Scribd Logo
Upload

Welcome to Scribd!

  • Guide To Data Protection Auditing - Step-By-step Process - SelectAuditor

    Uploaded by

    Spit Fire
    10 views2 pages
    Guide to Data Protection Auditing - Step-By-step Process_SelectAuditor

    Original Title

    Guide to Data Protection Auditing - Step-By-step Process_SelectAuditor

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Guide to Data Protection Auditing - Step-By-step Process_SelectAuditor

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    10 views2 pages

    Guide To Data Protection Auditing - Step-By-step Process - SelectAuditor

    Uploaded by

    Spit Fire
    Guide to Data Protection Auditing - Step-By-step Process_SelectAuditor

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 2

    Guide to Data Protection Auditing - Step-by-step Process 12/28/21, 8:26 AM

    Data Protection Homepage


    Audit Guide Homepage
    Download print version

    Planning | Preparation: Conducting the Adequacy Audit | Preparation: Compliance Audit | Conducting the Compliance Audit |
    Audit Execution | Reporting | Audit follow-up

    < Previous | Next >

    Selection of Auditor (print ref: Part 3, Section 1.3) Planning

    The key factor to bear in mind when selecting staff to carry out Data Protection Planning
    Audits is that they should be independent of the function being audited. This Risk Assessment
    means that ideally the person responsible for Data Protection should not audit Audit Schedule
    activities such as Subject Access Requests if they usually process these Select Auditor
    themselves. However, in small organisations it may be very difficult or even Pre-audit Questionnaire
    impossible to ensure total independence and so a compromise will have to be Preparatory Meeting
    reached. In larger organisations, there should be positive benefits by having and Checklist
    staff from one function auditing another as this might encourage the adoption
    of best practice.

    Auditors who are required to carry out Data Protection assessments will need to
    meet certain minimum criteria in a number of areas. The international auditing
    standard ISO 10011-2 can serve as a very useful starting point to help
    organisations define these minimum criteria, and some recommendations are
    made for both Internal and External Auditors.

    Skills

    All Data Protection Auditors should be competent at expressing concepts and


    ideas clearly and fluently both orally and in writing.

    Training in Auditing

    Ideally, every Auditor should be given adequate training before conducting any
    audits.

    a. External and Supplier Auditors

    When choosing an External or Supplier Auditor, organisations should


    check that they have been trained to a level sufficient to ensure
    competence in the skills required for both conducting and managing
    audits. The core areas covered by this training should include:

    Knowledge and understanding of Data Protection issues in general


    and the 1998 Act in particular.
    Familiarity with the assessment techniques of examining,
    questioning, evaluating and reporting.
    Additional skills for managing an audit, such as planning,
    organising, communicating and directing.

    b. Internal Auditors

    Internal Auditors, particularly those in smaller organisations are unlikely


    to have received training to the level described above. For this reason

    https://www.cmpe.boun.edu.tr/~ozturan/etm555/dataaudit/html/steps/planning/auditor.htm Page 1 of 2
    Guide to Data Protection Auditing - Step-by-step Process 12/28/21, 8:26 AM

    Part 4 of this Manual and the pro formas and checklists in the Annex are
    intended to provide novice auditors with sufficient guidance to conduct
    basic Data Protection audits without further training.

    Experience of Data Protection Law and Practice

    Internal and External/Supplier Auditors may have very different levels of


    experience of Data Protection Law and Practice.

    a. External and Supplier Auditors

    When choosing an External or Supplier Auditor it is recommended that


    organisations look for Auditors who have demonstrable experience in
    Data Protection related activities.

    b. Internal Auditors

    Smaller organisations will probably have great difficulty in finding staff


    with much experience of Data Protection Law and Practice, so again the
    best compromise will have to be reached. Larger organisations may find
    that only the person(s) responsible for Data Protection has the relevant
    experience, but this should not preclude other staff from auditing for the
    reasons stated in "Training in Auditing", part b) above.

    Personal Attributes

    Both Internal and External/Supplier Data Protection Auditors will require the
    following personal attributes if they are to carry out their tasks successfully:

    To be open-minded and mature in approach


    To possess sound judgement, analytical skills and tenacity
    To be objective
    To have the ability to perceive situations in a realistic way
    To be able to understand complex operations from a broad perspective
    To be able to understand the role of individual units within the overall
    organisation

    Return to top

    < Previous | Next >

    What is a Data Protection Audit? | Why Audit? | Beginner's Guide | Step-by-step Process | Forms and Checklists | Site Index
    Copyright

    https://www.cmpe.boun.edu.tr/~ozturan/etm555/dataaudit/html/steps/planning/auditor.htm Page 2 of 2

    You might also like