The Information Commissioner’s Office carries out audits of data protection compliance at controller organisations and its reports are made public on the ICO website.  In a recent audit report a key finding under “Governance and Accountability” read: “There is a limited level of assurance that processes and procedures are in place and are delivering data protection compliance. The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of noncompliance with data protection legislation.”

Further details were provided as to the shortcomings of the controller.

The processes demonstrated by the controller lacked evidence of a compliance framework so that the ICO concluded that there were insufficient controls in place to prevent systemic data protection failures.  Some of the detailed findings actually amounted to systemic failures, for example the controller did not have records of processing across all of its business areas to meet the requirement of Article 30 of GDPR.  This is not only a clear breach of GDPR but the lack of Article 30 records significantly impairs the controller’s ability to create and publish clear and comprehensive privacy notices.

The provision of privacy notices before any personal data is obtained or collected is a requirement of Articles 13 – 15 of GDPR, although the requirement predates GDPR.  Under the 1995 Data Protection Directive the content of a privacy notice was specified as:

  • Identity of data controller
  • Purposes of the processing
  • Any other information relevant in the circumstances.

Under GDPR there are seventeen different heads of information to be supplied in a privacy notice, hence the need for a detailed record of processing to be able to accurately provide this information in relation to all processing purposes.

A further level of complexity attaches to privacy notices: they must be appropriate to the understanding of the data subject, as the new Children’s Code demonstrates.  The findings in this audit highlighted the controller’s failure to provide privacy notices in other languages and formats to “meet the needs of all sections of society”.

A clear and comprehensive record of processing is the basis of data protection compliance to meet the Accountability standard.  However this record can only be created out of a thorough audit of all data processing activities to identify:

  • the purpose of the processing
  • the details of who the data subjects are
  • what personal data is held
  • how long it is held
  • whether it is shared with other controllers
  • whether third party processors are involved in the processing and
  • the location of the data.

So a compliance programme must start with an audit of data processing activity and the creation of Article 30 records.  This then informs future compliance activity; for example, the audit should enable the controller to assess the level of risk in its data processing activities and so prioritise its compliance focus.  It should identify third party data processors so that compliance checks can be carried out to confirm that appropriate written contracts are in place and that due diligence checks have been carried out.

Other key aspects of a compliance framework include having appropriate and effective policies and procedures.  There is a baseline list of issues for any organisation to cover, such as a personal data breach notification procedure, a data retention policy and retention schedule, an information security policy and procedure, and working from home procedures.  Other policies and procedures will depend on the operational activities of the controller.  Policies and procedures provide guidance for staff whose job role involves handling personal data, and the requirements of a call centre will differ from those of the finance team, for example.

Providing guidance for staff is only part of what is required to embed a good data protection culture and demonstrate Accountability.  Staff should be trained in the basics of data protection with specialist training for key job roles such as those responsible for records management, information security and managers who make data sharing and outsourcing decisions.

Meeting the Accountability standard certainly lends itself to a process, a systemic approach.  At Data Protection Consulting we have adopted a compliance process which is still sufficiently flexible to meet the needs of clients from a range of operations.  If your organisation needs help with data protection compliance, don’t wait for the ICO audit to highlight what needs to be done.  Work with us to follow a clear road to compliance developing a data protection compliance framework that evidences GDPR Accountability for data protection.

Mandy P Webster, Data Protection Consulting