Data Protection Audit
The implementing regulation of the old LOPD stated clearly that a Data Protection Audit had to be carried out every two years in all organizations required to apply a certain level of security measures.
Article 96 Audit. 1. Starting at the medium level, the information systems and data processing facilities shall be submitted, at least every two years, to an internal or external audit that verifies compliance with this Title.
The current legislation does not state this explicitly, which is why many people have mistakenly concluded that data protection audits are no longer mandatory.
Contrary to what many people believe, the GDPR makes several references to audits:
- Article 32 of the GDPR states that security shall be ensured by, among other measures:
d) A process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing.
- Article 28.3(h), on the data processor:
Article 28.3(h) on the Data Processor: … as well as to allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
- Article 39 of the GDPR sets out the tasks of the Data Protection Officer, including the supervision of audits:
Article 39 on the tasks of the Data Protection Officer: To monitor compliance with the provisions of this Regulation, … , including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.
- Article 47 of the GDPR addresses Binding Corporate Rules and the need for data protection audits:
Article 47 on Binding Corporate Rules: They shall specify the mechanisms established … . Those mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject.
- Finally, Article 58 of the GDPR tells us that the supervisory authority may carry out investigations in the form of audits:
Article 58 on the Powers of supervisory authorities: to carry out investigations in the form of data protection audits.
Why should a Data Protection audit be performed?
- To evaluate the risks to which the company is exposed.
- To review the security measures that have been implemented.
- To detect new risks that did not exist in the past, arising from continuous technological change.
- To adapt security measures as part of a process of continuous improvement.
- To demonstrate compliance to third parties: top management, shareholders, investors, etc.
The Data Protection Agency's position on audits is that, under the GDPR, they are not mandatory but they are necessary.
Now that it is clear that audits are necessary in order to comply with the principle of accountability and to verify whether the degree of compliance in data protection is adequate, we invite you to request more information via the following link.
ISO 27001 Certification
In order to comply with European legislation on Data Protection, each organization must assess the risks to the personal data it processes in order to implement the mechanisms needed to protect that data. For this purpose, many organizations see the ISO 27001 standard as a convenient way to establish their Information Security Management System.
ISO 27001 allows companies to certify their Information Security Management System (ISMS). A company that obtains certification conveys its commitment to information security to its customers, employees and suppliers.
At Auratech we have lawyers certified by AENOR to audit and certify your company's ISMS against the ISO 27001 standard.
This international standard establishes guidelines for information security in organizations and for information security management practices, including the selection, implementation and management of controls, taking into account the organization's information security risk environment.
This international standard is designed to be used by organizations that intend to:
- a) select controls within the process of implementing an Information Security Management System based on the ISO/IEC 27001 standard;
- b) implement commonly accepted information security controls;
- c) develop their own information security guidelines.
The GDPR represents the most significant change in data protection legislation at the European and global level in the last 20 years. Its purpose is to protect the privacy of the personal data of all citizens residing in the European Union.
ISO 27001 is the leading international standard for ensuring information security.
It was developed on the basis of the British standard BS 7799-2 and first published in 2005. Many companies see ISO 27001 certification as the starting point for compliance with the GDPR.