For many organisations compliance with applicable data protection law and safeguarding against data security breaches are increasingly significant business priorities which have been pushed towards the top of their compliance and risk management agenda. In addition, the Data Protection Commissioner (the “DPC”) is continuing to increase the number of audits conducted by her Office on organisations to determine their level of compliance with the Data Protection Acts 1988 and 2003 (the “DPA”).
As a result, there is a growing trend towards organisations conducting internal data protection audits to assess their compliance with the DPA. The purpose of such an audit is to detect any irregularities or issues regarding how the organisation handles personal data and to identify measures that may be taken to remedy these issues and improve the organisation’s compliance with the DPA and best practice.
Data protection audits may be conducted by the organisation itself using its own staff (e.g. legal or compliance personnel), or the organisation may engage external advisors with appropriate expertise to conduct the audit on its behalf. In either case, the audit should include a comprehensive assessment of the different ways in which personal data is collected, used, disclosed, stored, secured and destroyed by the organisation, identify the data protection issues within the organisation and detail the options available to the organisation to remedy these issues.
The areas that will generally be covered in a written report of a data protection audit and, where appropriate, referenced in recommendations to remedy any identified instances of non-compliance with applicable data protection law or best practice include the following:
- Collection and use of personal data – the audit report will consider the extent to which data subjects are made aware of the collection and processing of their personal data by the organisation in accordance with the DPA e.g. via data protection notices and statements.
- Security of personal data – the security policies and procedures of the organisation will be considered in light of the obligation under the DPA to implement security measures that are appropriate to the nature of the personal data held by the organisation and the harm that might result from unauthorised processing, disclosure, loss or damage to such data.
- Retention of personal data – the audit report will consider the organisation’s record retention and destruction policies and practices in connection with the obligation not to retain personal data for longer than is reasonably necessary for the purpose(s) for which it was obtained.
- Marketing – the audit report will consider whether any direct marketing activities undertaken by the organisation are compliant with the marketing rules under the DPA and the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (the ‘ePrivacy Regulations’).
- Data Processors – the audit report will assess the extent to which any third parties (e.g. service providers) process personal data on behalf of the organisation as data processors and the steps taken by the organisation to oversee and procure such data processors’ compliance with data protection obligations.
- Registration – the extent to which the organisation is registered with the DPC will be considered and any steps required to remedy non-compliance with the registration requirements will be identified.
- Transfers Abroad – any transfers of personal data outside of the EEA by the organisation or its data processors and the steps taken to ensure compliance with the obligations regarding such transfers will be assessed.