In June 2018, the UK Information Commissioner’s Office issued new guidance around the process they use to conduct a data protection audit, and the steps required to be reviewed. This guidance was part of the Regulatory Action Policy.
Opinion Piece by Paul Gillingwater, MBA, CISM, CISSP
What’s involved in such an audit
According to ICO guidelines, the following areas can be expected as topics when the ICO conducts an on-site data protection audit, which will normally take three days and be completed within a month.
The ICO doesn’t only handle data protection issues, however, as audits may also encompass Privacy and Electronic Communications Regulation (PECR 2003), the Freedom of Information Act (FOIA 2000) and other regulations.
The laws which the ICO is responsible for enforcing include:
- Data Protection Act 2018 (DPA)
- General Data Protection Regulation (GDPR)
- Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)
- Freedom of Information Act 2000 (FOIA)
- Environmental Information Regulations 2004 (EIR)
- Environmental Protection Public Sector Information Regulations 2009
- Investigatory Powers Act 2016
- Re-use of Public Sector Information Regulations 2015
- Enterprise Act 2002
- Security of Network and Information Systems Directive (NIS Directive)
- Electronic Identification, Authentication and Trust Services Regulation (e-IDAS)
Scope of an ICO Data Protection Audit
The following is based on information from the ICO and provides guidance on the areas that a data protection audit will cover.
Data Protection Governance
The extent to which data protection responsibility, policies and procedures, performance measurement controls, and reporting mechanisms to monitor DPA compliance are in place and in operation throughout the organisation.
Without a robust governance process for evaluating the effectiveness of data protection policies and procedures, there is a risk that personal data may not be processed in compliance with the Data Protection Act 2018, resulting in regulatory action and/or reputational damage.
Training and Awareness
The provision and monitoring of staff data protection training and the awareness of data protection requirements relating to their roles and responsibilities.
Proper training is essential to maintaining strong privacy controls. Lapses in basic training, such as the correct use of BCC in email, have led to substantial fines for a wide variety of organisations. Records of training should be maintained to show who has been trained and when, and how often the training was refreshed or updated.
Records Management (manual and electronic)
The processes in place for managing both manual and electronic records containing personal data. This will include controls in place to monitor the creation, maintenance, storage, movement, retention and destruction of personal data records.
An organisation cannot appropriately manage its risks if it doesn’t know what data it holds and how that data is managed. Defined retention periods and the disposal of data at the end of them are also mandatory.
Security of Personal Data
The technical and organisational measures in place to ensure that there is adequate security over personal data held in manual or electronic form.
Such measures are essential. Most data breaches are the result of attacks that exploit vulnerabilities which should have been identified and remediated beforehand.
Subject Access Requests
The procedures in operation for recognising and responding to individuals’ requests for access to their personal data.
Not being able to fulfil a Subject Access Request in a timely manner presents the risk that the individual may complain to the supervisory authority, thus triggering an investigation and possible enforcement action.
Data Sharing
The design and operation of controls to ensure that the sharing of personal data complies with the principles of the Data Protection Act 2018 and the good practice recommendations set out in the Information Commissioner’s Data Sharing Code of Practice.
Ensuring that such data sharing decisions are legal, appropriate, balanced and proportionate will reduce the risk of violating the GDPR and the DPA.
Privacy Impact Assessments
An effective PIA will be used throughout the development and implementation of a project, using existing project management processes. A PIA enables an organisation to systematically and thoroughly analyse how a particular project or system will affect the privacy of the individuals involved.
Where a processing activity has potentially high risks, carrying out a PIA is essential to demonstrate that appropriate mitigating controls have been identified to manage the risks.
Freedom of Information (Public authorities only)
The processes in place to respond to any requests for information and the extent to which FOIA/EIR responsibility, policies and procedures, training, performance controls, and compliance reporting mechanisms are in place and in operation throughout the organisation.
Although not directly a data protection risk, FOIA violations can lead to sanctions from the ICO under FOIA.
Data Breach Management
The processes and procedures associated with the detection, classification and reporting of data breaches, including the notification of data subjects where appropriate.
Breaches are a clear sign that technical and organisational measures are inadequate, or that training is deficient. A poorly managed breach may lead to enforcement action.
Legitimate Interests Assessments
Where Legitimate Interests have been used for processing activities, a documented Legitimate Interests Assessment (LIA) should be available for inspection.
Evidence that the LIA was conducted will help to prevent enforcement action in case of customer complaints – but only if the LIA truly shows that the balancing test and necessity were clearly considered.
Strategies
What documented strategies have been followed in managing data protection within the enterprise?
Without a data protection strategy, organisations will have a hard time knowing how to prioritise their resources, and may fail to cover the most important areas of risk.
Policies
Review all of the required policies, including an overall data protection policy (covering all confidential data, not just personal data), data privacy policies (internal and external) and privacy notices.
The absence of policies and processes is evidence of a complete lack of a compliance culture, and is likely to attract a high level of penalties.
Procedures
A general review of documented procedures, such as security incident handling, escalation, SAR processing, breach notification, etc.
Incorrect or poorly documented procedures can lead to inconsistent responses to security incidents. This, in turn, is evidence of poor security management.
Protocols (Data sharing agreements)
Data sharing agreements – sometimes known as ‘data sharing protocols’ – set out a common set of rules to be adopted by the various organisations involved in a data sharing operation.
These could well form part of a contract between organisations. It is good practice to have a data sharing agreement in place, and to review it regularly, particularly where information is to be shared on a large scale, or on a regular basis.
Best practice means ensuring the appropriate data sharing agreements are in place.
Guidance
Records of guidance received from a variety of sources, including legal advisors, which explain and clarify details regarding certain activities under data protection. The ICO may be one source of such guidance, while the EDPB may be another that can be relied upon.
Any enterprise should rely on appropriate sources of guidance, as the interpretation of the law continues to change through legal precedents and judicial decisions.
Codes of Practice
The GDPR encourages industry groups to draft and approve Codes of Practice for their industry. Where such Codes have been drafted and approved by a suitable Data Protection Authority, they may be relied upon as guidance for processing activities.
A good Code of Practice can strengthen privacy, and carve out special exceptions from the general rules, taking into account the needs of a business.
Frameworks
A variety of privacy, information security and governance frameworks are available. This assessment will identify whether an appropriate framework is being used, and will determine its effectiveness.
Use of a framework reduces the risk that some areas are missed.
Memoranda of Understanding
These are typically used in relationships between public authorities. They regulate responsibilities and clarify roles in much the same way that Data Processing Agreements are used by businesses.
For example, an MoU can be used to formalise information and intelligence sharing between different statutory bodies, including those outside the U.K.
Verbal agreements may be imprecise. Having written MoUs ensures that the different parties are aware of their responsibilities.
Contracts
This may include Data Processing Agreements, as well as other third-party contracts, employment contracts, supplier contracts and customer Terms and Conditions, all of which may need revision to include privacy elements and accountability. Note that contracts may not be used to limit statutory liability.
Legal liability may be limited by appropriate contracts.
Privacy Statements (also known as Privacy Notices)
As per contracts above. These are essential for communicating with individuals, to clearly and unambiguously explain their rights and how to exercise them.
To summarise, Chaucer can help you to ensure your business is ready for such an audit by conducting a pre-audit in the first instance.
Any weaknesses in controls or missing documentation can be identified and the gaps documented, to guide a remediation programme that brings compliance up to the required standard and provides you with assurance of readiness.