What to Do When the Regulator Comes Knocking Ann Bevitt, Partner, Morrison & Foerster LLP Endre Győző SZABÓ, Vice-President, Hungarian Data Protection Authority

OVERVIEW

• Scope of review

• At-a-glance guide to powers and levels of activity in EU

• Focus on Hungary and UK

• Practical advice on how to react and respond

SCOPE OF REVIEW

• In-scope: inspections and audits

• Out-of-scope: other enforcement activity

AT-A-GLANCE GUIDE TO POWERS AND LEVELS OF ACTIVITY

| Country | General Powers of Inspection/Audit | Level of Recent Activity |
|---|---|---|
| France | Power to inspect. Power to inspect online/remotely. | 458 inspections in 2012 and 173 on video surveillance/video protection. 400 inspections planned for 2013. |
| Hungary | Power to inspect and audit. | 44 recent formal procedures. |
| Ireland | Power to audit. | 33 audits in 2011. 40 audits in 2012. |

AT-A-GLANCE GUIDE TO POWERS AND LEVELS OF ACTIVITY (2)

| Country | General Powers of Inspection/Audit | Level of Recent Activity |
|---|---|---|
| Italy | Power to inspect. | 395 inspections in 2012. 400 inspections in 2013. |
| Netherlands | Power to inspect. | 58 audits and 93 inspections prior to authorizations in 2012. 400 inspections planned for 2013. |
| Spain | | 5,389 investigations in 2012. |
| UK | Power to audit. | 42 audits in 2011-2012. 58 audits in 2012-2013. |

FOCUS ON UK: POWERS

• ICO’s 2012-13 Annual Report:

– General level of ICO enforcement activity increasing in many areas, e.g.

• £2.6 million civil monetary penalties levied (double the amount levied in the previous 12 months); and

• 58 audits conducted (increase of 38% on the previous 12 months).

FOCUS ON UK: CONSENSUAL AUDITS

• Section 51(7) of the Data Protection Act 1998:

– power to assess any organisation’s processing of personal data for the following of “good practice” with the agreement of the organisation.

• Audits are therefore voluntary and are designed to assist companies with compliance and promote best practice.

FOCUS ON UK: CONSENSUAL AUDITS

• Benefits of a consensual audit:

– raise awareness of data protection;

– show commitment to, and recognition of, importance of data protection;

– provide opportunity to use ICO’s resources at no expense;

– allow independent assurance of data protection policies and practices;

– identify data protection risks and provide practical, pragmatic, organisational specific recommendations;

– share knowledge with trained, experienced, qualified staff; and

– lead to improved working relationship with ICO.

FOCUS ON UK: ICO’S APPROACH

• Risk-based approach to identifying which companies are asked to agree to audit.

• Risk factors include:

• number of complaints ICO receives about organisation; and

• nature of data it processes.

• Companies can invite ICO to audit them but unless there are sufficient risk factors associated with their processing of data, ICO will decline.

FOCUS ON UK: ICO’S APPROACH (2)

• Audit will assess procedures, systems, records and activities to:

– ensure appropriate policies and procedures are in place;

– verify policies and procedures are being followed;

– test adequacy of controls in place;

– detect breaches or potential breaches of compliance; and

– recommend any indicated changes in control, policy and procedure.

FOCUS ON UK: AUDIT MECHANICS

• Audit comprises:

– off-site check of policies; and

– on-site review of procedures in practice.

• ICO provides report:

– outlining good practice;

– detailing any areas of improvement required; and

– making recommendations to address these areas.

• Executive summary of report published on ICO’s website (with organisation’s consent).

• Follow up review c. 6 months later.

UK: TO AGREE OR NOT TO AGREE, THAT IS THE QUESTION

• Relevant factors to consider include:

– perceived level of existing compliance generally, or within parts of organisation;

– potential negative publicity and possible damage to brand and/or reputation arising out of refusal to agree;

– positive publicity and enhancement of brand and/or reputation arising out of positive audit;

– raising of profile and awareness of data protection within organisation as a result of audit process.

UK: KEY CONSIDERATIONS FOR COMPANIES

• Scope of audit

• Timing of audit

• Preparation for audit

• How best to manage any potential risks associated with the audit.

UK: SCOPE OF AUDIT

• 6 potential areas to be covered by audit, although audit will cover maximum of only 3 of:

– Data protection governance;

– Training and awareness;

– Records management;

– Security of personal data;

– Requests for personal data; and

– Data sharing.

UK: SCOPE OF AUDIT (2)

• To be meaningful, scope should not be too narrow.

• But, risks associated with any audit and time/downtime costs involved support limited scope.

• Key is to ensure chances of positive outcome maximised.

• Relevant factors include size of business, amount and type of personal data being processed and nature of complaints received to date.

UK: LETTER OF ENGAGEMENT

• Issues to consider when finalizing the letter of engagement include:

– timing of audit;

– size of audit team;

– timeframe for audit visit, ICO’s production of draft report, organisation’s review of draft and agreement to it, and ICO’s publication of executive summary; and

– type of follow-up organisation is happy for ICO to undertake.

UK: OTHER PRACTICAL CONSIDERATIONS

• Ascertaining number and names of ICO staff undertaking audit (to arrange security access).

• Understanding methodology to be used during audit process.

• Preparing business for audit, e.g.:

– describing role of ICO/purpose of audit;

– explaining scope of audit and what will happen during audit process; and

– undertaking mock audit with help of external third party.

FOCUS ON HUNGARY

• Procedures:

– Investigation – informal procedure

– Administrative procedure – formal

– Data protection audit – optional

HUNGARY: INVESTIGATION

• DPA acts as an “ombudsman”

• Complaint-based

• DPA anticipates co-operation of data controller

• May be turned into formal procedure

HUNGARY: ADMINISTRATIVE PROCEDURE

• Ex-officio

• Formal

• Decision is binding (obligations, fine)

• Decision may be challenged before the court

HUNGARY: AUDIT

• Data controller knocks on DPA’s door

• DPA charges a fixed fee

• Result is public, with the consent of the data controller

WHAT TO DO WHEN THE REGULATOR COMES KNOCKING…

TAKEAWAYS: KEY DO’S AND DON’TS

• Do:

– Ascertain nature/power of “knock”

– Confirm/agree scope/timing

– Prepare business properly

• Don’t:

– Lie

– Allow “project creep”

– Underestimate consequences

USEFUL DOCUMENTS AND REFERENCES: UK

• Auditing Data Protection: A Guide to ICO Data Protection Audits: http://ico.org.uk/for_organisations/data_protection/working_with_the_ico/~/media/documents/library/Data_Protection/Detailed_specialist_guides/auditing_data_protection.pdf

• ICO’s 2012-13 Annual Report: http://ico.org.uk/about_us/performance/~/media/documents/library/Corporate/Research_and_reports/ico-annual-report-201213.ashx

USEFUL DOCUMENTS AND REFERENCES: HUNGARY

• Annual report of the National Authority for Data Protection and Freedom of Information, 2012: http://www.naih.hu/files/Annual-report_NAIH_2012_EN_FINAL1.pdf

• Aspects of data protection audit (in Hungarian): http://www.naih.hu/files/AdatvedelmiAuditSzakmaiSzempontokVegleges.pdf