Before an organization can devote itself to the principles of data protection, it must take stock of its personal information holdings and the procedures currently in force. To move forward on this path to privacy, an organization must answer three basic questions: What kind of personal information do we hold? Where is it stored? And how is it managed?

Enter the privacy audit. An audit helps an organization take inventory of its holdings of personal data, understand the information needs of the various functions within the organization, and document current information practices, including how and why personal information is collected, used and disclosed. In designing and performing a privacy audit, an organization must keep a fundamental truism in mind: employees, in general, do what you check, not what you expect!

An internal privacy audit provides a critical self-assessment. It is important that employees who are invited to participate in the audit are not afraid of "failing the test" and do not feel stressed when asked to describe their current practices. Instead, what an organization should focus on at this stage is a comprehensive and accurate picture that requires no judgments and has no right or wrong answers. The main objective of the audit should be broad: to gather information on current practices that can guide planning and decision making about future privacy best practices within the organization.

Once the online and offline procedures within the organization are understood, a comprehensive risk assessment can be made. Business practices are evaluated to identify gaps in meeting the criteria of good practice. Based on the level of risk, remedial measures and a timetable for compliance initiatives can then be prioritized.

To be effective, privacy audits must be performed by someone who is familiar with privacy issues but not heavily involved in daily operations, such as the privacy office or an internal audit group.

Inventory

The audit starts with an inventory of the personal data files that currently exist and of the organization's policies and practices for information management. In some situations, the organization collects personal information from a variety of sources, including customers, partners, contractors, employees, suppliers and even the general public. Each department within the organization must be examined through the inventory process to determine how and why personal data is collected and used, whether consent has been obtained and in what form, how this information is stored and how long it is kept, and to whom it has been disclosed and why.

For an efficient inventory, collect all the documents through which personal information is handled in day-to-day business transactions. This important step covers all forms, contracts, confidentiality agreements, contracts with third parties, privacy codes of practice, written procedures, fax and e-mail templates, etc. In assessing each document, we can determine whether it is complete and sufficiently detailed in terms of privacy, or whether it should be rewritten or revised.

When conducting the audit, it is important to examine the records of personal information held on paper, in file systems and other electronic media, and in online collections or communications. Companies must consider all the ways in which personal information is collected. Examples:

- Order forms or application forms
- Contests
- E-mail
- Guarantees
- Delivery services
- Websites
- Call center and business records
- Loyalty or referral programs

One crucial question that must be answered during the audit is: What are the information needs of the various departments within the organization? Interviews with employees, employee surveys and focus groups can help answer this question. In discussion with staff, we can get a really good idea not only of the formal methods but also of the informal standards that each department has adopted.

Potential audit issues:

- How does your organization (or unit or department) collect personal information?
- Why does your organization collect personal information?
- Are individuals informed that the organization is collecting their personal information?
- If so, are individuals informed of the purpose(s) for which their personal information is collected?
- Is consent obtained from individuals before collecting or using their personal information? If so, what methods are used to obtain such consent?
- How does the organization use personal information?
- To whom does the organization disclose personal information?
- Are individuals aware of the use and disclosure of their personal information? If so, what methods are used to inform them?
- Is the personal data held by the organization accurate, complete and current?
- How does the organization store personal information? Where is it stored?
- Who has access to personal information held by the organization, and who really needs to have access?
- What has the organization done to protect the personal information it holds against unauthorized access, collection, use, disclosure or modification?
- How long does the organization keep personal information?
- How does the organization destroy or dispose of personal information?

Once the audit is complete, a report is created summarizing the results and the recommendations for the organization, with emphasis on the areas that need the most attention. In effect, the report helps the organization develop a plan for handling personal information, with a detailed course of action that addresses the organization's needs, protects it, and makes progress toward robust privacy management.

Audit implementation