply with the DPA, the sources from which the data are obtained, the purposes for which they are kept, the persons to whom they are disclosed and the data equipment on the premises
Obstruction of an authorised officer is an offence
Formal investigation of a complaint – by formal legal notice

15 2009 DPC Guide to Audit Process (revised 2014)
Authorised officers should show ID and their written authorisation – verify both before granting access to premises, servers or data, and keep your own record of what was inspected and copied.

16 2009 DPC Guide to Audit Process (revised 2014)
What is an audit?
An independent evaluation of how resources or assets are managed in relation to a particular set of standards
Compliance based: an examination of an organisation’s procedures, policies, systems and records to assess whether it is generally in compliance with data protection legislation
A review of policies, procedures and practices

17 2009 DPC Guide to Audit Process (revised 2014)
Principal purpose: “to ascertain whether the audited organisation is operating in accordance with the Data Protection Acts and the ePrivacy Regulations 2011” and “to identify any risks or possible contraventions of applicable legislation”
Output: remedial actions, improvements and positive findings

18 2009 DPC Guide to Audit Process (revised 2014)
Audit format:
Notice period – usually 2 weeks, but may be less, particularly if the organisation is under investigation
The DPC may ask for documents in advance
Dawn raids – no advance notice

19 Investigative and Corrective Powers of the Supervisory Authority (GDPR Art 58)
Investigative powers (Art 58(1)): order the provision of information; carry out data protection audits; review certifications; obtain access to premises and data processing equipment
Corrective powers (Art 58(2)): order the withdrawal of certifications; order breach notifications to data subjects; impose a ban on processing; suspend cross-border data flows


21 Identification of Audit Targets
Audit target list
Mix of public and private entities
Mix of sectors
Desk-based audits

22 Identification of Audit Targets
Complaints
Organisations holding large volumes of data
Multinationals with European HQs in Ireland
Media reports
Another audit leads to the organisation
Regional balance

23 GDPR Audits: You Must Be Able to Demonstrate Compliance (Arts 5(2) and 24)
Emphasis on proactive methodologies
Evidence of a ‘culture of compliance’
Ongoing logging of data breaches (Art 33(5) requires every breach to be documented, whether or not it was notified)
Art 30 record of processing activities
Policies, procedures and protocols must be GDPR ready
Training log

24 Change in Emphasis from the DPC?
Administrative fining powers (Art 83)
A more prescriptive approach?
Art 60 co-operation procedure between the lead and concerned supervisory authorities; Arts 63–67 consistency mechanism

25 Priorities of the Irish Regulator

26 Irish Regulator: Reactive and Proactive Enforcement Priorities
Reactive priorities:
Complaints – the GDPR requires the SA to handle every complaint lodged with it (Art 57(1)(f)); Art 56 local cases. NB data subject rights account for around 50% of complaints; organisations must be responsive to them, or they will attract higher fines and lead the SA to their door.
Breach notifications – Art 33: notification to the SA unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. This gives the SA visibility of abuses and failures to protect personal data that it was previously unaware of, since no notification was required before.
Whistleblowing and media – the SA will respond to the risks and trends it identifies in handling every complaint lodged, and can target particular sectors and types of issue.

27 Irish Regulator: Proactive Priorities
Transparency
Audits

28 Transparency
Transparency is “key to empower data subjects”; the exercise of rights by data subjects flows from the knowledge made available through transparency
Legal basis – consent: is it “well informed”?
Privacy notices are far too opaque – Arts 13/14
Article 29 Working Party guidelines on transparency (WP260):
Provision of information related to fair processing to individuals
Communicating with individuals in relation to their rights under the GDPR
Facilitating the exercise by individuals of their rights
Modalities: layered notices; just-in-time notices; dashboards; physical and web-based notices

29 Audits

30 Current Audit Activity
Local authorities – DPC audit of surveillance activities
Privacy Accountability Information Sweep (Global Privacy Enforcement Network)

31 Thank you
Sara Bloomer
www.collearyandco.com
4 Upper Pembroke Street, Dublin 2

