Guide to Data Protection Auditing

Bad Practices (print ref: Part 4, Section 3.3)

As well as adopting the good practices listed in section 3.2, Auditors should try to avoid the following bad practices:

  • Ask too many questions at once: Ask one question at a time and only move on once you have received the answer, or else you will confuse the auditee.
  • Say they understand when they don't: Don't be afraid to ask the auditee to explain something they have said if you do not understand. You are not expected to be an expert in everything.
  • Answer their own questions: Let the auditee answer the question; don't put words into their mouth.
  • Give insufficient time to answer: Although you will be under a lot of time pressure you must give the auditee sufficient time to answer each question.
  • Get into an argument: This is a consequence of looking for trouble, discussed in section 3.2, and should be avoided at all costs.
  • Rely on their memory: All your questions should be written down on your checklists, so make sure that all the answers are too. Then you won't have to rely on your memory when it comes to writing up Non-compliance and Audit reports afterwards.
  • Give subjective opinions: Remember first of all you have to be objective, and secondly you are not really there to give advice but to make judgements based on the evidence.
  • Take sides: You have to be impartial at all times.
  • Criticise individuals: Your role as Auditor is to assess the effectiveness of the data protection system, not individuals. If you do find evidence of a breach of the Data Protection Act, first establish whether it is due to a system failure. If it is due to human error, check whether the individual has had sufficient training to carry out the task. If they have not been trained sufficiently, then this is also a system failure.

You will find that the best way of avoiding many of the above bad practices is to be very careful about the way you respond to answers provided by auditees. This is illustrated by the phrases shown below, which are likely to lead to the undesirable consequences indicated and should be avoided by the Auditor.

Phrase                   Likely consequence
If I were you ......     Subjective opinion
When I was at ......     Auditor's "baggage"
If you do this ......    Giving advice
Fine, but ......         Getting into an argument
I told you so ......     Criticising
