Surviving a Data Protection Audit David Hickey Thornton Group – Insurance Loss Adjusters 28 January 2015

Surviving an ODPC Audit - Ireland


Page 1: Surviving an ODPC Audit - Ireland

Surviving a Data Protection Audit

David Hickey, Thornton Group – Insurance Loss Adjusters

28 January 2015

Page 2

• Largest firm of Insurance Loss Adjusters in Ireland

• 170 staff in 8 locations

• Multiple group specialist companies – Property, Jewellery, Liability, Marine, Business Interruption

• Settle insurance claims on behalf of major insurers

Page 3

Page 4

Compliance Agenda

• Regulated by Central Bank

• Consumer Protection Code

• Complaints & Internal Audit

• Information Security

• Data Protection

Page 5

Data Protection

• DP was traditionally part of H.R. function

• Increasing DP questions arising in Information Security audits

• Engaged ISAS to carry out IS & DP readiness audit – Aug 2014

• Outcome: 43 issues of concern varying in severity

• Decision to train and appoint DPO – Sept 2014

Page 6

Page 7

Sept 22nd - Notification of Audit

• Audit date: Fri 10th Oct 2014
  – Four weeks’ notice
  – 3 investigators, full day
  – Interviews with key staff
  – Paper & systems audit
  – Possible “Walkabout”

• Documentation: Fri 3rd Oct
  – Three weeks to get ready

Page 8

ODPC Powers

“The Commissioner may carry out or cause to be carried out such investigations as he or she considers appropriate in order to ensure compliance with the provisions of this Act and to identify any contravention thereof”

Page 9

Immediate Concerns?

• Compliance with Data Protection – unknown

• Issues from ISAS review – not yet addressed

• Staff awareness – uncertain

• Information flows – not documented

• Procedures – not documented

• Poor ODPC Audit could damage reputation or worse

Page 10

Page 11

We need a Plan!

Page 12

Timeline

• BEFORE
  – Pre-2014: some policies in place; not all procedures documented; staff awareness patchy
  – Sept 2014: Board appoints D.P.O.; notice of audit

• Week 1 – Internal discovery
  – Collection of DP-related documents
  – Contract review
  – Current state review
  – Email to ODPC

• Week 2 – Policies
  – Review existing
  – Write new, based on the 8 rules
  – Follow the information
  – Emails to staff
  – Call with ODPC

• Week 3 – Procedures
  – Document existing
  – Create new, reflecting the policies
  – Staff awareness training
  – Pack to ODPC

• Week 4 – People
  – Internal checks and audits
  – Staff training plan
  – DP training for key staff
  – Brief audit participants
  – Audit by ODPC

Page 13

Starting Point

Code of Practice on Data Protection for the Insurance Sector (Approved by the Data Protection Commissioner under Section 13(2) of the Data Protection Acts, 1988 and 2003)

Page 14

Week 1: what are we likely to be asked?

• Kinds of personal data?

• Any sensitive data?

• Approximate volumes?

• Our policies and procedures?

• What staff training is provided?

• Have we experienced difficulties in relation to Data Protection?

• Contracts with 3rd party data processors?

• WHAT DID WE DO?
  – Internal review
  – Public documentation
  – ODPC website
  – Consulted ADPO
  – Consulted ICS SKILLS
  – Consulted AMNCH
  – Re-engaged ISAS
  – Engaged MASON HAYES & CURRAN

• INTRODUCTORY EMAIL TO ODPC

ODPC Website

Page 15

Week 2: what do we need to prepare?

• REVIEW
  – Registration with DPC

• POLICIES
  – Data Protection
  – Information Security
  – ePrivacy
  – HR and Hiring
  – Data retention and destruction
  – Subject access requests
  – Training

• WHAT DID WE DO?
  – Updated DP Policy
  – Collated existing policies
  – Wrote missing policies
  – Updated staff awareness
  – Scheduled formal training
  – Updated the Board

• PHONE CALL WITH ODPC

Page 16

113 documents

Page 17

Week 3: Evidence?

• PROCEDURES
  – Document all processes
  – Information handling
  – Movement of paper
  – Electronic file movement and security

• LOGS
  – Breaches (real or potential)
  – Subject access requests
  – User permission reviews
  – Training

• DOCUMENTATION PACK TO ODPC

Page 18

Sent to ODPC

Page 19

Week 4: Ready – Set – Go!

• POLICIES & CONTRACTS
  – Review for completeness

• PROCEDURES
  – Spot checks

• STAFF
  – Reinforce awareness
  – Brief potential interviewees

• DOCUMENTATION
  – Collate and index everything

• AUDIT BY ODPC

Page 20

Page 21

Page 22

Audit Day

• 10:00am – 4:30pm

• 3 x ODPC investigators

• Dedicated Meeting Room

• 6 x company interviewees

• 40+ documents for review

1. ODPC introduction
2. Company CEO introduction
3. Ops Director business overview
4. Policy and procedure review
5. Logs and other records
6. Sample cases
7. Walkabout
8. Preliminary feedback

Page 23

Investigation

• 3 Investigators
  – Professional & courteous

• Interested in information/data flow
  – Overview of our business was important

• Parallel review of 40+ documents
  – Little chance of missing anything

• Attention to detail
  – Lots of questions and note taking

• Review of specific (not sample) cases
  – Paper first, then electronic data relating to the same cases

Page 24

Walkabout

Page 25

Walkabout

Page 26

Audit Result

SUMMARY

“Excellent co-operation was received throughout the inspection. The Inspection Team considered that there was excellent organisational awareness of data protection principles generally”

RECOMMENDATION

“It is recommended that any [Data Subject] access request received … is passed to the relevant client in the first instance and … redacts any third party personal data when providing documentation.”

December 2014

Page 27

Lessons Learned

• A Data Protection Audit gets the Board’s attention!

• Be positive – use the opportunity to streamline bad practices

• It’s time consuming! Get internal and external help

• Co-operate – provide documentation in advance to ODPC

• Be able to evidence that policies and procedures are in use

• Raise staff awareness

• Prepare an overview of the business and information flow

• Most important lesson: ENGAGE with ODPC!

Page 28

Thank You

[email protected]