
For more information visit www.espiongroup.com

Surviving an Office of the Data Protection Commissioner (ODPC) Audit

Alexander Hotel

March 18th 2015

@IsacaIreland ISACA Ireland Chapter [email protected]


Surviving an Office of the Data Protection Commissioner (ODPC) Audit

Gavin D’Alton

Consultancy Team Lead

Espion


Agenda

1. Speaker Introduction

2. Data Protection Acts 1988 and 2003

3. Implementing a Data Protection Framework

4. What to do if your organisation is subject to audit by the ODPC

5. Notification of Intent to Audit

6. Preparation

7. How the Audit Process Works

8. The Day of the Audit

9. The Audit Report

10. The New Law (time permitting)

11. What can / should businesses do now?


About me

ie.linkedin.com/pub/dir/Gavin/D'Alton


Introduction

• Going into a new organisation and setting up a new function can be quite daunting.

• However, armed with the right tools and knowledge it is very possible to establish a smooth-running function which will enhance DP awareness across the organisation.

• And help things run smoothly in the event a certain letter arrives…

(Hopefully, a practical approach)


Data Protection Acts 1988 & 2003

• Data Protection is about the management of the processing of personal data and the creation of a framework for the lawful processing and protection of personal data.

• The Irish Data Protection Acts 1988 and 2003 give effect to the European Data Protection Directive 95/46/EC.

• The legislation provides a balance between individual rights and organisational necessity by providing a framework within which to process data fairly and lawfully.


Data Protection Acts 1988 & 2003

The 8 requirements:

1) Obtain and process the information fairly.

2) Keep it only for one or more specified and lawful purposes.

3) Process it only in ways compatible with the purposes for which it was given to you initially.

4) Keep it safe and secure.

5) Keep it accurate and up-to-date.

6) Ensure that it is adequate, relevant and not excessive.

7) Retain it no longer than is necessary for the specified purpose or purposes.

8) Give a copy of his/her personal data to any individual, on request.


Steps to implementing a Data Protection Framework

i. Get buy-in

ii. Define Roles

iii. Policies and Procedures

iv. Training

v. Personal Data Inventory

vi. Managing Data Processors

vii. DP Self-Audit

viii. Action Plan and Remedial Work


Implementing a Data Protection Framework

1) Get buy-in:

• Arrange a meeting with senior management.

• Deliver a presentation around the DP responsibilities of the organisation and areas which will be in scope for a DP framework.

• These will be:

i. Policies and Procedures

ii. Training

iii. Personal Data Inventory

iv. Managing Data Processors

v. DP Self-Audit.


Implementing a Data Protection Framework

1) Get buy-in: Easier said than done!


Implementing a Data Protection Framework

2) Define Roles:

• Who has overall responsibility for the project?

• Who is on the project team and what will their individual roles be?

• Set up a DP Committee which will meet regularly to discuss the progress of the plan.


Implementing a Data Protection Framework

3) Policies and Procedures:

• If policies and procedures do not exist, you may need to create these from scratch.

• Your organisation may already have policies and procedures in place; if so, these will need to be reviewed in line with current DP regulation to ensure that they are fit for purpose.


Implementing a Data Protection Framework

3) Policies and Procedures:

• Why? And what needs to be included?

– Look at the 8 rules of DP and assess each one against the activities of your organisation.

– Policies set the course of DP in the organisation for the foreseeable future.

– Policies clearly define the organisation’s DP responsibilities and what is needed to implement them.

• Third Party Processors!

Source: http://www.dataprotection.ie/docimages/documents/GuidetoAuditProcessAug2014.pdf


Implementing a Data Protection Framework

4) Training:

• All staff who handle personal data in an organisation must receive data protection training appropriate to their level of responsibilities.

• Staff processing sensitive personal data will require tailored training.

• Staff should receive training at induction stage and before accessing personal data and should also receive annual refresher training.

• Maintain a Training Log.

• Third Party Processors!


Implementing a Data Protection Framework

5) Personal Data Inventory:

• Create an architecture map of systems within the organisation which hold personal data.

• Map out personal customer data on a Register, e.g.:

– Customer Data Details

– Data Volumes

– Name of the system in which it is held

– Business/Technical Owner

– Purpose for processing the Data

– Details of 3rd parties to whom the data may be transferred (include security measures such as encryption)

– How long is data retained for

• Repeat process annually as part of an internal data protection audit process.


Implementing a Data Protection Framework

6) Managing Data Processors:

• Must be a written contract in place!

• The contract must contain a DP clause setting out the Data Controller’s instructions around processing, retention and destruction.

• The contract must have a start and end date.

• The contract must give the Data Controller the ‘Right to Audit’.

• The controller must set out technical security measures to be applied to the data, e.g. that the processor must obtain ISO 27001 etc.

Interesting case study: https://dataprotection.ie/docs/CASE-STUDIES-2013/1441.htm#CS14


Implementing a Data Protection Framework

7) Data protection self audit:

• The ODPC publish their “Guide to Audit Process” on their website, which includes sample audit questions and a self-help checklist:

http://www.dataprotection.ie/docimages/documents/GuidetoAuditProcessAug2014.pdf

• The sample questions are based on the 8 rules of DP.

• Extremely useful in measuring your organisation’s compliance levels and any gaps that may exist.

• Top tip:

– Have staff from different departments complete the sample questions

– Then hold group workshops in order to analyse the answers

– Gain a deeper understanding of the state of DP compliance in the organisation!


Implementing a Data Protection Framework

8) Action Plan and Remedial Work

• Usually at this stage it is a good idea to produce a high-level findings report.

• The findings should be risk-rated with an action plan to remediate the findings.

• The report should be discussed with Senior Management and a prioritised plan should be put in place.

• It may be a good idea to put in place an ‘Information Governance Council’ comprised of an Information Working Group, Information Leads, Data Business Owners and Data Stewards.


So your organisation receives THAT letter…

i. Legal basis for audit

ii. Selection of audit targets

iii. Types of audits

iv. In practice: What is an ODPC audit?

v. Notification of intent


ODPC audits

1) Legal Basis for Audit:

• Section 10(1A) of the Data Protection Acts 1988 & 2003 states that:

– (1A) The Commissioner may carry out or cause to be carried out such investigations as he or she considers appropriate in order to ensure compliance with the provisions of this Act and the Electronic Communications Networks and Services Regulations of 2003 and to identify any contravention thereof.

• Section 24(2) delegates specific powers and rights of access to authorised officers of the Data Protection Commissioner.


ODPC audits

2) Selection of ODPC targets.

• An audit target list is maintained.

• The intention of the ODPC is to audit a broad mix between the public, private and voluntary sector representative of all entities holding personal data.

• Entities are selected for a wide range of reasons:

– Complaints

– An acknowledged holder of substantial repositories of personal data.

– A multi-national organisation who has established its European headquarters in Ireland.

– Research involving human data subjects

– Media reports featuring specific allegations

– A policy area which requires further clarification may lead to an organisation being selected for audit

– Products which rely upon a large amount of personal data

– Etc.


ODPC audits

3) Types of ODPC audits

• 2 types of audits:

– Scheduled audits

– “On the spot” audits


ODPC audits

4) In practice: What is an ODPC audit?

• Audits of the kind carried out by the Office of the Data Protection Commissioner in Ireland are compliance based.

• A compliance audit typically examines an organisation’s procedures, policies, systems and records.

• Objective:

– To assess whether the organisation is generally in compliance with data protection legislation requirements.

– An audit will also include an assessment of the organisation’s level of awareness regarding data protection requirements based on existing policies and practices within that organisation.

Source: http://www.dataprotection.ie/docimages/documents/GuidetoAuditProcessAug2014.pdf


ODPC audits

5) Notification of intent to audit.

• The ODPC will give approximately one month’s notice of the audit with an “Intention to Audit” letter.

• This letter may explain briefly why the organisation is going to be audited, such as:

– Part of a schedule of audits into the activities of a particular industry.

– Your organisation has had a number of personal data breaches which have been reported to the ODPC.

• Details what areas the inspection will focus on.

– Any area within an organisation where personal data is held and processed; those areas will be audited in line with the 8 rules of data protection.

• It may also detail more specific areas which the audit will focus on, e.g. marketing, customer database etc.


ODPC audits

Notification of intent to audit (continued…)

• The letter will also ask that relevant managers and staff be available for the duration of the audit.

• It is vital to notify staff in advance to drop everything for the proposed dates.

• The letter will likely also ask for a number of documents to be sent to the ODPC in advance of the audit, such as data protection policies, codes of practice, website privacy statement and data protection training materials.

• The letter will also state that a draft report will be issued following the audit – the organisation will have the opportunity to comment on the report prior to receiving the final audit report.


Surviving the audit…

i. Preparation

ii. How the audit process works

iii. The day of the audit

iv. Outputs: The audit report


Surviving the audit

1) Preparation:

• Letter has been received = an organisation has a clear instruction as to what areas will be audited.

• Identify relevant managers and staff and arrange workshops/meetings in advance of the audit so that they are clear about DP responsibilities.

• Ensure managers are fully aware of the DP activities carried out by Third Party Processors.

• Ensure Third Party Processors are complying with their contractual DP obligations.

• Review any previous DP breaches to ensure that the agreed remedial actions have been implemented.


Surviving the audit

Preparation (continued…):

• Review training materials and training statistics for the organisation and any third parties.

• Review your third party requests log.

• Review your Subject Access Requests (SARs) log.

• Gather and review all of the documentation requested by the ODPC in their letter of intent.


Surviving the audit

More Preparation:

• Review case studies in ODPC annual reports.

• Review audit reports of similar organisations.

• Ensure that you obtain consent for cookies on your website.


Surviving the audit

Even more preparation:

• It is a good idea also to map out key business processes and to also map out your organisation’s main data systems.

• If possible, also have in place an Information Register.

– This will detail the names of systems which hold personal data, how the data is classified, list data contained therein and the data owner.

• Other useful registers:

– Data Retention Register

– Third Party Transfer Register
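The Personal Data Inventory register from the framework section, the Information Register and the retention and third-party transfer registers above are all lists of the same kind of record, and the value of keeping them in a structured form is that the gaps an auditor asks about (no owner, no stated purpose, no retention period, a processor with no written contract, no end date, no right to audit, no encryption, an inventory not reviewed within the year) can be listed mechanically before the audit rather than discovered on the day. The checker below is an added example written for this page; it is not Espion's or the ODPC's code. The field names, the record layout, the sample systems, the vendor names and the review date are all constructed assumptions.

```python
"""Toy personal-data inventory checker (added example; field names are assumptions)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

REVIEW_INTERVAL = timedelta(days=365)  # the slides say: repeat the inventory annually


@dataclass
class Transfer:
    """A third party (data processor) that receives data from a system."""
    recipient: str
    written_contract: bool        # must be a written contract in place
    contract_end: Optional[date]  # the contract must have a start and end date
    right_to_audit: bool          # the contract must give the controller a right to audit
    encrypted: bool               # security measure recorded on the register


@dataclass
class SystemRecord:
    """One row of the Information Register / Personal Data Inventory."""
    system: str
    data_categories: List[str]
    record_count: int
    owner: Optional[str]
    purpose: Optional[str]
    retention_days: Optional[int]
    last_reviewed: Optional[date]
    transfers: List[Transfer] = field(default_factory=list)


def check_record(rec: SystemRecord, today: date) -> List[str]:
    """Return the gaps an auditor would raise for one register row (empty list = none)."""
    gaps: List[str] = []
    if not rec.owner:
        gaps.append("no business/technical owner recorded")
    if not rec.purpose:
        gaps.append("no specified purpose for processing (rule 2)")
    if rec.retention_days is None:
        gaps.append("no retention period recorded (rule 7)")
    if rec.last_reviewed is None or today - rec.last_reviewed > REVIEW_INTERVAL:
        gaps.append("annual inventory review overdue")
    for t in rec.transfers:
        if not t.written_contract:
            gaps.append(f"transfer to {t.recipient} without a written contract")
        elif t.contract_end is None:
            gaps.append(f"contract with {t.recipient} has no end date")
        elif t.contract_end < today:
            gaps.append(f"contract with {t.recipient} expired on {t.contract_end}")
        if t.written_contract and not t.right_to_audit:
            gaps.append(f"contract with {t.recipient} grants no right to audit")
        if not t.encrypted:
            gaps.append(f"transfer to {t.recipient} has no encryption recorded (rule 4)")
    return gaps


def check_register(register: List[SystemRecord], today: date) -> Dict[str, List[str]]:
    """Map each system name to its list of gaps, so the action plan can be risk-rated."""
    return {rec.system: check_record(rec, today) for rec in register}


# Constructed sample register: systems, vendors, volumes and dates are invented.
TODAY = date(2015, 3, 18)
SAMPLE_REGISTER = [
    SystemRecord("CRM", ["name", "address", "email"], 120_000, "Head of Sales",
                 "customer account management", 7 * 365, date(2014, 9, 1),
                 [Transfer("Cloud Hosting Co", True, date(2016, 12, 31), True, True)]),
    SystemRecord("Marketing list", ["email", "consent flag"], 45_000, None,
                 "email marketing", None, date(2014, 11, 15),
                 [Transfer("Mail Vendor Ltd", False, None, False, False)]),
    SystemRecord("HR payroll", ["name", "PPS number", "bank details"], 350,
                 "HR Manager", "payroll", 6 * 365, date(2013, 6, 1),
                 [Transfer("Payroll Bureau", True, date(2014, 12, 31), False, True)]),
]

if __name__ == "__main__":
    for system, gaps in check_register(SAMPLE_REGISTER, TODAY).items():
        print(system, "->", gaps or "no gaps")
```

Running it against the sample register reports nothing for the CRM, four gaps for the marketing list (no owner, no retention period, an unwritten processor arrangement, no encryption) and three for payroll (inventory review overdue, an expired processor contract with no right to audit), which is the kind of risk-rated findings list the action-plan step calls for.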


Surviving the audit

2) How the Audit Process Works:

• The audit may last a matter of one day, a few days, weeks or even months.

• The authorised officers will likely ask for access to key systems, or they will request that a member of staff conduct a walkthrough of key customer databases.

• They will indicate a rough timetable of events for the day and which staff they will want to interview.

• It is useful to start off the audit with a brief presentation giving a high-level overview of the organisation and data.

• Top tip: Use your charts and registers from the prep phase!


Surviving the audit

3) The Day of the Audit:

• Questionnaire-based approach:

– focuses on the flow of personal data within and outside the organisation.

– questions typically structured around the 8 data protection principles.

• They will generally focus on areas of the organisation:

– which either hold a lot of personal data

– or which have been the subject of a previous breach.

• They will go into further detail around what actions have been taken to mitigate against further breaches.

• They will likely ask for further documents over the course of the day to be forwarded after the audit.

• The audit is a two-way process; co-operation is vital.


Surviving the audit

4) The Audit Report

• The draft report will be sent to the organisation within about 8 weeks.

• The organisation will have an opportunity to respond to the draft report before a final report is published.

– Objective: To have agreement between the ODPC and the organisation on the contents of the final report.

• The ODPC will not publish the report but the organisation will be mentioned in their Annual Report.

– Organisations may choose to publish the report themselves.

– Chances are, a member of the public will make an FOI request for the report anyway.


Surviving the audit

5) The Audit Report – Typical contents.

• An opinion: Is the audited organisation operating in accordance with the Data Protection Acts (1988 & 2003)?

– Compliance based: Is the organisation operating in accordance with its own documented data protection or privacy-related policies, sectoral codes of practice, guidelines and procedures?

• A compliance audit will identify existing and potential gaps and weaknesses.

– Identification of non-compliances.

– Identification of any risks or possible contraventions of applicable legislation.

• Remedial Actions to be taken.

– Immediate remedial action may be prescribed by the Office of the Data Protection Commissioner.

– Improvements.


Surviving the audit

6) The Audit Report – Not all doom and gloom

• Positive Findings!

• An audit will identify strengths and areas where data protection practices in an organisation are to be commended.


The new Data Protection Laws

i. Why the need for EU Data Protection Reform?

ii. Why do individuals need more protection?

iii. What does the Commission hope to achieve?

iv. Key changes

v. Strengthening Individual Rights – Profiling

vi. Strengthening Individual Rights – Right to be Forgotten


The New Data Protection Laws

1) “Radical overhaul”? Not really…

• In January 2012, the European Commission outlined its proposals for a radical overhaul of DP rules in the EU.

• The new law is expected to be enacted by a regulation which will supersede the existing Data Protection directive (95/46/EC).

• The regulation was initially expected to be in force by 2015 but the legislative process takes time…

• The proposed changes do not represent a radical overhaul of DP law, rather an enhancement of the existing law, taking into account the fact that when the 1995 law came about, the internet was in its infancy.


The New Data Protection Laws

2) Why the need for EU Data Protection Reform?

• Each country in the EU implemented the 1995 EU Data Protection Directive differently, so there is a very strong appetite for united Regulation across the EU.

• However…

• In 1995 the Internet was a very different beast - our Digital DNA is now everywhere we go.

• And every country has interpreted things a bit differently…


The New Data Protection Laws

3) Why do individuals need more protection?

• Loss of control vs what is required for everyday life.

• 74% of European individuals think that disclosing personal data is part of modern life.

• BUT 72% of internet users feel that they give away too much data.

• 43% of internet users believe they have been asked for more personal information than is necessary.

• Cloud computing means that more data is stored on remote servers instead of personal computers.

• The right of individuals to retain effective control over their personal data is fundamental and must be protected.


The New Data Protection Laws

4) What does the Commission hope to achieve?

• Reinforce individuals’ rights – privacy by design and by default.

• Strengthen the EU internal market through new, clear and robust rules for the free movement of data – simplification of binding corporate rules.

• Ensure consistent enforcement of the rules.

• Set global data protection standards.

• Ensure a high level of DP across all industries.


The New Data Protection Laws

5) Key changes:

1) A level playing field for business through one single law applicable to any business across the EU – harmonisation expected to save businesses up to €2.3 billion per year.

2) One-Stop-Shop – companies in the EU will be answerable to a single DPA no matter how many EU countries they do business in.

3) Companies with over 250 employees must hire a Data Protection Officer – increase accountability of data controllers.

4) Individuals will have the right to refer all cases to their home country national data protection authority, even if the data is processed outside of their home country.


The New Data Protection Laws

Key changes (continued):

5) Privacy by design.

6) Make the data transfer process from one service provider to another easier.

7) Strengthen the right to be forgotten – the onus will be on data controllers to prove that they need to keep the data, not on the data subject.

8) Ensure that consent is explicitly given rather than assumed.

9) Every individual will have the right not to be profiled.


What can / should businesses do now?

i. The 7 P’s

ii. A checklist


What can / should businesses do now?

PREPARE


What can / should businesses do now?

1) Flag changes to Management.

2) Appoint a Data Protection Officer.

3) If your business is outside the EU, plan to appoint a DP representative who is based in the EU.

4) Look at what data you process – create an Information Management Policy and data registers / flows.

5) Look at your organisation’s data breach procedures and have a clear plan of action should a data breach occur, as you may have only 24 hours to notify.


What can / should businesses do now?

6) Review contracts with data processors to ensure that the terms regarding Data Protection are strong enough.

7) Review your internal data protection policies.

8) Introduce Privacy Impact Assessments to detect data protection risks at an early stage.

9) Review all consents received for direct marketing to ensure that they fit within the new definition of consent.

10) Review your training materials and organise tailored staff training, if necessary.


Questions?


@IsacaIreland ISACA Ireland Chapter [email protected]