Guide to Data Protection Auditing

Preparatory Meeting/Visit (print ref: Part 3, Section 1.5)

Effective liaison between the Data Protection Auditor and the organisation is important before, during and after a Data Protection Audit. The extent and manner of this liaison will vary depending upon whether the Audit is first, second or third party.

In the case of a first party or internal audit, all that is usually required is for the Auditor to arrange a visit with the person responsible for Data Protection to discuss the details of the audit using the outline agenda below. For second or third party audits the most efficient method of liaison is for the Auditor to set up a separate Preparatory Meeting/Visit with the organisation four to six weeks before the Audit.

The details that need to be discussed and confirmed at a Preparatory Meeting come under the following headings:

Administration

Topics to be discussed here include:

  • Contact details: who is the key Data Protection contact within the organisation for liaison purposes before, during and after the audit?
  • Documentation: what documentation should the organisation send in advance for the auditor(s) to conduct the Adequacy Audit?

The Audit

The following aspects of the Data Protection Audit itself need to be discussed and agreed at the Preparatory Meeting:

  • Scope of audit: what departments and/or functions will be involved?
  • Audit timescales: when does it start and what is the likely duration?
  • Personnel affected: which staff within the organisation will be involved in the audit?
  • Meetings: when and where will the opening and closing meetings take place and who will be present?
  • Audit Plan: what is the likely schedule for the auditor(s) visiting the departments/functions and staff involved in the audit?
  • Reporting: what type of written/oral feedback will the auditor(s) be presenting to the organisation, and when will it be presented?
  • Follow-up: what are the arrangements for follow-up audits/visits to confirm corrective action has been taken where necessary?

Practical Arrangements

It is important to establish exactly which facilities the Auditor(s) will require during the Audit, including:

  • Access to premises
  • Base room/office availability
  • Working space, desks, furniture etc.
  • Access to IT equipment, e.g. PCs, printers, modems etc.
  • Access to telephones, photocopiers, shredders etc.

A suggested agenda for the Preparatory Meeting will be found in Annex D.1. Further guidance to novice auditors concerning the approach to adopt when conducting meetings and audits will be found in Part 4 Section 5 of this Manual.

Audit Management Checklist (print ref: Part 3, Section 1.6)

When undertaking a Data Protection Audit and working through the five phases of Figure 3.1, Auditors will find that they will have to keep track of a lot of information if the audit process is to be controlled effectively. To help Auditors with this task the Audit Management Checklist of Annex C.3 has been designed to keep track of all the personnel, meetings, documents and pro formas associated with the audit. It is recommended that Auditors start filling in the Checklist at the Preparatory Meeting and then use it to monitor the process at each subsequent stage. Space has been left on page 2 of the Checklist for making notes during the Preparatory Meeting.
