The Data Protection Authorities (“DPA”) in the EU Member States have the mission to protect human rights in the processing of personal data. To this end, each DPA has special powers to audit and enforce compliance with the GDPR. What are those powers, and how can you best prepare your business for an audit?
What is at stake?
An inspection that discovers a lack of compliance with the GDPR will trigger action from the DPA. The actions can be formal (e.g. a warning, a prohibition or administrative sanctions) or result in commercial liability. A finding of non-compliance will most likely also result in negative publicity for the controller’s business.
Two different types of audits
There are generally two routes the DPA can take in its investigation: a survey inspection or a field inspection. The survey inspection (sometimes referred to as a desk inspection) consists of six steps of information exchange between the controller and the DPA. The field inspection includes both the exchange of information and a physical inspection at the controller’s facility. The two types of inspection can be combined, which means that a survey inspection can lead to a field inspection or to further action.
What Audit Powers does the DPA have?
When imposing fines, the DPA shall consider the severity, the nature and the duration of the violation. It will also consider whether the violation was caused by intent or by negligence on the part of the processor. The DPA can order both the data controller and the data processor to submit information and to grant access to all facilities that belong to the controller or the processor. The DPA can also demand, through either the controller or the processor, access to all personal data and other information needed to perform the audit. If the investigation is obstructed, the obstruction can have a direct impact on the fines imposed.
Are You Audit-Ready?
Because of the DPA’s investigative powers, it is important to prepare your business for any eventual visit or audit.
Example questions from a Data Protection Authority:
- How did you purchase IT service X?
- How did you assure all requirements were met?
- Have you been able to make requests on the technical design?
- What issues have you raised with the supplier?
- What mitigating actions have you implemented?
The Swedish DPA
The Swedish DPA does not have the right to use any coercive measure, e.g. police assistance, in its audits. If a controller does not follow a corrective measure that has been imposed, this will be considered an aggravating circumstance. Aggravating circumstances may also affect the level of the fine imposed. The Swedish DPA publishes its yearly audit plans on its website. It targets activities that carry a greater risk of violating the rights of the individual, in the form of prioritised areas, specific industries or businesses, or new phenomena. The Swedish DPA also has the right to perform additional audits, e.g. based on complaints from individuals.