Tomorrow is International Data Protection Day and it is worth noting that the Office of the Data Protection Commissioner (the “DPC”) has the power to audit companies for compliance with the Data Protection Act. Audits can occur at any time, even if you have done nothing wrong. An audit can be triggered by a complaint received by the DPC or because the DPC believes that an audit is warranted, for whatever reason.
Kate Colleary, Head of the Data Protection Group at Eversheds Solicitors, sets out some tips to help companies prepare for the day of reckoning.
When a DPC audit occurs, it is usually a scheduled event, preceded by a letter setting out any specific issues which the DPC would like to address. “However, the DPC’s team sometimes carries out unannounced audits by presenting themselves at a premises and asking for access to databases, servers and other personal data storage systems,” Colleary says. “The DPC’s team will usually have a checklist of areas that they will want to address. This may include a direct inspection of personal data storage systems, an examination of privacy policies, breach files, and/or interviews with employees. The DPC may check a random sample of documents or processes in each area of concern. If the team is satisfied with the responses received, they may move on to another area of concern. If not, the team is likely to keep investigating the details until they reach a conclusion.”
“My main recommendation for companies is to prepare well in advance for an audit” says Colleary. “Last October we heard that while current spending on the DPC stands at approximately €1.7 million annually, there is an expectation that this could be increased by about two-thirds or more. An office is also being opened in Dublin, to support the body’s headquarters in Portarlington, Co Laois. This further resourcing of the DPC is likely to result in more audit activity in 2015. We have set out some tips to help companies prepare for this.”
5 tips to prepare for a data protection audit.
1 – Know your data protection policies and processes
Keep a file of all your data protection policies – for your own staff and for customers. Industry associations and other groups may offer sample policies and procedures which you can adapt for your company. Make sure that you also have a data retention policy and that staff are trained in your policies. The DPC will want to see a level of awareness of data protection among the company employees.
2 – Practice makes Perfect
Carry out an annual “practice run”. Check your data protection policies and processes file – is it up to date? Are you still processing personal data in accordance with the policies? Are there new areas of business that involve processing personal data and are not covered? “We recommend that our clients perform an annual data protection compliance audit. We often carry out the first audit for a client and give them a checklist which they can follow in future, as well as a list of deficiencies to be remedied. It’s much better that we, as the client’s lawyers, discover any potential issues and rectify them rather than the issues being identified for the first time by the DPC,” says Colleary.
3 – Security is key
During your annual “practice run” audit, check that your security system is robust. Does the security system meet 2015’s standards, or has it not been reviewed since installation in the 1990s? As a Data Controller, you must prevent unauthorised access to personal data held by you and by data processors who work for you. Consider technologies like encryption and physical safeguards, such as locked storage within the company. During a data compliance audit, the DPC will want to verify that the appropriate security requirements are in place and working properly.
4 – Sensitivity
Know your data. If you process personal data – be very clear as to what data you process, why, and on what basis. This is particularly important if you process “sensitive personal data” such as health data, details of criminal convictions, trade union membership details etc. There are more stringent security and processing requirements for sensitive data, and it is essential that these are followed.
5 – Breaches
If the DPC is carrying out an audit because of a breach where personal data has been compromised, she is likely to want to investigate immediately. If this happens, make sure that you have a list of your “A-Team” who you can call on to assist. “This should include directors/key decision makers in the organisation, your lawyers, compliance officer(s) and PR people. If a breach has occurred, things move very quickly” says Colleary. “It is important that the right people are involved in the process from the start of the investigation to limit the damage as much as possible.”