Date  |  Category: GPRS-News

Gain an overview of data protection in your company - Find out which method will help you best

GDPR-Series #5 | June 2020

All companies processing personal data must ensure compliance with data protection regulations and provide appropriate documentation. This follows clearly from Art. 5 Para. 2 of the GDPR. The mere existence of data protection regulations and the appointment of a data protection officer do not ensure that the regulations are functional and that the requirements are effectively complied with by all employees. Although management is legally responsible for compliance with data protection regulations, senior management is often unable to assess and define the degree of compliance itself due to a lack of evidence. Especially where a company acts as a service provider in the sense of Art. 28 GDPR (processor), compliance with GDPR requirements must also be demonstrated to the client in a verifiable way. Many companies that offer the processing of personal data as a service are now required by their clients to provide qualified confirmations of compliance with data protection regulations.

Implementation of an internal control system for Data Protection Compliance (ICS)

In practice, such verifiability can easily be achieved by integrating data protection controls into daily operations. Internal controls for the essential elements of data protection can act as a data protection control system (data protection ICS). The data protection ICS contains controls that are integrated into all (sub)processes of the company relevant to data protection adherence. Documentation and evidence are produced promptly within the processes themselves, and their effectiveness can then be judged easily. This can be clearly illustrated using the example of obtaining confidentiality declarations from new employees:

  • If the personnel department already holds proof for each new employee that such a non-disclosure agreement has been obtained, it is very easy to objectively measure the error rate and thus the efficiency of the implementation of the requirement.

Which controls are important can be seen in the audit note of the Institute of Auditors in Germany e.V. (IDW) published as IDW PH 9.860.1 "Prüfung der Grundsätze, Verfahren und Maßnahmen nach der EU-Datenschutz-Grundverordnung und dem Bundesdatenschutzgesetz". Processors must ensure that internal controls allow the verifiability of data protection compliance for activities handled on behalf of other companies, at least in the processes and areas relevant to the provision of the data processing services.

The minimum scope of the data protection ICS can also be well derived from the interfaces of responsibilities between controller and data processor. Regulations that are typically implemented by the controller are not necessarily the subject of the data protection ICS at the processor’s end. Accordingly, the implementation of the information obligations towards the data subjects or the performance of a data protection impact assessment must be aligned and assessed directly at the controller’s end.

For a processor, at least the following criteria should be auditable within the scope of a data protection ICS:

  • Appointment of a data protection officer and the level of fulfilment of the legally required activities
  • The engagement and contractual arrangements of subcontractors in relation to the relevant service, including data transfers to third countries where applicable
  • Processes for handling data protection incidents and reporting them to the client
  • Training or sensitization of employees with regard to data protection compliance
  • Technical and organisational data protection measures in relation to the relevant service
  • For software development (where provided as part of the service): implementation of the principles of Privacy by Design and Privacy by Default
  • Data protection-compliant deletion / destruction of the personal data processed on behalf of the client
  • Maintaining a register of processing activities relating to the relevant service

Evaluate effectiveness during operation / Implementation support

Different types of evidence are relevant for effectiveness. For example, it should be possible to prove that a declaration of confidentiality was obtained during the recruitment process, and it should be possible to prove that the Data Protection Officer has sufficient knowledge by means of evidence of continued training.

The introduction of a control system can be supported efficiently, in particular by a consultant or Data Protection Auditor who, based on experience, provides guidelines appropriate to the specific company, so that regulations are neither overburdening (and thus inefficient) nor are necessary regulations forgotten or disregarded. In addition, the auditor can, for example, provide support once a year in the internal effectiveness review or, alternatively, confirm the effectiveness and functionality of the internal data protection control system in an audit. Since in most companies employees are likely to be working at full capacity in their daily routine, engaging a consultant is often a good way to keep the effort and the burden on employees during the introduction of such an internal control system manageable.

Advantages of a data protection ICS

A data protection ICS has advantages in several respects: the management of a company can evaluate the effectiveness of data protection at any time by means of objective evidence and have it confirmed by an (external) audit with a manageable amount of effort and time. With proof of "audited data protection", the services can be advertised and the frequently agreed contractual obligations can be met easily. In fact, contractors are often expected to provide a qualified audit confirmation so that onsite audits can be avoided. Such evidence is already often expected in the phase of selecting a service provider and is requested annually thereafter to ensure effective control of outsourced processing.

The availability of qualified audit confirmations can also support the simplified verification of data protection in the year-end audit process and will thereby help to save costs.

Scalability of a data protection ICS audit

An audit to confirm compliance with data protection in the company can also be scaled if required, i.e. divided according to audit topics. First the adequacy of the regulations and then their effectiveness can be assessed. In this way, the financial and workload-related burden on the company is distributed over time and is easier to bear. Similar to the procedure for ISO certifications, the continued effectiveness of the measures can be confirmed with relatively little effort in the year after the initial certification/first audit.

For data processors, the introduction of a data protection ICS is a recommendable way of making existing data protection measures more assessable, and thus of making the quality and risks of a contract easy to evaluate for potential or existing clients. This is a decisive criterion for risk assessment, especially given the non-delegable liability of the client (the controller, or responsible party) that results from the processing of personal data.

As a DEKRA-certified Data Protection Officer and DEKRA-certified Data Protection Auditor, I would be happy to support you in setting up or auditing your internal data protection control system.

For any further questions or offer please contact me using the contact form or simply give me a call.

Best regards

Linda Liesum