A data protection audit seems like an inevitable step when you are not convinced that your treatment of customer data complies with the law and best practice. But should you choose a one-off data protection audit or appoint a permanent outsourced Data Protection Officer?
Whether permanent Data Protection Officer support is better than a data protection audit depends on who you are, what you do, and what your major concern is in relation to personal data and privacy.
One-off data protection audit or regular outsourced Data Protection Officer support?
A data protection audit would normally be a one-off event. It entails a one-off check of your policies regarding data analytics, storage, transfers and exports, and tells you whether these activities comply with the rules. A voluntary audit like this is not the same as the audits performed by the Information Commissioner’s Office (ICO) as part of its programme, or by other EU Member States’ Data Protection Authorities, but it should provide you with comparable results.
If your personal data processing activities are important yet stable, a data protection audit might be just what you need: it establishes the correct way of doing things. Since your personal data policies are expected to remain the same, the results of the audit would be future-proof, at least until the legislation changes.
However, a one-off data protection audit would not be sufficient for businesses that regularly introduce changes in technology that pose challenges to privacy: customer Big Data analytics, the introduction of new Cloud-based solutions, or gathering data through the Internet of Things (IoT). Such changes call for regular privacy impact assessments and are best handled by an in-house or an outsourced Data Protection Officer.
Essential privacy check or external opinion?
A data protection audit may still be desirable even if you have an in-house or an outsourced Data Protection Officer but want an external opinion, or simply a second opinion.
This would not indicate a lack of trust in your existing Data Protection Officer. One should keep in mind that privacy and data protection issues can be complex, and the answers often come in the form of an assessment of risks rather than a binary yes or no.
Accordingly, an external auditor’s opinion can be welcome on complex matters that need to be resolved, say, in relation to the introduction of new data analytics techniques or processing technologies.
According to Article 35 (2) of the General Data Protection Regulation (GDPR), the data controller shall seek the advice of their Data Protection Officer, where designated, when carrying out a data protection impact assessment. However, this does not mean that an external auditor should not be involved in the exercise.
When can you not avoid appointing a Data Protection Officer?
A one-off external data protection audit might not be sufficient for certain entities that will, from 2018, require the regular data privacy support of an in-house or an outsourced Data Protection Officer.
According to GDPR, the data controller and the data processor shall designate a Data Protection Officer in any case where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special (sensitive) categories of data.