Friday 22 September 2017

How many audit controls does an organisation need to establish to show that it takes data protection seriously?

Whenever I visit a clinic for a health check, I’m asked a slightly different set of questions. Each clinic is very professionally run, and, until recently I haven’t been unduly concerned that the same questions aren’t always asked. I’ve generally been healthy, so I guess there was never any real need for the medical profession to probe too deeply.

So, why should I be worried about different questions being asked about data protection? How deeply should professionals probe into the 'data protection' health of an organisation?

The question arose because I’ve recently had an opportunity to compare my methods with those practiced by a chum in Austria. When I’m asked to probe an organisation, I review it through the lens of some 45 controls. When my Austrian chum probes, he uses a similar number – for starters – but might then extend his examination to cover some 200 controls – each of which can be specifically linked to GDPR requirements.

And these are just GDPR controls. He told me that, in Austria, some projects necessitated the use of a further 30 or so controls, to reflect specific aspects of Austrian data protection legislation.

So, he was happy that the GDPR might involve him dropping up to 30 redundant controls.  But, what might my clients might say if I slipped into the next conversation that what I needed to do was focus not just on my initial 45 controls, but  an additional 155. How would that go down, I wondered.

Tell me, fellow data protection professionals, how many controls are sufficient for an organisation to rely on? Should it simply rely on the controls that the ICO uses in its “Getting Ready for the GDPR” checklist?

Or should it introduce more? – and if so, just how many more?

The answer, obviously, depends on the extent to which the organisation’s processing is likely to harm individuals, and in particular how much harm could be caused to how many individuals.

So, organisations need to take a risk-based approach to developing appropriate data protection controls.

My Austrian chum might well have been right all along -  perhaps there are a significant number of organisations that need his “full fat” suite of over 200 controls. And perhaps I have been misleading clients into believing that my set of 45 was sufficient.

I won't know whether I have been misleading anyone until a data breach has occurred and the ICO’s enforcement team has decided that an aggravating factor in the case was the organisations decision to rely just on my initial suite of 45 controls.

So, I’m praying on my initial hunch that my ‘suite of 45’ will be sufficient to prevent a reportable breach for which the inadequacy of my control set was partly responsible.   

Wish me luck.