Guide to Data Protection Auditing
Selection of Auditor (print ref: Part 3, Section 1.3)

The key factor to bear in mind when selecting staff to carry out Data Protection Audits is that they should be independent of the function being audited. This means that, ideally, the person responsible for Data Protection should not audit activities such as Subject Access Requests if they usually process these themselves. However, in small organisations it may be very difficult or even impossible to ensure total independence, and so a compromise will have to be reached. In larger organisations there should be positive benefits in having staff from one function audit another, as this may encourage the adoption of best practice.

Auditors who are required to carry out Data Protection assessments will need to meet certain minimum criteria in a number of areas. The international auditing standard ISO 10011-2 can serve as a very useful starting point to help organisations define these minimum criteria, and some recommendations are made for both Internal and External Auditors.

Skills

All Data Protection Auditors should be competent at expressing concepts and ideas clearly and fluently both orally and in writing.

Training in Auditing

Ideally, every Auditor should be given adequate training before conducting any audits.

  1. External and Supplier Auditors

    When choosing an External or Supplier Auditor, organisations should check that they have been trained to a level sufficient to ensure competence in the skills required for both conducting and managing audits. The core areas covered by this training should include:

    • Knowledge and understanding of Data Protection issues in general and the 1998 Act in particular.
    • Familiarity with the assessment techniques of examining, questioning, evaluating and reporting.
    • Additional skills for managing an audit, such as planning, organising, communicating and directing.

  2. Internal Auditors

    Internal Auditors, particularly those in smaller organisations, are unlikely to have received training to the level described above. For this reason, Part 4 of this Manual and the pro formas and checklists in the Annex are intended to provide novice auditors with sufficient guidance to conduct basic Data Protection audits without further training.

Experience of Data Protection Law and Practice

Internal and External/Supplier Auditors may have very different levels of experience of Data Protection Law and Practice.

  1. External and Supplier Auditors

    When choosing an External or Supplier Auditor it is recommended that organisations look for Auditors who have demonstrable experience in Data Protection related activities.

  2. Internal Auditors

    Smaller organisations will probably have great difficulty in finding staff with much experience of Data Protection Law and Practice, so again the best compromise will have to be reached. Larger organisations may find that only the person(s) responsible for Data Protection has the relevant experience, but this should not preclude other staff from auditing, for the reasons stated under "Training in Auditing", item 2 above.

Personal Attributes

Both Internal and External/Supplier Data Protection Auditors will require the following personal attributes if they are to carry out their tasks successfully:

  • To be open-minded and mature in approach
  • To possess sound judgement, analytical skills and tenacity
  • To be objective
  • To have the ability to perceive situations in a realistic way
  • To be able to understand complex operations from a broad perspective
  • To be able to understand the role of individual units within the overall organisation
