A good starting point for acting as a compliance auditor is to consider yourself the person who “checks the checkers”. This means that the role is less about carrying out first line checks and more about checking that compliance frameworks are effective and that the checks carried out by the business are of good quality.
UK GDPR states that it is the responsibility of the organisation to comply with GDPR (the principle of Accountability); therefore, operational and business areas need their own controls to ensure compliance, and the Data Protection Officer (“DPO”) role is to check that those controls are adequate in practice. This might involve sampling checks carried out by other colleagues or repeating them to test their usefulness. Even so, it may be possible to delegate this task to a line manager or to someone who supports the DPO role, such as a “Data Champion”, “Data Protection Practitioner” or “Local Data Protection Adviser”.
To be able to conduct a compliance audit it is important that the auditor is independent of the work they are checking. That said, having been trained and being familiar with the workings of the organisation, the DPO will usually be the person most skilled in carrying out audit tasks and drafting compliant materials for use by the business. Yet if you draft a Privacy Notice or training material, how can you then carry out an audit review of that material? Your independence is compromised because of the major part you played in carrying out the task yourself.
This is a key reason for “checking the checkers”. Responsibility for the adequacy of audit checks and for the compliance of materials is expressly reserved to the controller organisation, so that the DPO remains independent.
It is difficult to manage the twin responsibilities of guiding the organisation and maintaining enough independence to check its compliance properly. The DPO role is to support line managers and colleagues in compliance activity, but you need to draw the line at completing tasks on their behalf.
Our top tips to manage the expectations of the business are:
- Point out the difficulties of maintaining independence in your role
- Offer one to one or workshop coaching for drafting materials such as policies and procedures and privacy notices
- Provide guidance notes and signpost ICO guidance on relevant topics
- Offer to review materials drafted
- If all else fails: get the line manager to agree to fund an independent review or audit of the work you are forced to undertake.
It goes without saying that a designated Data Protection Officer should flag any undue pressure that prevents them from carrying out their role properly and escalate it as necessary, so that the role continues to be undertaken in accordance with the UK GDPR and the business is able to manage the compliance risk if boundaries are not being observed.
Mandy P Webster, Data Protection Consultant