At any point in time, your organisation may find itself subject to an audit by the Data Protection Commission ("DPC") for compliance with the GDPR and the Data Protection Acts 1988-2018.
An ‘authorised officer’ of the DPC can conduct audits on notice to the data controller or processor, and audits do not have to be carried out on foot of a complaint received by the DPC. Such audits may be targeted at a sector or industry.
In order to help your organisation prepare for such an audit, should one arise, outlined below are 5 practical steps you can undertake:
1. Ensure your data protection policies and procedures are GDPR compliant and relevant
The implementation of data protection policies for your staff and customers is one of the most effective ways of demonstrating GDPR compliance. This includes policies on data subjects’ rights, privacy policies, your employee handbook and a data retention policy. Data protection compliance is not a one-size fits all approach and it is important to ensure that your policies are relevant to your organisation’s data processing activities and organisational structure.
2. Training and awareness
During an audit the DPC will inspect whether your policies are being adhered to in practice. It is important to ensure that all staff are trained on their data protection obligations and on the organisation’s policies. The DPC will take into consideration the level of awareness of data protection among employees. You should be able to demonstrate that an appropriate level of training has been provided by maintaining records such as sign in sheets, records of online assessments and relevant literature distributed to your staff.
3. Know your data
Ensure that you have an up to date data processing log (Article 30 GDPR) which documents the range of ways in which your organisation processes personal data. If you process personal data be very clear as to what data you process, why, and on what basis. This exercise will also assist in identifying data processing relationships that require a data processing or data sharing agreement.
4. Be ready
An effective data protection compliance regime will include mock audits. This would include reviewing your policies to ensure they are up to date, ensuring your organisation is capable of dealing with a breach within the 72 hour time period and inspections of the workplace for data security issues such as open files on desks, passwords displayed on post-it notes or staff leaving their desks without locking their screens. You will also need to demonstrate that you have a good reporting system in place so that the organisation is aware that it must report issues to the DPO or the person responsible for Data Protection within the organisation.
5. How secure is your data?
During your mock audit, check that your security system is robust. The organisation, as a Data Controller, must prevent unauthorised access to personal data held by it and by data processors who work for it. Consider technologies like encryption and the anonymization of personal data. If you store data in the cloud, check that you have the appropriate protections in place with your cloud service provider and what your remedies are if the data is compromised in any way. During a data compliance audit, the DPC will want to verify that the appropriate security requirements are in place.