Being prepared for a data protection audit

Top 3 data protection program issues and how to start resolving them: #22

Data protection professionals often fear audits.

So do top management.

If you fully understand ‘accountability’ and can demonstrate it, you should have nothing to fear.

Audits are opportunities to detect weaknesses, identify things that are amiss, or get confirmation that you are in control of your processing.

It could be your internal audit team.

It could be a client.

It could be a Supervisory Authority.

It could be planned or unplanned.

Here are 3 common issues.


#1 Not understanding accountability

In our 9th post, I outlined the need to prove accountability through evidence.

GDPR is loaded with opportunities to demonstrate you understand what this word means.

Rather than repeat the post, refresh your memory.


#2 People are unprepared

An ‘Inspection Manual’ is an essential part of any data protection programme.

The audience for this document is quite small, so it’s one of the easier programme deliverables to implement.

It’s about recognising *who* will be involved when, say, a Supervisory Authority pays you a visit.

It’s about having a designated ‘Inspection Lead’ and training your reception staff how to act (among other things).

It’s about knowing the rights of a Supervisory Authority (SA), what to say, and what not to say.

Without a manual there's a risk people will act like headless chickens.

Do you have one?


#3 Incoherent story

If you’ve taken a risk-based approach, you need to provide justification for the decisions you have taken.

For example, the rationale for accepting a risk.

The decision may, in hindsight, have been the wrong one, but if you can explain it *through evidence*, that will only help your cause, even if it resulted in a privacy violation.

For example, a time-stamped entry in your risk register, rather than having to search your memory for an answer.

Let the evidence do the talking.

You are on the back foot the minute you tell an incoherent story from memory, especially if there are discrepancies.


Purpose and Means help Data Protection Leaders refresh their work focusing on business alignment and orchestration.

We’re based in Denmark, but operate globally.

If this issue resonates, book a call to discuss your requirements!

Petruta Pirvan
Tim Clements
March 26, 2023
