Audit by a data protection authority: how does it work?
It has been more than two years since Data Protection Authorities of EU Member States (DPAs) started to perform data protection audits. As part of their general task of monitoring compliance with the principles laid down by the General Data Protection Regulation (GDPR), each competent DPA may carry out inspections and impose sanctions. Whether you are a data controller or processor, you may therefore be subject to an audit at any time. This is why all organisations need to be ready now.
How does an audit work?
A DPA audit generally occurs as a result of a complaint or request from a data subject, following a breach notification, or when the competent authority finds or suspects non-compliance with the GDPR.
In practice, there are two types of audit: a survey inspection (carried out on the basis of documents, at a hearing, or online) or a field inspection (carried out on site, including a physical inspection of the controller’s facilities). Consequently, an audit does not necessarily involve a visit by the DPA’s agents to the company premises.
The scope of a DPA audit is particularly wide. Xavier GOBERT, CEO of MyDataTRUST, says: “DPA’s agents can come at any time and without even giving you prior notice of their arrival. It is therefore essential to have your GDPR file ready to be made available to them at their first request. In the context of an audit by the CNIL, the French DPA, particular attention was paid to the DPO, his skills and qualifications, as well as his effective role within the company. The CNIL then checked all contracts with customers and service providers, procedures, records of data processing activities, security measures and training records. They even interviewed staff members on the concrete implementation of GDPR procedures.”

During on-site visits, DPAs have a number of means of checking data controllers and processors. In particular, they are authorised to consult and request copies of documents, to interview staff members, and to examine and print electronic documents. They can also carry out checks on the tools, storage media or information systems used for data processing, and they can request written or oral clarifications.

After the DPA has assessed the extent to which you comply with the relevant data protection requirements, it will provide you with a risk-focused report containing recommendations. “We received a report three weeks after the CNIL audit and a report of the visit three months later”, highlighted Xavier GOBERT.

According to the German DPA, the main objective of an audit is not to issue fines but to determine where organisations still have compliance gaps and outstanding requirements. However, if the DPA audit is conducted following a violation, the DPA can impose a fine of up to €20 million or up to 4% of total annual worldwide turnover, taking into account the severity, nature and duration of the violation. It will also consider whether the violation was caused intentionally or through negligence.
In addition to the financial risk, such an audit can affect your reputation and brand image, and the continuity of your business may even be jeopardised. In conclusion, what should you keep in mind? Don’t wait any longer – get ready today for a potential DPA audit! MyData-TRUST can help you.