Assuring the data protection environment – prove you’re compliant

June 24, 2015

The world of data protection is full of buzzwords and phrases - 'PIAs', 'PbD', 'accountability', 'privacy engineering' and so on - but they are meaningless in the absence of assurance. Assurance is the mechanism that provides a hard test of the extent to which the ambitions behind those buzzwords and phrases have moved from the lips into the actual daily operations of a business. And in the hardest test of all - failure that leads to regulatory investigation and enforcement - assurance becomes the focus of analysis and the guarantor of remedy.

What I am talking about is the testing and review of systems and operations for data protection by audit. Audit is a vital component in the building of trust and resilience. Very important things are audited. That is why the books of listed companies are subject by law to independent audit. That is why we have a National Audit Office, to monitor the spending of taxpayers' money by government. That is why schools and hospitals are audited - and law firms too.

In the data protection space we already see audit serving as the focus of analysis and the remedy for failure. The biggest case in the data protection world at the moment is Europe v. Facebook, which is examining the lawfulness of the Safe Harbour scheme for transferring personal data to the United States. At the very heart of the case is the question of audit: the extent to which citizens of Europe can trust the claims of data protection compliance made by US entities that have signed up to the Safe Harbour scheme.

In the United States, audits feature in all the big enforcement cases brought by the FTC, which regulates data privacy as a consumer protection issue. The FTC uses audit as a remedy, imposing twenty-year independent audit programmes on entities that fail to handle personal information properly.

In the UK, the government recently introduced compulsory data protection audits for the NHS. The law that underpins this new power of compulsory audit by the regulator, the ICO, was itself a remedy mechanism, introduced in legislation in 2009 as part of the response to very serious data handling failures in the UK government and public sector. In Europe, compulsory regulatory audits for data protection and security in the telecommunications sector have existed since 2009, via amendments made to the PEC (e-Privacy) Directive.

The focus on data protection audits is seen most clearly in the UK in the regulator's enforcement strategy. It seems that the high-water mark of data protection fines has passed. The ICO has quietly shifted towards audit as its preferred mechanism of regulatory supervision and enforcement. The number of annual fines has dropped rapidly, while the number of audits carried out by the ICO's audit team has risen at a corresponding rate. When exercising its enforcement powers the ICO seeks disclosure of audit reports, because they can provide 'smoking gun' evidence. And when 'Undertakings' are agreed, under which data controllers promise to change their businesses to improve data protection compliance, audits are commonly part of the change programme that is requested and signed up to.

It is all about assurance. It underpins everything. This is why the EU's current reform agenda for data protection and cyber security contains many new express provisions on the performance of audits, not least as part of the breach disclosure process. It is also why the ICO is promoting a 'privacy seal' framework, an assurance idea that will have to be underpinned by audit.

If audit provides the focus for data protection and the remedy for failure, it is vital that the audit itself can be trusted. The questions of trust and integrity in the data protection assurance world have played out not only in the current Europe v. Facebook case and the Safe Harbour row, but also in direct regulatory action by the FTC against a data protection trust provider. The spotlight will shine on the quality and reliability of data protection audits with ever-increasing intensity as the data protection world matures.

Entities need to embrace data protection auditing fully. It needs to be part of the regular cycle of business. And it needs to deliver real assurance, not false assurance. This means that the spotlight needs to shine on the auditor too. Simply being 'in' the data protection field does not make a person an auditor. It is not a natural progression from, or an entitlement to practise that flows from, writing privacy policies or giving legal advice. It is an expert skill. Anything less risks false assurance, failure and adverse scrutiny.


To find out more about how we can help address key data protection, privacy and optimisation challenges facing your organisation, please get in touch with one of our subject leaders.