New national Privacy Law in Qatar - countdown to compliance
With the new national Privacy Law (13 of 2016 Concerning Privacy and Protection of Personal Data) to be gazetted any day now in Qatar, a new era of compliance concerns has been ushered in. Once the Law is published in the Official Gazette, a six-month compliance grace period will begin in order to allow entities doing business in Qatar to revisit internal procedures and ensure that their data processing operations are in line with the new legal requirements the Law will present.
Many clients are already actively taking such steps towards compliance, or have at least begun to assess their current data processing activities to identify where such steps will need to be taken. The most efficient and comprehensive way to achieve this is by way of a data protection audit - which is also, in fact, now a legal requirement pursuant to the Law.
Data protection audits – not just best practice anymore
Article (11) of the Law sets out a list of actions that all data controllers are required to take in order to ensure compliance. Included amongst these is a requirement to conduct a "comprehensive audit and review about the extent of compliance" to ensure that a company's business policies and procedures are aligned with the new obligations of the Law. The Law does not, however, provide any further guidance as to how such an audit is to be conducted. Helpfully, however, we have already been very active in providing data protection audits to clients in many countries around the world and are increasingly receiving such support requests to assist our Qatar-based clients in complying with this new legal obligation.
What does a data protection audit involve?
In short, the point of a data protection audit is to conduct a comprehensive review and assessment of the types of personal data that a company uses in its day-to-day operations and the manner in which such data is used. A kick-off interview is conducted with the key point of contact for the company where such data sets are identified, along with each relevant department that is responsible for the use of the data. Typically, depending on the nature of the company, this would include Human Resources, Customer Service, Information Technology, Finance and Marketing. A key point of contact for each such department is identified (typically the department manager) and is interviewed by the auditor. The auditor determines exactly what kinds of personal data the department is using, the security standards in place to protect it from unauthorised access, the purposes for which the data is being used, the duration for which the data is retained and any other relevant controls or procedures that are in place (or yet to be implemented) in connection with the data.
On the basis of the findings from the interviews, the auditor then prepares a report and "heat map" which identifies areas where the company is compliant with legal obligations on data management, but also identifies any potential risks and/or areas of weakness where improved compliance steps should be taken – and suggests exactly what form those steps should take. The duration of the process will vary depending on the size of the company and scope of the data it is using, but can typically be completed over the course of two weeks.
What are the benefits of a data protection audit?
Aside from identifying any potential compliance gaps in company operations and making corresponding recommendations on how to resolve them, the data protection audit can also act as a very valuable shield to a company if it ever becomes subject to a complaint or investigation by relevant data protection authorities.
Indeed, the very fact that the company has taken the initiative to conduct an audit demonstrates that the company takes its data management obligations seriously. And this can act as a powerful potential line of defence in the context of a complaint - for example, if the company has suffered an inadvertent data breach (which is unfortunately becoming all too commonplace in the increasingly digital world in which companies are operating).
Who can conduct a data protection audit?
Whilst it is indeed possible to conduct a data protection audit internally, it is not advisable from a best practice standpoint. This is because the results may not be as objective as if it had been conducted by an independent third party auditor/legal adviser. In addition, and for this reason, the potential wider value proposition that the audit would have in the context of a future complaint or investigation would also be compromised if conducted internally.