It has been more than two years since the Data Protection Authorities of EU Member States (‘DPAs’) started to perform data protection audits. As part of their general task of monitoring compliance with the principles laid down by the General Data Protection Regulation (“GDPR”), each competent DPA may carry out inspections and impose sanctions. Whether you are a data controller or a processor, you may therefore be subject to an audit at any time. That is why all organizations need to be ready now.
A DPA audit generally occurs as a result of a complaint or request from a data subject, following a breach notification, or if the competent authority finds or suspects non-compliance with the GDPR. In practice, there are two types of audits: survey inspection (the audit is carried out on the basis of documents, at a hearing or online) or field inspection (the audit is carried out on site on the basis of information, with a physical inspection of the controller’s facilities). Consequently, an audit does not necessarily imply a visit by the DPA’s agents to the company's premises.
The scope of the DPA’s audit is particularly wide. « DPA’s agents can come at any time and without even giving you prior notice of their arrival. It is therefore essential to have your GDPR file ready to be made available to them at their first request. In the context of an audit by the CNIL, the French DPA, particular attention was paid to the DPO, his skills and qualifications as well as his effective role within the company. The CNIL then checked all contracts with customers and service providers, procedures, records of data processing activities, security measures and training records. They even interviewed staff members on the concrete implementation of the GDPR procedures », said Xavier GOBERT, CEO of MyData-TRUST.
In this context, and particularly during onsite visits, DPAs have a number of means of controlling data controllers and processors. In particular, DPAs are authorized to consult and request copies of documents, to interview staff members and to examine and print electronic documents. They can also carry out checks on tools, data supports or information systems used for data processing, and they can request written or oral clarifications.
After DPAs have assessed the extent to which you comply with the relevant data protection requirements, they will provide you with a risk-focused report with recommendations. « We received a report 3 weeks after the CNIL audit and a report of the visit 3 months later », highlighted Xavier GOBERT. According to the German DPA, the main objective of an audit is not to issue fines but to determine where organizations still have compliance gaps and to raise awareness of GDPR requirements.
However, if the DPA audit is conducted following a violation, the DPA can impose a fine of up to €20 million or up to 4% of the total annual worldwide turnover, taking into account the severity, the nature and the duration of the violation. It will also consider whether the violation was caused by intention or negligence. In addition to the financial risk, such an audit can affect your reputation and your brand image. The continuity of your business may even be jeopardized.
What are the key steps to follow in order to be prepared?
Step 1: Assess your GDPR Compliance
First of all, you must undertake an initial assessment of your compliance with the GDPR requirements via a gap analysis. A number of actions must already have been taken; if they have not, it is important to catch up. On this basis, you should, at a minimum:
1- Appoint a DPO/DPR if needed: recently, the Swedish DPA performed an audit of over 350 organizations on whether they had appointed a DPO. The audit included, amongst others, medical care providers. Merely appointing a DPO is not sufficient, however. You need to demonstrate the qualification of your DPO (job description, CV and certifications) and ensure that the DPO plays an effective role within the company, in complete independence from executive management instructions. Hence good communication between the DPO and the management is required; the DPO’s advice and the decisions of the executive management must be documented.
2- Keep up-to-date records of data processing: in addition to fulfilling the obligation set out in Article 30 of the GDPR, the record is a tool for monitoring and demonstrating your compliance with the Regulation. It must allow you to identify the personal data processing activities that you carry out, from collection to destruction.
3- Implement the « Privacy by Design » principle: i.e., you must have all the necessary documentation that demonstrates the compliance of your activities (e.g., Data Protection Policy, Data Breach Procedure, Data Retention Procedure, IT Policy, Data Subject Rights & Requests Procedure, Cookies Policy, …) and you must train your staff members in all these procedures on a regular basis.
4- Inform Data Subjects about the processing of their personal data: personal data must be processed lawfully, fairly and in a transparent manner in relation to the Data Subjects. Therefore, you must define how you handle individuals’ requests for copies of their personal data and how you manage routine and one-off disclosures to other organizations. Likewise, pay attention to the information on your website; DPAs will not hesitate to consult it to verify that you clearly inform the Data Subjects.
5- Implement security measures: you must be able to demonstrate how personal data is stored and kept secure. What technical and organizational measures are in place? Are these measures adequate to ensure the rights and freedoms of Data Subjects?
6- Train staff members on a regular basis and keep the training records available.
7- Frame relationships with service providers through data processing agreements and data sharing agreements: assess your vendors and service providers and ensure that documented instructions are in place.
Step 2: Set-up your GDPR file
Second, it will be necessary to prepare your GDPR file, which will contain all your GDPR documentation. According to the principle of accountability, you must be able to demonstrate the compliance of processing activities with the GDPR, including the effectiveness of the measures adopted. This requires you to be proactive and to preserve evidence, including evidence of compliance and of regular monitoring of data processing. It is a decisive factor in limiting liability and risk.
Step 3: Draw up a DPA Audit Procedure
Third, besides your GDPR file, we recommend having an internal procedure that defines how to react in the event of a DPA audit. This would first of all define who will be available to receive and/or respond to the DPA's requests, what premises will be available to receive them and what IT resources are available. It is also essential that the DPO (or a backup) be informed immediately. We suggest that you create a Response Team that would include the main people in charge of managing this audit, for example the DPO, the lawyer, the IT director and the heads of departments (HR, marketing, etc.), depending on the subject of the audit. Knowing exactly how to react, who to notify, what documents to submit and what to do after a DPA audit is essential.
Furthermore, it is also important that staff members are made aware of and trained in this audit procedure. They need to know what an audit consists of and the possible consequences. If employees are prepared, they will be better able to answer the DPA's questions and easily identify the documents and information requested.
IN CONCLUSION, don't wait any longer: get ready today for a potential DPA audit!
Authors: XAVIER GOBERT (CEO MyData-TRUST) & EMERAUDE CAMBERLIN (Data Protection Manager at MyData-TRUST)