Tuesday, 28 June 2011

Why And How To Conduct A Data Protection Audit


A Data Protection Audit should be part of all businesses general compliance procedures. It helps to ascertain and if required ensure compliance with the Data Protection Act 1998; it provides a valid source of information for improvements; it helps to ensure that management and staff know their responsibilities and comply with them in their everyday tasks; and it helps to improve customer satisfaction and minimise the likelihood of complaints.

How to do it?

First of all, the business should decide who will carry out the audit and document in writing both the audit procedure and the outcome of the audit.

Secondly, the business should decide which parts or divisions of the business as a whole are to be audited and identify those key areas of the organisation that are likely to be particularly involved in the processing of personal data, such as human resources (including payroll, employee benefits and so on), IT (to determine the security and contingency measures in place), marketing, and customer sales and support.

Next, the business should select the auditor, who may be external or internal to the business. In any case, the business should:

• Ensure that the person carrying out the audit is independent of the function or department that is audited. The organisation can choose either an external or internal auditor.

• Check that the chosen auditor has been trained to a sufficient level of competence in the skills and know-how required for both conducting and managing audits. This should include: knowledge and understanding of data-protection issues in general, and of the DPA and other legislative requirements in particular; familiarity with assessment techniques (examining, questioning, evaluating and reporting); and management skills (planning, organising, communicating and directing).

• Look for auditors who have demonstrable experience in data protection-related activities.

The audit could be conducted using one of two alternative techniques:

• Personal interview: This involves one auditor, or several, conducting interviews with representatives from each of the departments selected for audit.

• Customised questionnaire: This involves the development of a customised questionnaire, in which the majority of questions can be answered by ticking boxes.

Once the audit information has been consolidated, problem areas for each of the departments will become apparent. Draft department-specific compliance profiles which outline practical ways of correcting non-compliant procedures, and distribute these to the relevant departments for implementation. Compliance profiles should identify:

• The agreed corrective action to be taken in each case.

• The person responsible for ensuring that corrective action is taken.

• The date by which the corrective action must be completed.

How to deal with post-audit issues

If the audit discovers any instances of non-compliance, then you should:

• Prepare guidelines and circulate them to all employees within the organisation, highlighting compliance issues and providing practical guidance on how to resolve the relevant issue (for example, making it clear that data should only be retained for six months, after which databases should be cleansed). Anassutzi and Co can help you in any step of this process.

• Ensure that employees involved in the collection or processing of personal data attend regular training courses to make sure that the organisation's privacy practices keep pace with data protection and privacy laws as they develop. The Information Commissioner's Office (ICO) has published a Good Practice Note in the form of a staff training checklist for small and medium-sized enterprises. The note outlines some of the key practical implications of the Data Protection Act 1998, and is intended to be used as a basic training framework for general office staff in such organisations. It addresses, among other things, ways of keeping personal information secure, and how to handle requests from individuals for their personal information. The note also emphasises that staff who have duties relating to marketing, computer security and database management may need additional training.

• Review the procedures regularly to ensure that the compliance issues have been resolved.

This article is for general purposes and guidance only and does not constitute legal or professional advice. Copyright 2010 © Anassutzi & Co Limited. All rights reserved. Information may be shared or reproduced only if accompanied by the author's name and bio.

Dr Maria Anassutzi, Intellectual Property Expert, founded Anassutzi & Co Limited, which offers high-quality specialist intellectual property, information technology and commercial contracts advice tailored to each client's business.

Maria is a seasoned multi-jurisdictional lawyer with vast experience in general corporate and commercial law, specialising in intellectual property, information technology, e-commerce and outsourcing. She has extensive in-house legal experience and has worked in City law firms and multinational companies.
