This document is an audit checklist for assessing compliance with NDPR data protection and privacy requirements. It contains over 30 audit requirements related to how data is collected, processed, secured and the rights of data subjects. Key areas covered include having a privacy policy, obtaining and managing consent, implementing security measures, providing access and deletion rights to data subjects, and protections for transferring data to other countries. The audit found that most requirements were met or partially met, but some areas need improvement such as documenting processes for remedying privacy policy violations or restricting excessively unfounded requests.
| S/N | Audit Requirement | Status | Comments |
|---|---|---|---|
| 1 | Has a data protection and privacy policy been documented and published to data subjects | In place | Privacy policy exists and is published on all the bank’s platforms |
| 2.1 | How is data collected | In place | SOP |
| | How is collected data processed | In place | SOP |
| | Is data processed in line with consent given by data subject | In place | SOP |
| | Is there a documented outline stating how collected data is to be processed | In place | SOP |
| | What control is in place to ensure that data are not transferred | In place | Administrative controls exist, Code of conduct |
| | Has a data retention period been defined and documented | In place | Policy exists |
| | What is the control in place to guard against data theft, cybersecurity attack, data manipulations, viral attack, natural disaster etc. | In place | Encryption, firewall protection, SOC center, Symantec Antivirus, security tools etc. |
| | Has affirmation been made on the regulation by anyone entrusted with personal data of a data subject | In place | Administrative controls exist, Code of conduct |
| 2.2 | Has the lawful basis for processing data been identified and documented | In place | Privacy policy |
| | Has the consent of the data subject been sought before processing his/her personal data | Ongoing | Consents being received by ISG. |
| | Verify that records are not kept for processing without data subject consent | In place | All records kept are currently in line with Privacy policy |
| 2.3 | Verify that data subject is made aware of the specific purpose for collection of data | In place | Privacy policy |
| | How is consent collected based on the lawful processes | In place | Privacy policy |
| | How is data subject consent recorded and can it be easily retrieved in plain format | In place | Consent collection database is in place |
| | Verify that data subject has been informed of the right and method to withdraw consent at any given time | In place | Privacy policy |
| | Verify that processes are in place to review, refresh and monitor consent | In place | Process is in place |
| 2.4 | What process is in place to ensure consent is not sought, accepted or given in any circumstance that engenders propagation of atrocities, hate, child rights violation, criminal acts and antisocial conducts | In place | Privacy policy states that in Use of Your Personal Information - complying with legal obligations |
| | What process is in place to ensure third parties do not violate the data principles | In place | Policies have been shared with third parties that process data |
| 2.5 | Verify that any medium used to collect or process personal data displays a simple and conspicuous privacy policy that the class of Data Subject being targeted can understand | Not in place | ISG may include web site link for Terms and Conditions |
| | Verify that the privacy policy contains the following: | | |
| | - what constitutes the Data Subject’s consent; | In place | Contained in the Privacy policy |
| | - description of collectable personal information; | In place | Contained in the Privacy policy |
| | - purpose of collection of Personal Data; | In place | Contained in the Privacy policy |
| | - technical methods used to collect and store personal information, cookies, JWT, web tokens etc.; | In place | Contained in the Privacy policy |
| | - access (if any) of third parties to Personal Data and purpose of access; | In place | Contained in the Privacy policy |
| | - a highlight of the principles stated in Part 2; | In place | Contained in the Privacy policy |
| | - available remedies in the event of violation of the privacy policy; | Not in place | Not seen in Privacy policy |
| | - the time frame for remedy; and | Not in place | Not seen in Privacy policy |
| 2.6 | Verify that security measures to protect data have been implemented. This includes: | | |
| | - protecting systems from hackers | In place | Security tools at the SOC center |
| | - setting up firewalls | In place | Firewalls exist on the network |
| | - storing data securely with access to specific authorized individuals | In place | Access Control mechanisms exist which limit access to specific authorized individuals |
| | - employing data encryption technologies | In place | Data encryption/Hashing exists - transit and storage |
| | - developing organizational policy for handling Personal Data (and other sensitive or confidential data) | In place | Data protection policy |
| | - protection of emailing systems and continuous capacity building for staff | In place | Security awareness trainings |
| 2.7 | Verify that a list of third parties has been documented | In place | List of third parties in place |
| | Verify that contracts containing data protection agreements are maintained with third parties that process subject data - SLAs | Not in place | Data protection agreement not included in SLAs with third party |
