The Data Protection Commissioner (DPC) has published a new Data Protection Audit Resource for organisations to increase data protection awareness and compliance. It is designed to help organisations selected for audit by the Office of the Data Protection Commissioner (ODPC). It will assist organisations to conduct a self-assessment of their compliance with their obligations under the Data Protection Acts 1988 & 2003 (the Acts).
The ODPC has been conducting compliance audits since 2003, to ascertain whether a particular organisation is operating in compliance with the Acts, and to review how effective an organisation is in adhering to policies concerning the handling of personal data. The ODPC can carry out scheduled audits or 'on the spot' unannounced inspections.
The ODPC may seek immediate remedial action such as rectification, blocking or deletion of data. It may issue public statements and warnings or publish the principal findings of an audit in the annual report of the DPC. This "naming and shaming" sanction is a well-recognised incentive for any organisation to ensure its compliance with the Acts. The DPC may also utilise his legal enforcement powers to bring about a change in an organisation's data protection practices.
The Audit Resource contains information on the audit method used by the ODPC during the actual inspection, sample audit questions, and a self-help checklist on data protection policy to help organisations identify areas which need improvement. All organisations handling personal data would be well-advised to read the Audit Resource.
The Audit Resource is available to view or download from the Data Protection Commissioner's website at: www.dataprivacy.ie.