The proposed draft Data Protection Regulation (the “Proposed Regulation”) introduces a new requirement for impact assessments to be conducted by data controllers under certain circumstances. Data protection impact assessments are a form of “self-check”. Some of the circumstances in which a data protection impact assessment is necessary are clear (eg, when processing biometric data), but other circumstances are vague (eg, when data processing operations “are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes”). As part of the data protection impact assessment the views of the individuals whose data are being processed need to be obtained. This will lead to significant compliance costs for affected businesses. The European Commission estimates that such data protection impact assessments can range in cost from €14,000 for a small-scale assessment (as defined in the European Commission Working Paper on Impact Assessments published in January 2012), to €34,500 for a medium-scale assessment, and then to €149,000 for a large-scale assessment. Recital 72 of the Proposed Regulation provides that multiple data controllers engaged in a common project may conduct a single impact assessment covering the entire project, which might reduce compliance costs.
On 5 October 2012, the Article 29 Data Protection Working Party (the “Working Party”) published an Opinion 08/2012 (the “Opinion”) providing further guidance on the Proposed Regulation. In its Opinion, the Working Party stated that general requirements on how to assess whether or not a processing operation presents specific risks (and therefore requires a data protection impact assessment) may be laid down in a delegated act (read our piece on 'Authority delegated to the Commission'). The Working Party added that further guidance may be issued by the European Data Protection Board (the body which is proposed to replace the Working Party under the Proposed Regulation), provided that any possible list of processing operations that would be identified as presenting specific risks will not be exhaustive.
In addition, Article 34 provides that businesses will be required to consult the relevant supervisory authority prior to the processing of personal data where a data protection impact assessment is required. Where the supervisory authority considers that the assessment insufficiently identifies or mitigates the risks, it can prohibit the intended processing. Where a data controller or processor is established in more than one EU Member State, the competent authority is that of the Member State in which the controller or processor has its main establishment (defined in the Proposed Regulation as the “central place of its administration in the Union”).
Article 34(2) also provides that a data processor may now under some circumstances consult the data protection authority on the data controller’s behalf with regard to clarification of certain questions.
Purpose of self-checks
Audits referred to as “self-checks” are frequently conducted in-house by data controllers and data processors themselves or with the help of independent third-party experts. Self-checks are carried out for the following purposes:
- To verify that an entity’s policies, codes of practice, guidelines and procedures meet the requirements of the Data Protection Acts (the “Acts”);
- To identify potential gaps and weaknesses in the entity's data protection regime;
- To increase the level of data protection awareness among management and staff; and
- To improve customer satisfaction by reducing the likelihood of errors which could lead to a complaint.
Method of audit
The most common types of self-checks are adequacy audits and compliance audits. Adequacy audits examine, at the level of documented policy and procedure, whether the entity’s data protection arrangements are adequate in the context of the Acts. Compliance audits go further and test how those procedures are actually applied in practice. The two are often combined, with an adequacy audit being followed by a compliance audit.
The audits will cover the following:
- An identification of the data processed by the entity and whether these are personal data;
- An examination of the methods used for the collection of personal data;
- An evaluation of whether data are adequate, relevant and not excessive for the purpose in relation to which they are sought;
- The compilation of a list of third-party disclosures (inside and outside Ireland); and
- An analysis of the storage processes for personal data.
First, the purposes for which the entity processes personal data must be examined. Then questions should be answered in relation to each individual purpose in order to assess compliance with the key data protection principles. Questionnaires will touch on a large number of topics in data protection law, such as the accuracy of the data, the length of time for which it is retained, and the third parties to whom it is disclosed.
Before the audit begins, two preliminary decisions should be made:
- Determine whether the audit will be conducted by an independent third-party expert or by the entity itself.
- Determine the scope of the audit and decide whether to audit the entity's operations as a whole or to limit the audit to a particular function (such as engineering or HR).
The Data Protection Commissioner (the “DPC”) has identified the following steps as being useful in the context of self-checks:
- The audited entity should identify the types of personal data it holds, listing all information repositories holding personal data and their location;
- The flow of personal data should be charted both within the entity and outside it, listing all third parties to which information is disclosed, and each disclosure should be assessed to ensure that it is legitimate;
- Access rights to personal data should be examined across the various different repositories identified in the audit;
- The audited entity should be broken down into functional units, and an assessment made of whether access rights are appropriate to the needs of each unit;
- The possibility of installing filters should be investigated, thereby creating tiered access to subsets of data;
- Logging and reporting functionality should be reviewed for all systems holding personal data;
- Other system controls should be examined, in particular those governing channels through which records can leave a system, for example the copying and pasting of records into word processing applications or emails, and connections to printers; and
- Regular reviews of access control and user provisioning policies should be conducted, especially where a user’s role and duties within the entity change.
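The inventory, data-flow and access-rights steps above are usually carried out by hand in spreadsheets, but the core checks can be mechanised. The following is an added example, not DPC guidance or code from the original page: it runs over a constructed inventory of repositories, functional units and access grants (all names, locations and data classes are assumed) and reports grants that exceed a unit’s needs, distinguishing cases where tiered access (a filter) would suffice from those where access should be revoked, flags access carried over from a user’s previous role, and lists repositories holding personal data that have no access logging.

```python
"""Access-rights review over a constructed personal-data inventory (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Repository:
    name: str
    location: str                  # where the repository physically lives
    data_classes: FrozenSet[str]   # categories of personal data held (empty = none)
    logging_enabled: bool          # is access logging/reporting in place?


@dataclass(frozen=True)
class User:
    name: str
    unit: str                      # current functional unit
    previous_unit: Optional[str] = None   # set when the user's role changed


# --- Constructed sample inventory (assumed, for illustration only) -----------
REPOSITORIES = [
    Repository("hr-db", "Dublin DC", frozenset({"contact", "payroll", "health"}), True),
    Repository("crm", "SaaS (EU region)", frozenset({"contact"}), True),
    Repository("build-server", "Dublin DC", frozenset(), False),        # no personal data
    Repository("legacy-share", "Cork office", frozenset({"contact", "payroll"}), False),
]

# Data classes each functional unit legitimately needs for its purposes.
UNIT_NEEDS: Dict[str, FrozenSet[str]] = {
    "HR": frozenset({"contact", "payroll"}),   # HR does not need health data by default
    "Sales": frozenset({"contact"}),
    "Engineering": frozenset(),
}

USERS = [
    User("alice", "HR"),
    User("bob", "Sales"),
    User("carol", "Engineering", previous_unit="HR"),   # moved out of HR
    User("dave", "Engineering"),
]

# user -> repositories the user can currently read
GRANTS: Dict[str, Set[str]] = {
    "alice": {"hr-db"},
    "bob": {"crm", "legacy-share"},
    "carol": {"hr-db", "build-server"},
    "dave": {"build-server"},
}


def inventory_personal_data(repos: List[Repository]) -> List[Tuple[str, str, List[str]]]:
    """Step 1: list every repository holding personal data, with its location."""
    return [(r.name, r.location, sorted(r.data_classes)) for r in repos if r.data_classes]


def find_unlogged_repositories(repos: List[Repository]) -> List[str]:
    """Logging review: repositories with personal data but no access logging."""
    return [r.name for r in repos if r.data_classes and not r.logging_enabled]


def review_access(repos: List[Repository], users: List[User],
                  grants: Dict[str, Set[str]],
                  unit_needs: Dict[str, FrozenSet[str]]) -> List[Tuple[str, str, str, str, List[str]]]:
    """Compare each grant with the needs of the user's unit.

    Returns findings as (user, repository, action, reason, excess_classes) where
    action is "filter" (tiered access to the permitted subset would suffice) or
    "revoke" (the unit needs nothing the repository holds).
    """
    repo_by_name = {r.name: r for r in repos}
    user_by_name = {u.name: u for u in users}
    findings = []
    for user_name, repo_names in grants.items():
        user = user_by_name[user_name]
        allowed = unit_needs[user.unit]
        for repo_name in sorted(repo_names):
            repo = repo_by_name[repo_name]
            if not repo.data_classes:
                continue                      # no personal data: out of scope
            excess = repo.data_classes - allowed
            if not excess:
                continue                      # grant is within the unit's needs
            permitted = repo.data_classes & allowed
            prev_needs = unit_needs.get(user.previous_unit or "", frozenset())
            if repo.data_classes & prev_needs:
                reason = f"stale access carried over from {user.previous_unit}"
            else:
                reason = "exceeds needs of unit " + user.unit
            action = "filter" if permitted else "revoke"
            findings.append((user_name, repo_name, action, reason, sorted(excess)))
    return findings


if __name__ == "__main__":
    for entry in inventory_personal_data(REPOSITORIES):
        print("repository:", entry)
    print("unlogged:", find_unlogged_repositories(REPOSITORIES))
    for f in review_access(REPOSITORIES, USERS, GRANTS, UNIT_NEEDS):
        print("finding:", f)
```

On the constructed data this reports that alice’s access to hr-db should be filtered to exclude health data, bob’s access to legacy-share should be filtered to contact data only, and carol’s hr-db access should be revoked as stale from her previous HR role; legacy-share is flagged as holding personal data without logging. The same structure works on a real inventory exported from a directory service and a data-classification register, provided the unit-to-data-class mapping is agreed with each business unit first.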
Once the audit has been completed, the following issues should be considered:
- Procedures should be reviewed periodically to ensure that any compliance issues have been resolved;
- Guidelines should be circulated to all employees within the entity, highlighting compliance issues and providing practical guidance on how to resolve the relevant issue; and
- Formal data protection training should form part of the induction of all new employees.