NDPR AUDIT CHECKLIST

| S/N | Audit Requirement | Status | Comments |
|-----|-------------------|--------|----------|
| 1 | Has a data protection and privacy policy been documented and published to data subjects? | In place | Privacy policy exists and is published on all the bank's platforms |
| 2.1 | How is data collected? | In place | SOP |
| | How is collected data processed? | In place | SOP |
| | Is data processed in line with the consent given by the data subject? | In place | SOP |
| | Is there a documented outline stating how collected data is to be processed? | In place | SOP |
| | What control is in place to ensure that data are not transferred? | In place | Administrative controls exist, Code of conduct |
| | Has the data retention period been defined and documented? | In place | Policy exists |
| | What control is in place to guard against data theft, cybersecurity attack, data manipulation, viral attack, natural disaster etc.? | In place | Encryption, firewall protection, SOC center, Symantec Antivirus, security tools etc. |
| | Has affirmation been made on the regulation by anyone entrusted with the personal data of a data subject? | In place | Administrative controls exist, Code of conduct |
| 2.2 | Has the lawful basis for processing data been identified and documented? | In place | Privacy policy |
| | Has the consent of the data subject been sought before processing his/her personal data? | Ongoing | Consents being received by ISG. |
| | Verify that records are not kept for processing without data subject consent. | In place | All records kept are currently in line with the Privacy policy |
| 2.3 | Verify that the data subject is made aware of the specific purpose for collection of data. | In place | Privacy policy |
| | How is consent collected based on the lawful processes? | In place | Privacy policy |
| | How is data subject consent recorded, and can it be easily retrieved in plain format? | In place | Consent collection database is in place |
| | Verify that the data subject has been informed of the right and method to withdraw consent at any given time. | In place | Privacy policy |
| | Verify that processes are in place to review, refresh and monitor consent. | In place | Process is in place |
| 2.4 | What process is in place to ensure consent is not sought, accepted or given in any circumstance that engenders propagation of atrocities, hate, child rights violation, criminal acts and antisocial conduct? | In place | Privacy policy states this under "Use of Your Personal Information - complying with legal obligations" |
| | What process is in place to ensure third parties do not violate the data principles? | In place | Policies have been shared with third parties that process data |
| 2.5 | Verify that any medium used to collect or process personal data displays a simple and conspicuous privacy policy that the class of Data Subject being targeted can understand. | Not in place | ISG may include a website link for Terms and Conditions |
| | Verify that the privacy policy contains the following: | | |
| | - what constitutes the Data Subject's consent; | In place | Contained in the Privacy policy |
| | - description of collectable personal information; | In place | Contained in the Privacy policy |
| | - purpose of collection of Personal Data; | In place | Contained in the Privacy policy |
| | - technical methods used to collect and store personal information (cookies, JWT, web tokens etc.); | In place | Contained in the Privacy policy |
| | - access (if any) of third parties to Personal Data and purpose of access; | In place | Contained in the Privacy policy |
| | - a highlight of the principles stated in Part 2; | In place | Contained in the Privacy policy |
| | - available remedies in the event of violation of the privacy policy; | Not in place | Not seen in Privacy policy |
| | - the time frame for remedy. | Not in place | Not seen in Privacy policy |
| 2.6 | Verify that security measures to protect data have been implemented. This includes: | | |
| | - protecting systems from hackers | In place | Security tools at the SOC center |
| | - setting up firewalls | In place | Firewalls exist on the network |
| | - storing data securely with access limited to specific authorized individuals | In place | Access control mechanisms exist which limit access to specific authorized individuals |
| | - employing data encryption technologies | In place | Data encryption/hashing exists - in transit and in storage |
| | - developing organizational policy for handling Personal Data (and other sensitive or confidential data) | In place | Data protection policy |
| | - protection of emailing systems and continuous capacity building for staff | In place | Security awareness training |
| 2.7 | Verify that a list of third parties has been documented. | In place | List of third parties in place |
| | Verify that contracts containing data protection agreements (SLAs) are maintained with third parties that process subject data. | Not in place | Data protection agreement not included in SLAs with third parties |
| 2.8 | Verify that the data subject is expressly and manifestly offered the mechanism for objection to any form of data processing, free. | In place | Privacy policy |
| 2.11 | Verify that the approval of the Honorable Attorney General of the Federation is sought for transfer of subject data to a foreign country, or that the following is provided to NITDA in the audit report. | This will be done by the DPCO | This will be handled by the DPCO |
