The Privacy Audit is an assessment of company processes that establishes their degree of compliance with current legislation. It can be compared to a medical check-up, because it must be carried out by an independent expert, the auditor, whom we could compare to the doctor.
Where pathologies are found, or rather where something in the company's data collection and processing needs to be improved, the doctor-auditor (who must be a data protection expert at both the legal and the IT level) prescribes the appropriate "treatments".
From a practical point of view, the audit consists of periodic interviews with the owner and with all the persons in charge of, or managing, data processing in the company. The questions aim to establish how data is collected and processed: companies are asked, for example, whether security systems that protect the stored data are already in place, such as backup systems, firewalls and anti-spam.
A typical pre-audit activity is a thorough analysis of the privacy documentation used in the company, examining in particular the procedures, the data flows, the retention of the data and how they are stored, the type of access to the data that staff can exercise, and the methods by which processing is carried out. Specific attention is also paid to the IT system, to ensure that it is compliant and that the data are protected by adequate security measures.
To understand how important the Privacy Audit is, let's take a step back to get a better view of the overall picture. Under the new European Regulation, the Data Protection Officer (the privacy officer) has a proactive role. It is his responsibility to manage company data: from preventing the risk of breaches (so as to avoid penalties) to handling any breaches that do occur.
The first step towards compliance, therefore, is the Audit, with the aim of:
- checking the degree of compliance with current legislation, which is no longer Legislative Decree 196/2003 but the EU Regulation;
- checking the degree of compliance with the corporate privacy policies that all employees are required to observe;
- verifying the presence of a privacy officer with skills in the field of corporate compliance;
- assessing whether the management and/or processing of data can be entrusted to a qualified service provider;
- checking the effectiveness of corrective actions taken following a "non-compliance".
Don't take unnecessary risks by waiting until the last moment to adapt: in case of non-compliance with privacy obligations, the European Privacy Regulation provides for administrative fines of up to € 20,000,000, or up to 4% of your turnover if that is greater.