Guide to Data Protection Auditing

Agreement to suitable Corrective Action (print ref: Part 3, Section 4.4.2)

It is the responsibility of the organisation's management to propose a suitable corrective action programme for each Non-compliance discovered during a Data Protection Audit. Although it is not the Auditor's role to offer advice or guidance to the organisation during an audit, it is essential that the Auditor is satisfied that the proposed corrective action will actually remove the Non-compliance. Advice or guidance could be offered during the post-audit reporting phase.

If we return to the example given in Section 4.1.2 it can be seen that had the bad design of the form been cited as the non-compliance, a logical programme of corrective action would be to re-design the form. Although this might correct that particular form it would not necessarily prevent other forms from exhibiting similar problems. However, if the form design and approval process had been cited as the non-compliance, the logical corrective action would be to include the Data Protection Representative in the sign-off loop. It can be seen that this would not only correct the form in question but would also ensure that all forms were designed correctly in future.

Once the proposed corrective action has been agreed it is documented in the middle section of the Non-compliance Record itself as described in Section 4.2.3, and then signed off by the Auditor and the Data Protection Representative.

Corrective Action Responsibilities and Timescales

The middle section of the Non-compliance Record should also be used to record the name of the person responsible for carrying out the Corrective Action programme. During the Closing Meeting the "Follow-up Date" box of the Non-compliance Record should be filled in specifying the date by when the Corrective Action will be completed and ready for review.

Agreed Audit Follow-up

Once the top two sections of each Non-compliance Record have been completed and signed off, the Auditor should agree what form any Audit Follow-up should take and when it should take place. Guidelines for deciding this are given in Sections 5.1 and 5.2. This information should then be recorded in the lower section of the Compliance Audit Report, which can then be signed off by the Auditor and the Data Protection Representative.

Audit Report Distribution (print ref: Part 3, Section 4.5)

Once the Compliance Audit Report and any associated Non-compliance Records and/or Observation Notes have been signed off, they should be provided to the Data Protection Representative so that they can proceed with the Corrective Action programme. The individual Non-compliance Records can then be completed and signed off as described in Section 5.4.1, and finally the Compliance Audit Report can be signed off and the Audit closed as described in Section 5.4.2.

Once the Audit is closed the Data Protection Representative should hold the originals of all the documents in an Audit File. The person responsible for the function or area covered in the Audit Report might also wish to retain copies for reference purposes.
