Any Organisation

Anywhere

Follow-up data protection audit report

Month 201X
Executive summary
Background
The Information Commissioner is responsible for enforcing and promoting compliance with the General Data Protection
Regulation (GDPR), the Data Protection Act 2018 (DPA18) and other data protection legislation. Section 146 of the DPA18
provides the Information Commissioner’s Office (ICO) with the power to conduct compulsory audits through the issue of
assessment notices. Section 129 of the DPA18 allows the ICO to carry out consensual audits. The ICO sees auditing as a
constructive process with real benefits for controllers and so aims to establish a participative approach.

[Detail of circumstances that led to the audit (post May 2018 this may include whether the audit is consensual).]

The original audit took place at XXX premises on [insert date] and covered the following scope areas:

Scope Area Description

The audit was conducted following the Information Commissioner’s data protection audit methodology. The key elements of
this were a desk-based review of selected policies and procedures, on-site visits including interviews with selected staff, and
an inspection of selected records.

Where weaknesses were identified, recommendations were made, primarily around enhancing existing processes to facilitate
compliance with the DPA.

Any Organisation Anywhere – ICO Data Protection Follow Up Audit Report – Month 201X
XXX recommendations were made in the original audit report. In order to assist the data controller in implementing the
recommendations, each was assigned a priority rating based upon the risks that it was intended to address. The ratings
were assigned based upon the ICO’s assessment of the risks involved.

XXX responded to these recommendations [positively], agreeing to formally document procedures and implement further
compliance measures.

The following charts summarise xxx’s response to the recommendations made.

Insert Graphs One and Two from the Action Plan ‘Follow Up Graphs’ worksheet.

Follow-up process
The objective of a follow-up audit assessment is to provide the ICO with a level of assurance that the agreed audit
recommendations have been appropriately implemented to mitigate the identified risks and thereby support compliance with
data protection legislation and implement good practice.

For all Urgent and High priority recommendations made in the original audit report, xxx are required to provide an update on
the actions they have taken with supporting documentation to evidence progress.

For all Medium and Low priority recommendations made in the original audit report, xxx are required to provide an update on
the actions they have taken.

The updated Action Plan should be signed off at Board Level.

Follow-up audit summary
A desk-based follow-up took place in mm/yyyy to provide the ICO and XXX with a measure of the extent to which XXX had
implemented the agreed recommendations. The following charts show a summary of progress to date.

Insert Graphs Three, Four and Five (depending on the number of scope areas covered) from the Action Plan ‘Follow Up
Graphs’ worksheet.

Summary of follow-up audit findings

Insert selection of graphs from the remaining scope area and priority specific graphs on the Action Plan ‘Follow Up
Graphs’ worksheet that best illustrate the progress made or any concerns.

Include bullet pointed conclusions on the data presented in the graphs, for example:

• In the Governance & Accountability scope area we are pleased to note that all the urgent priority
recommendations have been completed.
• In the [scope area 2] scope area we note that all the urgent and high priority recommendation actions are either
in progress or completed.
• In the [scope area 3] scope area there are still a number of medium priority recommendation actions that are
either in progress or have not yet been started. In these instances there remains the residual risk of
non-compliance with data protection legislation.

Key follow-up audit findings
Main improvements include:

• Xxxxxxx
• Xxxxxxx

Main risk areas still outstanding:

• Xxxxxxx
• Xxxxxxx

Follow-up audit conclusion

Delete as appropriate:

The follow-up is now complete; xxx has made meaningful progress towards, or completed, all the actions agreed in the
original audit.

Some outstanding actions exist, but meaningful progress is being made with the remaining actions to mitigate the risk of
non-compliance.

There are a number of outstanding actions which means there is still a risk of non-compliance with data protection
legislation. Xxx should take urgent steps to complete all the actions agreed in the original audit.

There are significant gaps in progress towards urgent and / or high priority actions. Following a further review of the risk of
non-compliance / severity of the data breach, regulatory action may be considered.

There has been no progress towards the majority of the urgent and / or high priority actions. Xxx is in breach of data
protection legislation and so the ICO will now consider regulatory action.

Credits
ICO Auditor
Name – Job role

Thanks
The ICO would like to thank name and job title of contact for their help in the audit follow up engagement.

Distribution List
This report is for the attention of names and job titles.

Disclaimer
The matters arising in this report are only those that came to our attention during the course of the follow up audit and are not necessarily a comprehensive statement of
all the areas requiring improvement.

The responsibility for ensuring that there are adequate risk management, governance and internal control arrangements in place rests with the management of the data
controller.

We take all reasonable care to ensure that our follow up audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third
party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. We
cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained
in this report.

This report is solely for the use of data controller. The scope areas and controls covered by the original audit were tailored to data controller and, as a result, this report is
not intended to be used in comparison with other ICO follow up audit reports.
