Consulting & Auditing

Privacy Laws & Business has been advising clients on their data protection policies and procedures since its first year in business, in 1987.

Many of these clients are Financial Times UK Top 50 and Fortune USA Top 50 companies, as well as many public sector organisations.


“After acting on many of your findings and a few of our own arising from this breach,
we've now heard from the ICO that they are taking no further action on this. Many thanks for your help.”
[An organisation which prefers to remain anonymous!]


Consulting

Clients typically want to know what the law says; what the law means for them; what they should do to implement an effective data protection compliance system; and how to build privacy into their corporate or marketing strategies.

In many cases, there is a specific issue which leads to the consultancy project. The Privacy Laws & Business team will address that issue but also explain to the client the other privacy areas which demand attention.

One of the essential themes of Privacy Laws & Business’s approach is the consultants’ ability to think laterally about the issues which the clients present to them. The solution may lie in the application of both legal analysis and advice and more appropriate management techniques.

Privacy Laws & Business consulting projects for major companies have included:

  • Devising effective internal data protection compliance programmes and procedures for multinational companies;
  • Developing a data protection strategy for a multinational company's human resources database and working with management to implement the policy by drafting appropriate letters and policy documents;
  • Advising several USA based companies on the impact of transborder data flow legislation in European countries on the transfer of name-linked data to the USA;
  • Advising on how to integrate data protection principles into a corporate data security manual;
  • Recommending a market strategy to help a company differentiate itself from its competitors by showing its sensitivity to national data protection legal requirements;
  • Advising a company on how data protection laws would affect its direct marketing operations in several countries.


Work for leading public sector organisations in the last five years covers both policy and compliance work and includes:

  • An assessment of the adequacy of privacy laws in many non-European Union countries for the European Commission;
  • Data Protection Act compliance and training work for the UK House of Commons;
  • Policy advice for the UK’s Home Office on Access to communications data – respecting privacy and protecting the public from crime.

One-day Health Check Audit

To prepare for an ICO audit, or just to ensure that your data protection compliance programme is on track, PL&B offers a cost-effective one-day audit.

Organisations may choose the areas which they would like to have audited (e.g. marketing, HR, organisational security, training etc) in one location. A pre-agreed list of issues will ensure that you will get maximum benefit from the day. Our auditor will spend one day on site and provide you with a report.

To find out more, contact Stewart Dresner, stewart.dresner@privacylaws.com, tel: 020 8868 9200. 

Auditing

Privacy Laws & Business’s work on auditing began with a series of workshops in 1997 on how to apply ISO 9000 quality assurance principles to auditing for data protection law compliance. This experience led to the company winning the contract to prepare the Data Protection Auditing Manual for the UK’s Information Commissioner.

The Data Protection Auditing Manual, published in July 2001, develops auditing procedures aimed at assessing organisations’ compliance with the UK Data Protection Act 1998. The aim of the project was to prepare an Audit Manual which could be used by the Commissioner when carrying out his audit functions, and also by organisations wishing to check their own data protection compliance.

This contract has direct relevance to many consulting projects, as techniques developed and lessons learned are applied to a client’s business. Although the questionnaires and audit checklists are based on the UK law, the methodology will work successfully with any country’s law and clients’ processing of personal data within this legal framework.

Our auditing services include:

  • Gap analyses for clients without data protection systems
  • Data protection audits for clients with existing systems
  • Global data protection audits for multinational companies
  • Both in-house and public audit training courses in the use of the UK Information Commissioner’s Audit Manual
  • Producing customised auditing questionnaires and checklists for specific processes such as recruitment, marketing and complaint-handling.


Clients’ Audit Projects

Privacy Laws & Business auditors draw on their experience of preparing the Data Protection Auditing Manual for the UK’s Information Commissioner. Privacy Laws & Business has adapted the audit methodology to work successfully with clients’ processing of personal data and other countries’ laws. A typical audit project involves:

  • Risk assessment
  • Developing internal audit schedules and pre-audit questionnaires
  • Holding preparatory meetings
  • Conducting Adequacy Audits by reviewing data protection documentation and compiling Adequacy Audit reports
  • Preparing for Compliance Audits by drawing up Departmental and Process Audit checklists and Audit Plans
  • Conducting on-site Compliance Audits involving Opening Meetings, Functional and Process Audits and Staff Awareness interviews
  • Reporting findings via Compliance Audit Reports and associated Non-compliance Records, Observation Notes and corrective action
  • Conducting Closing Meetings and dealing with Audit Follow-up activities.

The methodology also has international application:

Accenture used Privacy Laws & Business as its auditor in several countries in Europe, North America and Asia. The auditors assessed the compliance of several of its global processes with its global privacy policy.

Hong Kong’s Privacy Commissioner for Personal Data used the Privacy Laws & Business audit team to train his staff on how to audit the processes relating to Hong Kong’s new electronic identity card for compliance with Hong Kong’s law. They now have a standard audit methodology, which they can use with confidence in other areas.

Contact the Privacy Laws & Business office to discuss your consulting or auditing requirements.