Audit by a Data Protection Authority: How to be prepared?
June 22, 2021
It has been more than two years since the Data Protection Authorities of the EU Member States (‘DPAs’) started performing data protection audits. As part of their general task of monitoring compliance with the principles laid down by the General Data Protection Regulation (“GDPR”), each competent DPA may carry out inspections and impose sanctions. Whether you are a data controller or a processor, you may therefore be subject to an audit at any time. That is why all organizations need to be ready now.
How does an audit work?
A DPA audit generally occurs as a result of a complaint or request from a data subject, following a breach notification, or when the competent authority finds or suspects non-compliance with the GDPR.
In practice, there are two types of audit: a survey inspection (carried out on the basis of documents, at a hearing or online) or a field inspection (carried out on site, on the basis of information gathered through a physical inspection of the controller’s facilities). Consequently, an audit does not necessarily imply a visit by the DPA’s agents to the company’s premises.
The scope of the DPA’s audit is particularly wide. « DPA’s agents can come at any time and without even giving you prior notice of their arrival. It is therefore essential to have your GDPR file ready to be made available to them at their first request. In the context of an audit by the CNIL, the French DPA, particular attention was paid to the DPO, his skills and qualifications as well as his effective role within the company. The CNIL then checked all contracts with customers and service providers, procedures, records of data processing activities, security measures and training records. They even interviewed staff members on the concrete implementation of the GDPR procedures », said Xavier GOBERT, CEO of MyData-TRUST.
In this context, during onsite visits, DPAs have a number of means to control data controllers and processors. In particular, DPAs are authorized to consult and request copies of documents, to interview staff members, and to examine and print electronic documents. They can also carry out checks on the tools, data media or information systems used for data processing, and they can request written or oral clarifications.
After the DPA has assessed the extent to which you comply with the relevant data protection requirements, it will provide you with a risk-focused report containing recommendations. « We received a report 3 weeks after the CNIL audit and a report of the visit 3 months later », highlighted Xavier GOBERT.
According to the German DPA, the main objective of an audit is not to issue fines but to determine where organizations still have compliance gaps and to raise awareness of GDPR requirements.
However, if the DPA audit is conducted following a violation, the DPA can impose a fine of up to €20 million or up to 4% of the total annual worldwide turnover, taking into account the severity, the nature and the duration of the violation. It will also consider whether the violation was intentional or negligent. In addition to the financial risk, such an audit can affect your reputation and your brand image. The continuity of your business may even be jeopardized.
What are the key steps to follow in order to be prepared?
Step 1: Assess your GDPR Compliance
First of all, you must undertake an initial assessment of your compliance with the GDPR requirements via a gap analysis. A number of actions must already have been taken; if they have not been, it is important to catch up. On this basis, you should at a minimum:
- Appoint a DPO/DPR if needed
- Keep up-to-date records of data processing
- Implement « Privacy by Design » Principle
- Inform Data Subjects about the processing of their personal data
- Implement security measures
- Train staff members on a regular basis and keep the training records available
- Frame relationships with service providers with data processing agreements and data sharing agreements
Step 2: Set-up your GDPR file
We can help you
Our team is available to help you identify what needs to be implemented and to set the priorities.
If you have any questions regarding the SCCs, the scope, the Data Protection Officer or Representative, the Competent Supervisory Authority or Data Transfers, please contact us. The MyData-Trust team will do everything it can to support and sustain your activities involving personal data.