Hi, could you please share experiences from having dealt with supervisory authorities?
I understand details will differ from case to case, but I am looking to get some input so we can better prepare in case something goes wrong or they do a random visit to us.
For example, what did they ask for, and how long did you have to respond? Did they do physical visits or technical audits? Were they pragmatic or helpful, or only looking for errors?
Thank you,
/ Concerned
What will the supervisory authority ask for?
Barry Moult
Hi. From a health perspective.
2 Things
If there has been a data breach, from my experience the supervisory authority (in our case, the ICO) will ask for the following:
Policies and procedures
Training (if an individual has been involved have they had training in last 12 months?)
Dependent on the breach, they will want to see:
DPIA
RoPA
Then they will ask:
What actions were taken?
What lessons were learnt?
Was Duty of Candour carried out?
The ICO carried out a number of consensual audits in health organisations in 2020. From the reports (available on the ICO website) I have pulled all the recommendations from those audits into a spreadsheet (action plan). I’m happy to share.
Chris Roberts
Barry has already provided a great summary. I would add from a UK (ICO) perspective the following.
An ICO Case Officer effectively triages the case based on your response and, depending on the issue, may escalate the matter to the investigations department. Ensuring you acknowledge their initial communication in a timely, professional and cooperative manner can go a long way – remember they are looking for evidence that the organisation is taking the matter seriously. If the case does escalate to the investigations team, they will be reviewing all of your past communications.
Have your evidence easily to hand and well organised; evidence thus far, from my personal experience, is that the ICO will take this as a sign you are in control of the personal data you process. Good luck.