GDPR Radio – Episode 139

Jasmine Harrison, Philip Brining and Joe Kirk

Insights from Data Protection Made Easy Podcast

Data Protection Made Easy Episode 135

The ICO’s Audit of PSNI and Beyond

Tune In to Episode 129 of the Data Protection Made Easy podcast, hosted by Tristan Mills and Philip Brining. This podcast is your trusted source for navigating the intricate world of data protection. Stay informed and engaged with the latest insights and news, including our special segment, News of the Week, which offers a concise snapshot of this week’s discussion.

News Story Of The Week

The ICO published a summary of its consensual audit of the Police Service of Northern Ireland (PSNI) last week, making 60 recommendations, 11 of which were flagged as “urgent”.  The audit followed the very public personal data breach in which information about the force’s employees was accidentally published in response to a request for information under the Freedom of Information Act (2000).

The scope of the ICO’s audit was governance and accountability and data sharing and the ICO’s audit team gave an assurance rating of “limited” suggesting there is a limited level of assurance that processes and procedures are in place and are delivering data protection compliance.  The audit identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with data protection legislation.

Areas found wanting included:

1.   The lawful bases for processing were not determined and documented for each processing activity, and the Appropriate Policy Documents are not published as required by sections 35 and 42 of the DPA18.
2.   Records of processing activities (RoPAs) were either not in place, not comprehensive or not complete, and there was no formal process in place to review them periodically.
3.   Training of employees in data sharing processes and other areas of data protection compliance, sufficient for them to perform their responsibilities, had not been completed.
4.   Data sharing arrangements need reviewing and documenting.
5.   Processes for undertaking data protection impact assessments (DPIAs), including guidance and templates, need implementing or improving; in particular, clarification is needed as to who has the authority to sign off on risks.
6.   Processes for managing information assets need improvement. In particular, the transfer of ownership of an information asset from one employee to another should be subject to a handover process, so that information asset owners (IAOs) are aware of their responsibilities before they take on the role and are fully capable of fulfilling them, including completing any training necessary.

Having just completed a series of data protection audits and health checks, I thought it would be useful to compare the ICO’s findings with my own.

In most cases during an audit, I find that there is something to report in most of the 30 or so topical areas I look at. For example, there is usually some rudimentary form of RoPA, but it is never complete. Never. As an auditor, I like to select a sample of the RoPA records and physically inspect them in the workplace. I also like to select a sample of work tasks in the workplace and try to locate them on the RoPA. But to date, I’ve never been fully satisfied that a RoPA and the surrounding business processes to maintain it provide a high level of assurance with regard to compliance.

The lawful basis for processing is often recorded on the RoPA and, again, it usually contains some entries that are appropriate. Most RoPAs are kept in Excel spreadsheets, and in some of the rows the lawful basis is simply not recorded. In other rows the lawful basis cited is not actually one of the options provided in Article 6 of the GDPR. I always home in on RoPA rows containing special categories of personal data and also those where consent is cited as the lawful basis. But sadly, my experience over scores of audits is that RoPAs are usually incomplete and the lawful basis for processing is not clearly and accurately stated.

Data sharing and disclosure is also invariably an area of weakness, whether that is disclosure to other controllers or to processors. There are usually gaps in record-keeping, sharing undertaken without appropriate contracts and, sometimes, contracts without the necessary clauses in them. Processors and data sharing are usually flagged as an area with a low level of assurance. This is a great surprise given the continued stream of supply-chain-induced personal data breaches.

Where I find a process for undertaking DPIAs, the actual DPIAs undertaken are often of poor quality. I expect to be able to pick up a DPIA and understand the processing activities it is meant to be reviewing. But in many cases the DPIAs are garbled and incoherent to me as an independent observer. They may well mean something to the author, but my view is that they should also be understandable to a wider audience.

Training is also an area of weakness. In many cases there is evidence that employees have undertaken a 20-minute GDPR e-learning course, but no evidence that they have been trained in the processes operating within their own business. This is a major shortcoming. To me, knowing a little about cyber security in general is only partially useful; the missing link is usually how my employer approaches security.

In conclusion, while I could go on about all of the other aspects of a data protection and privacy compliance assessment, the unfortunate truth is that I could have lifted the ICO’s findings and inserted them straight into a typical audit report I have written, and vice versa. I still fail to understand why so few organisations undertake an independent annual compliance check. It’s such a shame that it is not mandated as a requirement where appropriate. A missed opportunity, in my opinion.

Data Protection People undertakes data protection compliance audits, gap analyses and health checks. Contact us for further information.

Next Week’s Episode: Unlocking the Potential of Inspiring Leadership in Data Protection and Cybersecurity

Don’t miss our upcoming episode, where we will be joined by Michelle Griffey, Chief Risk Officer at Communisis. Michelle will share her expertise on mitigating data protection risks and driving transformation through governance strategies. Discover the power of inspiring leadership in championing data protection within your organization.

Whether you’re a seasoned professional or new to the field, our podcast promises to inspire and equip you with strategies for enhancing growth and building a resilient, secure future.

If you haven’t already, be sure to subscribe to Data Protection Made Easy podcast to stay informed and engaged with the latest developments in data protection.