Surviving an ODPC Audit - Ireland (slide transcript)
Surviving a Data Protection Audit
David Hickey, Thornton Group – Insurance Loss Adjusters
28 January 2015
• Largest firm of Insurance Loss Adjusters in Ireland
• 170 staff in 8 locations
• Multiple group specialist companies – Property, Jewellery, Liability, Marine, Business Interruption
• Settle insurance claims on behalf of major insurers
Compliance Agenda
• Regulated by Central Bank
• Consumer Protection Code
• Complaints & Internal Audit
• Information Security
• Data Protection
Data Protection
• DP was traditionally part of the H.R. function
• Increasing DP questions arising in Information Security audits
• Engaged ISAS to carry out an IS & DP readiness audit – Aug 2014
• Outcome: 43 issues of concern, varying in severity
• Decision to train and appoint a DPO – Sept 2014
Sept 22nd – Notification of Audit
• Audit date: Fri 10th Oct 2014
– Four weeks' notice
– 3 investigators, full day
– Interviews with key staff
– Paper & systems audit
– Possible "Walkabout"
• Documentation due: Fri 3rd Oct
– Three weeks to get ready
ODPC Powers
"The Commissioner may carry out or cause to be carried out such investigations as he or she considers appropriate in order to ensure compliance with the provisions of this Act and to identify any contravention thereof"
Immediate Concerns?
• Compliance with Data Protection – unknown
• Issues from ISAS review – not yet addressed
• Staff awareness – uncertain
• Information flows – not documented
• Procedures – not documented
• A poor ODPC audit could damage reputation, or worse
We need a Plan !
Timeline (columns on the slide: Before, Week 1, Week 2, Week 3, Week 4)
• BEFORE
– Pre-2014: some policies in place; not all procedures documented; staff awareness patchy
– Sept 2014: Board appoints D.P.O.; notice of audit
• POLICIES
– Review existing
– Write new
– Based on the 8 rules
– Follow the information
• PROCEDURES
– Document existing
– Create new
– Reflect the policies
• PEOPLE
– Internal checks and audits
– Staff training plan
– DP training for key staff
– Brief audit participants
• MILESTONES (in slide order)
– Internal discovery: collection of DP-related documents, contract review, current state review
– Emails to staff
– Call with ODPC
– Email to ODPC
– Staff awareness training
– Pack to ODPC
– Audit by ODPC (Week 4)
Starting Point
Code of Practice on Data Protection for the Insurance Sector (approved by the Data Protection Commissioner under Section 13(2) of the Data Protection Acts, 1988 and 2003)
Week 1: what are we likely to be asked?
• Kinds of personal data?
• Any sensitive data?
• Approximate volumes?
• Our policies and procedures?
• What staff training is provided?
• Have we experienced difficulties in relation to Data Protection?
• Contracts with 3rd party data processors?
• WHAT DID WE DO?
– Internal review
– Public documentation
– ODPC website
– Consulted ADPO
– Consulted ICS SKILLS
– Consulted AMNCH
– Re-engaged ISAS
– Engaged MASON HAYES & CURRAN
• INTRODUCTORY EMAIL TO ODPC
Week 2: what do we need to prepare?
• REVIEW
– Registration with DPC
• POLICIES
– Data Protection
– Information Security
– ePrivacy
– HR and Hiring
– Data retention and destruction
– Subject access requests
– Training
• WHAT DID WE DO?
– Updated DP Policy
– Collated existing policies
– Wrote missing policies
– Updated staff / awareness
– Scheduled formal training
– Updated the Board
• PHONE CALL WITH ODPC
113 documents
Week 3: Evidence?
• PROCEDURES
– Document all processes
– Information handling
– Movement of paper
– Electronic file movement and security
• LOGS
– Breaches (real or potential)
– Subject access requests
– User permission reviews
– Training
• DOCUMENTATION PACK TO ODPC
Sent to ODPC
Week 4: Ready – Set – Go!
• POLICIES & CONTRACTS
– Review for completeness
• PROCEDURES
– Spot checks
• STAFF
– Reinforce awareness
– Brief potential interviewees
• DOCUMENTATION
– Collate and index everything
• AUDIT BY ODPC
Audit Day
• 10:00am – 4:30pm
• 3 x ODPC investigators
• Dedicated meeting room
• 6 x company interviewees
• 40+ documents for review
Agenda:
1. ODPC introduction
2. Company CEO introduction
3. Ops Director business overview
4. Policy and procedure review
5. Logs and other records
6. Sample cases
7. Walkabout
8. Preliminary feedback
Investigation
• 3 investigators
– Professional & courteous
• Interested in information/data flow
– Overview of our business was important
• Parallel review of 40+ documents
– Little chance of missing anything
• Attention to detail
– Lots of questions and note taking
• Review of specific (not sample) cases
– Paper first, then electronic data relating to the same cases
Walkabout
Audit Result (December 2014)
SUMMARY
"Excellent co-operation was received throughout the inspection. The Inspection Team considered that there was excellent organisational awareness of data protection principles generally"
RECOMMENDATION
"It is recommended that any [Data Subject] access request received …… is passed to the relevant client in the first instance and …. redacts any third party personal data when providing documentation."
Lessons Learned
• A Data Protection Audit gets the Board's attention!
• Be positive – use the opportunity to streamline bad practices
• It's time consuming! Get internal and external help
• Co-operate – provide documentation in advance to ODPC
• Be able to evidence that policies and procedures are in use
• Raise staff awareness
• Prepare an overview of the business and information flow
• Most important lesson: ENGAGE with ODPC!