Data Protection Auditing A UK Perspective

Chris Turner

Head of Audit & Remedies

Information Commissioner’s Office

29th International Conference of Data Protection and Privacy Commissioners

Background
  • 1998 Data Protection Act – Provides a power to audit with consent of the data controller.
  • Mid 2001 Completion of Audit Manual and promotion via our website – A major milestone for the Office.
  • Late 2003 new initiative launched to undertake programme of trial audits and consider audit accreditation schemes.
  • Audits conducted by compliance team members.
  • May 2005 permanent Audit Team created as part of a new Regulatory Action Division.
  • 2007 looking to expand team and increase powers.

Audit Programme
  • Programme based on:
    • Volunteers
    • Theme
    • Identified Non Compliance / Issues
  • Engagement
    • Invitation / Request
    • Assessment / Remedies
    • Undertaking
  • Make Up
    • Predominantly public authorities; private companies are more likely to be audited as a result of undertakings.

Audit Methodology
  • Based broadly on the Audit Manual
  • Two- to three-person team with compliance background experience
  • Development of key relationships to facilitate co-operation and establish mutual benefits
  • Scoping and planning (background information)
  • Adequacy Audit
    • Policies, Procedures, Guidelines, Training Material
    • Checklist Evaluation
  • Compliance Audit
    • Data Protection System
    • Business (Functional) Processes
    • Computer applications / operations

Audit Output

ICO Methodology

  • Adequacy Audit
    • Summary Report
    • Observations Report (Working document)
  • Compliance Audit
    • On-site Feedback (key findings)
    • Compliance Report (Observations / Evaluation / Recommendations)
  • Follow up

Challenges
  • No audit without consent
  • Team Experience (Audit / Technical)
  • Questionnaire approach – getting the questions right.
  • Availability of adequate background information e.g. process / job descriptions
  • Getting the timetable right!
  • ‘Deep and Narrow’ v ‘Wide and Shallow’
  • Reports & Recommendations
  • Balancing the workload – Small team considerations

Benefits

ICO

  • Opportunity to identify / address systemic issues.
  • Provides an alternative to enforcement.
  • Increased ICO understanding of processing.
  • Identifies the need for guidance.
  • Raise the profile of data protection.

Organisations

  • Raise data protection awareness at an individual and corporate level.
  • Provides a perspective of the regulator’s view
  • Is a catalyst for change.
  • Provides an alternative to enforcement.
