Guide to Data Protection Auditing


Preparatory Meeting Agenda (print ref: Part 5, Annex D, Section D.1)

Introductions

  • Meet the data protection personnel and senior management of the organisation (if possible).
  • Establish who is the key Data Protection contact within the organisation for liaison purposes before, during and after the audit.

Data Processing Activities

It is vital to establish from the outset what aspects of the organisation's activities come under the scope of the Data Protection Act. The questions that need to be asked are:

  • Who is the Data Controller?
  • Is the organisation involved in processing personal data?
  • Is any of this personal data also sensitive?
  • Does the organisation use any paper records which would fall within the definition of a "relevant filing system"?
  • Are there any special purposes for which the data is used? E.g. journalistic, in-house newsletter etc.

Adequacy Audit

  • Discuss what documentation the organisation should send in advance for the auditor(s) to conduct the Adequacy Audit and when it will be available.
  • Outline the options open to the organisation in the event of an unsatisfactory Adequacy Audit.

Scope of the Compliance Audit

Once the existence of personal data processing has been established you can go on to discuss the scope of the compliance audit in more detail:

  • Discuss what departments and/or functions will be involved.
  • Discuss when the Audit could start and indicate the likely duration.
  • Indicate which staff within the organisation are likely to be involved in the audit.

Compliance Audit Protocols

  • Agree when and where the Opening and Closing Meetings will take place and who will be present.
  • Discuss the likely schedule for the auditor(s) visiting the departments/functions and which members of staff will be involved at each stage.
  • Inform the organisation of what type of written/oral feedback will be presented after the Audit, i.e. Compliance Audit Report with associated Non-compliance Reports.
  • Discuss the arrangements for any potential follow-up audits/visits to confirm that any required corrective action has been taken.

Practical Arrangements

It is important to establish exactly which facilities will be required by the Auditor(s) during the Audit including:

  • Access to premises
  • Base room/office availability
  • Working space, desks, furniture etc.
  • Access to IT equipment
  • Access to telephones, photocopiers, shredders etc.

Tour of the Premises

It is always good practice for Auditors to carry out a brief tour of the premises at the end of the Preparatory Meeting. This will help them to:

  • Familiarise themselves with the layout of the building(s) and the nature of the organisation's products and services.
  • Ascertain the status of the organisation's Data Protection System and judge how well it is prepared for an Audit.
  • Prepare an initial Audit Plan, e.g. size of Audit team, skills required, likely duration.
