Does your firm process personal data? Are you confident that you are fully compliant with data protection law?
The Data Protection Commissioner has the power to conduct scheduled audits on any data controller or data processor operating in Ireland to assess and ensure compliance with data protection law. He can also carry out ‘on the spot’ or unscheduled inspections and formal investigations in response to specific complaints. Audits can be targeted to focus on a particular issue or can be more general in nature.
A broad range of organisations are selected for audit each year and those audited are listed in the Data Protection Commissioner’s annual reports. If your firm handles personal data you could be selected for audit.
To identify deficiencies in your current compliance position, audit your data protection policies, procedures, systems, records and controls against your regulatory obligations. A good place to start is with a High Level Fact Find addressing all areas of exposure to data protection risk, for example:
- Collection and processing of personal data;
- Identification of data processors and associated contracts;
- Third party disclosures;
- Registration with the Data Protection Commissioner;
- Data protection policy;
- Staffing and reporting structures;
- Staff awareness and training;
- Planning and implementation of data protection standards;
- System audits and reviews;
- Job descriptions and staff contracts;
- Key business processes.
Depending on your resources you might then limit your review to checklists for compliance with each of the 8 Data Protection Principles, risk charts, detailed examinations of one or more specific areas in which personal data is handled by your firm, or a combination of these options. In addition to a focus on the 8 Principles, it is important to look at issues surrounding the transfer of personal data by your firm outside of the EEA.
The results of an audit can benefit your firm in a number of ways, including the following:
- It will identify system weaknesses and areas where corrective action is needed in advance of any audit by the Data Protection Commissioner;
- It will reduce potential risks faced by your firm, for example, the inappropriate use of personal data, data theft or loss, unlawful disclosure of personal data or unauthorised employee access;
- It will identify the level of awareness of data protection obligations throughout the firm and will inform training needs;
- It will give you documented, evidence-based assurance of your compliance position and will inform your ongoing compliance monitoring programme;
- If you are required to register with the Data Protection Commissioner, the results will assist you in preparing an application for registration or renewal of registration;
- If you are a credit institution or insurance undertaking, the results will be important in the context of the Compliance Statement to be signed on an annual basis by the firm's directors under the Corporate Governance Code for Credit Institutions and Insurance Undertakings 2010.
The Data Protection Audit Resource published by the Data Protection Commissioner’s Office in January 2009 is a useful guide to planning and conducting data protection audits.
You can also contact us at Compliance Ireland for assistance in carrying out your data protection audit.