Data Processing Inventory
Step No. 1: The process starts by listing extensively all of the personal data processing carried out by the organization, verifying the status of the existing formalities and collecting all necessary information regarding the processing.
Risk Analysis
The law requires data controllers and processors to implement all necessary security measures to mitigate the risks inherent to the data processing and the nature of the data. An initial analysis indicates whether the processing is likely to pose a risk to the personal data given the existing measures. It also indicates the gravity of the risk on a macro level.
In the case of potential high risks to the fundamental rights and liberties of individuals, a detailed analysis must be carried out to evaluate the gravity and the likelihood of the risks, to choose the measures necessary to mitigate those risks, and finally to assess the residual risks after those measures have been implemented.
CIL CONSULTING offers an operational methodology and a software tool for the analysis of data protection risks.
Personal Data Processing Audits
By way of the CNIL deliberation on 24 March 2016 (No. 2016-076), the CNIL has certified and awarded its Privacy Seal to CIL CONSULTING’s audit procedure.
The purpose of this audit procedure is to verify that the data processing within the scope of the organization's audit complies with the requirements set by CIL CONSULTING's benchmarks.
The CIL CONSULTING benchmarks are based upon the relevant regulations, jurisprudence, CNIL recommendations and deliberations, the WP29 opinions, as well as the best practices with regard to information security.
At the conclusion of the audit, the consultant will note the discrepancies revealed by the audit, prepare a report presenting the overall compliance and the incidents of non-compliance found during the audit, and draft a detailed outline of related recommendations.
The data processing audit gives a company an opportunity to acquire a detailed and comprehensive view of its data processing compliance and to reflect effectively upon which actions to undertake.
Audits for Data Processors
When using data processors, companies are required to ensure that these subcontractors provide sufficient safeguards for the security and confidentiality of the data processing.
You must:
- Oversee the measures adopted by your data processors,
- Formalise a number of legally binding, contractual obligations, and
- Verify the data processor chain of processing.
Any negligence or malicious act by a data processor exposes you to administrative and criminal penalties.
CIL CONSULTING therefore proposes a Data Processor Compliance Audit which assesses not only the existing legal documents, but also the existing measures adopted by the Data Processor.
Compliance Programs
A compliance program consists of correcting the incidents of non-compliance and the discrepancies found with regard to CIL CONSULTING’s audit benchmarks following the completion of a data processing audit.
A compliance program consists of the implementation of the following actions:
- Respect the fundamental principles provided for by the amended French Data Protection Act of 06 January 1978 which are applicable to all data processing activities,
- Adopt measures enabling the company to fulfil its obligations with respect to the law, the CNIL recommendations and the information security best practices,
- Document all personal data processing activities,
- Document the policies, charters, and procedures regarding data protection, and
- Reaffirm the legal certainty of the transfers of personal data to data processors outside of the European Union by verifying, updating, and reinforcing their legal frameworks.
The Certification (Privacy Seals)
CIL CONSULTING will assist you with your applications for certification and privacy seals: CNIL Governance Procedures privacy seals, EuroPriSe IT products and services certifications, and a EuroPriSe certification for your website.