This document outlines Thornton Group's experience preparing for and undergoing a data protection audit by the Office of the Data Protection Commissioner (ODPC). It details Thornton Group's process of conducting an internal review, revising policies and procedures, training staff, and collecting documentation over four weeks to prepare for the audit. On audit day, ODPC investigators reviewed documentation, interviewed staff, and conducted a site visit. The audit resulted in a positive recommendation and reinforced the importance of data protection compliance.
1. Surviving a Data Protection Audit
David Hickey
Thornton Group – Insurance Loss Adjusters
28 January 2015
2. • Largest firm of Insurance Loss Adjusters in Ireland
• 170 staff in 8 locations
• Multiple group specialist companies
– Property, Jewellery, Liability, Marine, Business Interruption
• Settle insurance claims on behalf of major insurers
4. Compliance Agenda
• Regulated by Central Bank
• Consumer Protection Code
• Complaints & Internal Audit
• Information Security
• Data Protection
5. Data Protection
• DP was traditionally part of H.R. function
• Increasing DP questions arising in Information Security audits
• Engaged ISAS to carry out IS & DP readiness audit – Aug 2014
• Outcome: 43 issues of concern varying in severity
• Decision to train and appoint DPO – Sept 2014
7. Sept 22nd - Notification of Audit
• Audit date: Fri 10th Oct 2014
– Four weeks' notice
– 3 investigators full day
– Interviews with key staff
– Paper & systems audit
– Possible “Walkabout”
• Documentation: Fri 3rd Oct
– Three weeks to get ready
8. ODPC Powers
"The Commissioner may carry out or cause to be carried out such investigations as he or she considers appropriate in order to ensure compliance with the provisions of this Act and to identify any contravention thereof"
9. Immediate Concerns?
• Compliance with Data Protection – unknown
• Issues from ISAS review – not yet addressed
• Staff awareness – uncertain
• Information flows – not documented
• Procedures – not documented
• Poor ODPC Audit could damage reputation or worse
12. Timeline (flattened diagram; recovered content grouped by column and row)
• BEFORE
– Pre-2014: some policies in place; not all procedures documented; staff awareness patchy
– Sept 2014: Board appoints D.P.O.; notice of audit
• Week 1
– Internal discovery: collection of DP-related documents; contract review; current state review
– Email to ODPC
• Week 2
– Call with ODPC
• Week 3
– Pack to ODPC
• Week 4
– Audit by ODPC
• POLICIES: review existing; write new; based on the 8 rules; follow the information; emails to staff
• PROCEDURES: document existing; create new; reflect the policies; staff awareness
• PEOPLE: internal checks and audits; staff training plan; DP training for key staff; brief audit participants
13. Starting Point
Code of Practice on Data Protection for the Insurance Sector
(Approved by the Data Protection Commissioner under Section 13 (2) of the Data Protection Acts, 1988 and 2003)
14. Week 1: what are we likely to be asked?
• Kinds of personal data?
• Any sensitive data?
• Approximate volumes?
• Our policies and procedures?
• What staff training is provided?
• Have we experienced difficulties in relation to Data Protection?
• Contracts with 3rd party data processors?
• WHAT DID WE DO?
– INTERNAL REVIEW
– Public documentation
– ODPC website
– Consulted ADPO
– Consulted ICS SKILLS
– Consulted AMNCH
– Re-engaged ISAS
– Engaged MASON HAYES & CURRAN
• INTRODUCTORY EMAIL TO ODPC
15. Week 2: what do we need to prepare?
• REVIEW
– Registration with DPC
• POLICIES
– Data Protection
– Information Security
– ePrivacy
– HR and Hiring
– Data retention and destruction
– Subject access requests
– Training
• WHAT DID WE DO?
– Updated DP Policy
– Collated existing policies
– Wrote missing policies
– Updated staff / awareness
– Scheduled formal training
– Updated the Board
• PHONE CALL WITH ODPC
17. Week 3: Evidence?
• PROCEDURES
– Document all processes
– Information handling
– Movement of paper
– Electronic file movement and security
• LOGS
– Breaches (real or potential)
– Subject access request
– User permission reviews
– Training
• DOCUMENTATION PACK TO ODPC
19. Week 4: Ready – Set – Go!
• POLICIES & CONTRACTS
– Review for completeness
• PROCEDURES
– Spot checks
• STAFF
– Reinforce awareness
– Brief potential interviewees
• DOCUMENTATION
– Collate and Index everything
• AUDIT BY ODPC
22. Audit Day
• 10:00am – 4:30pm
• 3 x ODPC investigators
• Dedicated Meeting Room
• 6 x company interviewees
• 40+ documents for review
1. ODPC introduction
2. Company CEO introduction
3. Ops Director Business overview
4. Policy and Procedure review
5. Logs and other records
6. Sample cases
7. Walkabout
8. Preliminary feedback
23. Investigation
• 3 Investigators
– Professional & Courteous
• Interested in Information/Data flow
– Overview of our business was important
• Parallel review of 40+ documents
– Little chance of missing anything
• Attention to detail
– Lots of questions and note taking
• Review of Specific (not Sample) cases
– Paper first, then electronic data relating to same cases
26. Audit Result
SUMMARY
"Excellent co-operation was received throughout the inspection. The Inspection Team considered that there was excellent organisational awareness of data protection principles generally"
RECOMMENDATION
"It is recommended that any [Data Subject] access request received …… is passed to the relevant client in the first instance and …. redacts any third party personal data when providing documentation."
December 2014
27. Lessons Learned
• A Data Protection Audit gets the Board's attention!
• Be positive – use the opportunity to streamline bad practices
• It's time-consuming! Get internal and external help
• Co-operate – provide documentation in advance to ODPC
• Be able to evidence that policies and procedures are in use
• Raise staff awareness
• Prepare an overview of the business and information flow
• Most important lesson: ENGAGE with ODPC!