What you should know about our standard on data processing audits


What is a processing audit procedure?

A processing audit checks the compliance of processing with the French data protection act. The procedure describes the various stages and processes according to which such an audit must be prepared, implemented and finalised. It also includes requirements relative to the organisation performing the audit, and the auditors themselves.

Can I request a privacy seal from the CNIL for my organisation's processing audit procedure?

Yes, the CNIL's privacy seal can be issued for processing audit procedures implemented by service providers (consulting firms, lawyers, etc.) or by organisations themselves (in this case, we speak of an internal audit).

Can I obtain a privacy seal from the CNIL for the data processing carried out by my company?

No, the processing audit privacy seal delivered by the CNIL does not directly apply to the processing carried out. It applies to the audit procedure which is used to check that these processing operations are compliant with the French data protection act.

Does the approach for compliance with the French data protection act (EM 01) require the designation of a Personal Data Protection Officer?

This requirement aims to check that the applicant organisation does have an internal policy on the management of personal data and a reference person for these questions (who may or may not be the Personal Data Protection Officer).

Are internships taken into account in calculating the minimum professional experience required of auditors?

Internships, if they are significant, may be counted towards the required professional experience of at least five years, and only within the limit of one year.

How is it possible to prove that the auditors have the minimum experience required by the requirements EM03 to EM06 (five years / 20 hours of training in the audit methodology / two audits from their initiation to their closure / 20 days of auditing)?

It is possible to prove the minimum experience required for each auditor using job descriptions, descriptions of procedures, a formal undertaking from auditors…

What is meant by "legal auditor" (EM11)?

This is an auditor with legal expertise supported by at least a degree at the Master I level.

What is meant by "technical auditor" (EM13)?

A technical auditor is one who has technical expertise, supported by a degree at the Master I level in Information Systems or IT.

Some equivalents or validations of acquired experience may be put forward, such as the "27001 lead auditor" certification.

Can I request a privacy seal for an audit that is legal only?

No, the CNIL's privacy seal is delivered only for audits that are both legal and technical. Consequently, if one of these skills does not exist internally, it is possible either to subcontract part of the audit or to request a privacy seal jointly with another organisation.

What does the CNIL mean by the "premises of the auditee" (EM22 and EM32)?

"Premises of the auditee" means the "premises of the audited service".

What is the difference between consultation of the documentation in the premises of the auditee (EM 22) and the consultation of evidence within the premises of the auditee (EM 32)?

EM22 concerns the consultation of all documents used in the audit, while EM32 concerns only the consultation of data collected as "evidence" (meaning records, statements of fact or other information related to procedures and which are verifiable; not all documents are evidence).

What is the difference between the determination of the relevant, appropriate and non-excessive character of data (EC 15) and the evaluation of the necessity of data collected with regard to the intended purpose (EC 16)?

EC 15 specifies the analysis of the relevance of data as provided for by article 6 of the Act, while EC 16 goes further in analysing the benefit (beyond relevance) of retaining this data with the aim, where applicable, of proposing full or partial anonymisation.

What is the difference between the verification of data retention periods (EC 26) and verification of the actual deletion of data (EC 27)?

EC 26 is intended to ensure that the specified retention periods are complied with (for example by a query on the database), while EC 27 must enable a check to be made on the deletion method used (automatic or manual).

What does the CNIL mean by "approach implemented by the data controllers to ensure the confidentiality, integrity and availability of data" as specified by requirement EC 29?

The spirit of EC 29 is to study the approach taken by the data controller (risk analysis, listing of rules and best practices…) and not the actual security of the processing. The auditor must therefore check that the security measures put in place arise from a genuine study by the data controller.