Privacy protection has recently been stealing the spotlight. Avoiding a fine from the supervisory authorities is not the only reason: organizations also build a positive image by showing that they handle personal data carefully. Joop Jansen is Chief Legal Officer at Partner in Compliance. Through his years of experience at small and large companies, he knows this field like no other and has conducted many privacy audits.

What is the trigger for a privacy audit?

This varies a great deal. It can be the transition to a different IT system, a company takeover, the outsourcing of HR or IT departments, a change in services, a data breach, the prevention of a fine, or a fine imposed by the supervisory authority.

I also come across cases where an additional check is requested for the observance and interpretation of the General Data Protection Regulation (GDPR). For example, by a notary’s office because they work with a lot of confidential data. One of the client’s requests was to run a check based on the latest insights. In practice, there is a lack of clarity regarding the retention period for data. We can certainly provide that clarity.

What is the purpose of a privacy audit?

For the board, it is to meet its responsibility to be privacy-compliant. The goal of the departments is to outline a clear framework on how employees can do their jobs in line with privacy laws and regulations. Not only is awareness of the requirements essential, but also the why behind them.

I see a shift in purpose. The privacy audit is now used more to demonstrate that you are doing things right as an organization. I expect this to increase, also in light of the media attention to data breaches.

Looking from the outside in, we see how the privacy audit is increasingly turning into a tool showing that your organization is doing things right.
Joop Jansen

What happens in a privacy audit?

That depends very much on what prompted the audit. In general, you can say that we check whether the organization is compliant with privacy laws and regulations. We look at whether the processes are correctly designed: is no more data recorded than necessary, is the data processing carefully organized, and is the protection of data adequately regulated? We also look at how the processes are implemented in practice.

In practice, we encounter the increasing use of an external IT system or the cloud. In the audit, we look at whether the agreements with the external supplier and the processes are privacy-compliant. We see that this is not always the case for the reporting of a data breach. Both parties must report the data breach to the Dutch Personal Data Authority (Autoriteit Persoonsgegevens, or AP). But who decides if something is a data breach? It is important to set this up properly. The final responsibility lies with the board of your organization.

What are the benefits for my organization?

After a privacy audit, you have a clear insight into how your organization is doing. A baseline measurement: is your organization compliant or not? How is the acquisition, recording, use, protection, and destruction of personal data organized within your organization? We give you advice on the focal points and bottlenecks. You will receive practical advice on how to proceed.

What do you think is an interesting example of a privacy audit?

A medical conference organizer who records the personal data of participants, doctors from all over the world. You are not only dealing with European directives but also with international privacy laws and regulations. One of the audit findings was that the client could inquire about dietary requirements or food allergies through the website but could not record them in the database. The only valid basis for this information was the actual dinner at the conference.

We see more often that:

  • more data is collected than necessary
  • data is kept for too long
  • it is not clear who is responsible for the personal data
  • the process of handling consumers’ questions about recording their data has not been set up or has been set up incorrectly

What’s the most fun audit you’ve done recently?

A very amusing audit was research for an organization that provides virtual reality glasses for surgeons. The question was: is patient consent required? When we looked at it objectively, it was quickly evident that it is not. No records were present. The images – in which the patient is not recognizable – are only used during surgery so that other doctors can watch remotely to learn.

What makes your work in privacy audits so enjoyable?

I find it interesting to be able to apply my knowledge. Through my work, I visit many different types of organizations and get to know them as I go through their processes. Every organization is unique. What I like about my work is that I can look from the outside in. I can point out where process improvements can be achieved and what savings can be made.