If your organisation has an internal audit programme, it covers data protection and related information governance (for example security and records management) in sufficient detail.
Ways to meet our expectations:
- You monitor your own data protection compliance and you regularly test the effectiveness of the measures you have in place.
- Your organisation regularly tests staff adherence to data protection and information governance policies and procedures.
- You routinely conduct informal ad-hoc monitoring and spot checks.
- You ensure your monitoring of policy compliance is unbiased by keeping it separate from those who implement the policies.
- You have a central audit plan/schedule in place to show the planning of data protection and information governance internal audits.
- You produce audit reports to document the findings.
- You have a central action plan in place to take forward the outputs from data protection and information governance audits.
Can you answer yes to the following questions?
- Could staff explain a sample of actions from the action plan including how they were identified, progressed and closed?
- Do senior management have oversight of the action plan?
- Are there appropriate links to a risk management process and register?