Legal Audit of Compliance with Personal Data Regulation
Legal audit of an organization's activities for compliance with personal data legislation
Processing personal data is inseparable from tracking the legislation in this area, which changes frequently. Although inspections by the regulatory authority are carried out on the basis of a notification (order) to conduct an inspection of the personal data operator, it is difficult to prepare for such an inspection on short notice. At the same time, internal control and (or) audit of the compliance of personal data processing with the legislation on personal data, the requirements for the protection of personal data, the operator's policy on personal data processing and the operator's local acts is provided for in Article 18.1 of the Federal Law "On Personal Data". An audit by a third-party organization makes it possible to look at the whole of the organization's personal data work from the outside and detect shortcomings in it. For this reason, personal data operators are advised to commission a third-party legal audit of compliance with personal data legislation.
A legal audit of compliance with current personal data legislation covers all processes involving personal data in an organization or individual entrepreneur. Its main tasks are analysis of the available local documents on personal data, assessment of the level of personal data protection, and development of recommendations for bringing processing into compliance with the law. A legal audit also lets the organization's management see the real state of affairs with personal data, correct existing violations and, as a result, avoid liability. As a rule, an external legal audit is divided into several stages:
- Review of existing documents on personal data processing. All documents in the organization must comply with the relevant personal data legislation. It is also important that a person responsible for compliance with personal data legislation has been appointed.
- Collection of information and monitoring of personal data processing. During this stage the documents, locations and processes in which personal data are used are identified, and the existing documents are checked for consistency with the actual processes that use personal data.
- Analysis of the information systems and technical protection measures used to process personal data. At this stage the information systems in which personal data are processed are identified and the protection applied to the personal data in those systems is assessed.
- Formulation of recommendations to eliminate violations of the law on personal data processing. At this stage, in addition to the recommendations, the company's management receives comprehensive advice on compliance with personal data legislation.
Compliance with personal data legislation can also be audited in-house; this is called internal control, but in that case a separate regulation on internal control must be drawn up, approved and put into effect. Although the law does not explicitly require such a document, it is needed to establish the internal control procedure, because during an inspection the organization must be able to show the supervisory authority the internal control procedure it has in place. A legal audit by a third-party organization is carried out under a service agreement that specifies the format of the audit. That agreement and the recommendations produced under it serve as evidence for Roskomnadzor that the operator audits its personal data processing for compliance with the statutory requirements.
Based on the results of internal control or a third-party audit of compliance with personal data legislation, reporting documents (conclusions, reports, acts, memos, recommendations) are drawn up. To eliminate the shortcomings, violations and inconsistencies found, an order should be issued naming the persons responsible for eliminating each violation and the deadline for doing so.
The recommendations of a third-party audit organization typically include:
- General recommendations on conducting personal data processing.
- Amendments required to the organization's existing documents on personal data processing, or preparation of the necessary documents where the organization had none.
- Changes required in the personal data protection system, including the protection of the information systems in which personal data are processed.
Having a third party conduct the legal audit of compliance with personal data legislation provides a qualified opinion from experienced lawyers, which minimizes the adverse consequences of any violation of the law in processing personal data.
The services of a third-party legal audit include:
- Advice on the processing of personal data.
- Checking the organization's existing documents for compliance with personal data legislation.
- Drawing up a report on the legal audit of compliance with personal data legislation.
- Preparing recommendations to eliminate violations of personal data legislation.
- Preparing the necessary documents on personal data processing.