| 2.8 | Verify that data subject is expressly and manifestly offered the mechanism for objection to any form of data processing free | In place | Privacy policy |
| 2.11 | Verify that the approval of the Honorable Attorney General of the Federation is sought for transfer of subject data to a foreign country or the following is provided to NITDA in the audit report | This will be done by the DPCO | This will be handled by the DPCO |
| 3.1 | Verify that appropriate measures are in place to provide any information relating to processing to the Data Subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and for any information relating to a child. | In place | Process is in place |
| | Has the means to provide the information been identified and documented, e.g. in writing, electronic etc. | In place | Process is in place |
| | Verify that data subject is notified without delay, within at least one month, if the Controller does not act on the request of the Data Subject | In place | Process is in place |
| | Verify that the parameters that amount to manifestly unfounded or excessive character of the request have been documented and agreed with the data subject | Not in place | No parameters documented |
| | Where data subject request is rejected, verify written letter to the Data Subject stating refusal to act on the request and the Agency is copied on every such occasion through a dedicated channel | In place | Process is in place to inform data subjects and agency when a request is rejected |
| | Verify that the Data Subject has the right to request the Controller to delete Personal Data without delay, and the Controller shall delete Personal Data where one of the following grounds applies: | In place | Process to delete data subject’s personal data in place |
| | Verify that the right to delete personal data has been communicated to data subject | In place | Rights communicated in privacy policy |
| | Verify that a process is in place to delete publicly displayed data and to inform other controllers | Not in place | No process identified |
| | Verify that a process is in place for the Data Subject to have the right to obtain from the Controller restriction of processing | In place | Mails can be sent through touchpoints |
| | Verify that Controller communicates any rectification or erasure of Personal Data or restriction to each recipient to whom the Personal Data have been disclosed, unless this proves impossible or involves disproportionate effort, and verify that the controller is able to inform the Data Subject about those recipients if the Data Subject requests it. | Not in place | No process identified |
| | Verify that the Data Subject has the right to receive the Personal Data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and has the right to transmit those data to another controller without hindrance from the controller to which the Personal Data have been provided | In place | Statements and details of account can be provided to data subjects upon request |
| 4.1 | Verify that the data protection policies have been made public | In place | Data protection policies in place on the bank’s website |
| | Verify that a Data Protection Officer has been designated | Not in place | DPO has not been officially appointed |
| | Verify that capacity building is ongoing for the DPO and such personnel in any form of data processing | In place | Training and capacity building is ongoing for all personnel |
| 3.1 | Verify that prior to collecting Personal Data from a Data Subject, the Data Subject is provided with all the following information: | Partially in place | Contact details of the Data Protection Officer not provided to Data Subject |
| | - the identity and the contact details of the Controller; | | |
| | - the contact details of the Data Protection Officer; | | |
| | - the purpose(s) of the processing for which the Personal Data are intended as well as the legal basis for the processing; | | |
| | - the legitimate interests pursued by the Controller or by a third party; | | |
| | - the recipients or categories of recipients of the Personal Data, if any; | | |
| | - where applicable, the fact that the Controller intends to transfer Personal Data to a third country or international organization and the existence or absence of an adequacy decision by The Agency; | | |
| | - the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period; | | |
| | - the existence of the right to request from the Controller access to and rectification or erasure of Personal Data or restriction of processing concerning the Data Subject or to object to processing, as well as the right to Data Portability; | | |
| | - the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; | | |
| | - the right to lodge a complaint with a relevant authority; | | |
| | - whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the Personal Data and of the possible consequences of failure to provide such data; | | |
| | - the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject; | | |
| | - where the Controller intends to further process the Personal Data for a purpose other than that for which the Personal Data were collected, the Controller shall provide the Data Subject, prior to that further processing, with information on that other purpose and with any relevant further information; and | | |
| | - where applicable, that the Controller intends to transfer Personal Data to a recipient in a foreign country or international organization and the existence or absence of an adequacy decision by The Agency. | | |