| 3.1 | Verify that appropriate measures are in place to provide any information relating to processing to the Data Subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and for any information relating to a child. | In place | Process is in place |
| | Has the means to provide the information been identified and documented (e.g. in writing, electronic etc.)? | In place | Process is in place |
| | Verify that the data subject is notified without delay, within at least one month, if the Controller does not act on the request of the Data Subject. | In place | Process is in place |
| | Verify that the parameters that amount to a manifestly unfounded or excessive character of the request have been documented and agreed with the data subject. | Not in place | No parameters documented |
| | Where a data subject request is rejected, verify that a written letter is sent to the Data Subject stating the refusal to act on the request, and that the Agency is copied on every such occasion through a dedicated channel. | In place | Process is in place to inform data subjects and the agency when a request is rejected |
| | Verify that the Data Subject has the right to request the Controller to delete Personal Data without delay, and that the Controller shall delete Personal Data where one of the following grounds applies: | In place | Process to delete data subject's personal data in place |
| | Verify that the right to delete personal data has been communicated to the data subject. | In place | Rights communicated in privacy policy |
| | Verify that a process is in place to delete publicly displayed data and to inform other controllers. | Not in place | No process identified |
| | Verify that a process is in place for the Data Subject to exercise the right to obtain from the Controller restriction of processing. | In place | Mails can be sent through touchpoints |
| | Verify that the Controller communicates any rectification or erasure of Personal Data or restriction of processing to each recipient to whom the Personal Data have been disclosed, unless this proves impossible or involves disproportionate effort, and verify that the Controller is able to inform the Data Subject about those recipients if the Data Subject requests it. | Not in place | No process identified |
| | Verify that the Data Subject has the right to receive the Personal Data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and has the right to transmit those data to another controller without hindrance from the controller to which the Personal Data have been provided. | In place | Statements and details of account can be provided to data subjects upon request |
| 4.1 | Verify that the data protection policies have been made public. | In place | Data protection policies in place on the bank's website |
| | Verify that a Data Protection Officer has been designated. | Not in place | DPO has not been officially appointed |
| | Verify that capacity building is ongoing for the DPO and for personnel involved in any form of data processing. | In place | Training and capacity building is ongoing for all such personnel |
| 3.1 | Verify that, prior to collecting Personal Data from a Data Subject, the Data Subject is provided with all of the following information: | Partially in place | Contact details of the Data Protection Officer not provided to the Data Subject |
| | - the identity and the contact details of the Controller; | | |
| | - the contact details of the Data Protection Officer; | | |
| | - the purpose(s) of the processing for which the Personal Data are intended, as well as the legal basis for the processing; | | |
| | - the legitimate interests pursued by the Controller or by a third party; | | |
| | - the recipients or categories of recipients of the Personal Data, if any; | | |
| | - where applicable, the fact that the Controller intends to transfer Personal Data to a third country or international organization, and the existence or absence of an adequacy decision by the Agency; | | |
| | - the period for which the Personal Data will be stored or, if that is not possible, the criteria used to determine that period; | | |
| | - the existence of the right to request from the Controller access to, rectification or erasure of Personal Data, or restriction of processing concerning the Data Subject, or to object to processing, as well as the right to Data Portability; | | |
| | - the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; | | |
| | - the right to lodge a complaint with a relevant authority; | | |
| | - whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the Personal Data and the possible consequences of failure to provide such data; | | |
| | - the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject; | | |
| | - where the Controller intends to further process the Personal Data for a purpose other than that for which the Personal Data were collected, the Controller shall provide the Data Subject, prior to that further processing, with information on that other purpose and with any relevant further information; and | | |
| | - where applicable, that the Controller intends to transfer Personal Data to a recipient in a foreign country or international organization, and the existence or absence of an adequacy decision by the Agency. | | |
