Transcript of interview with DPO

Privacy
Data Protection
Compliance

Auditor: Thank you for meeting with me today. I’d like to understand your organisation’s data protection strategy and controls. Could you give me an overview of your data privacy policies?

DPO: Absolutely. We have comprehensive data protection policies aligned to regulations like GDPR that outline data subject rights, lawful processing, consent requirements and more.

Auditor: Great start. How do you perform data discovery and classification?

DPO: Our data owners classify information assets based on sensitivity. Data maps outline what we collect and process. Anything containing personal data is specially tagged.

Auditor: Excellent. And how is data access controlled?

DPO: Role-based access controls are enforced by our IT team. Encryption for data at rest and in transit. Analytics data is anonymised and minimised before use.

Auditor: That covers some key points. I’m here to have a collaborative discussion on how your DPO program operates. If I identify any areas of non-conformance, I’ll discuss them with you first to clarify and work out recommendations before finalising audit findings. Does that align with your expectations?

DPO: Absolutely, I appreciate you taking that approach! I’m sure we’ll have an open and beneficial dialogue about our data policies and find ways to strengthen our program. Shall we move on to retention and disposal next?

Auditor: Yes, that would be great. How do you manage data retention and secure destruction?

DPO: We have defined retention schedules based on legal and business needs. Disposal procedures like shredding for physical data and wiping for digital assets are enforced…

Auditor: How do you perform privacy impact assessments for new initiatives involving personal data?

DPO: Our PIA process evaluates risks early in projects, recommends controls, documents decisions, and obtains approvals before launch.

Auditor: What is your approach for performing security risk assessments focused on data protection?

DPO: Our infosec team partners with me to do annual DPIAs analysing threats, evaluating controls, and mitigating high risks to sensitive data.

Auditor: How do you ensure any data processors or third parties comply with your data policies?

DPO: Contracts mandate compliance with our standards. Vendors complete security assessments providing evidence of compliance, which is validated by audit.

Auditor: Could you explain your data breach response plan and how it is regularly tested?

DPO: Our incident response plan has specific steps for breaches including notification timelines. We test annually with breach simulation exercises across teams.

Auditor: What privacy and security training and awareness exists for employees?

DPO: New hires are trained on data policies. Existing staff retake the course annually. We share reminders on data handling via email, intranet, and presentations.

Auditor: What are the processes if other teams do not cooperate with data protection efforts?

DPO: I engage directly with responsible executives to escalate roadblocks. Demonstrating regulatory risk exposure, financial impacts, and reputation harms helps motivate compliance. As a last resort, formal warnings may be issued recommending employment action.

Auditor: How are data protection responsibilities communicated across business units?

DPO: Our data protection policies outline the requirements per role. I conduct training on proper data handling, legal obligations, and incident reporting. Data owners and line managers are accountable for disseminating and enforcing them within their teams.

Auditor: What security collaboration exists with legal/compliance groups?

DPO: We have joint responsibility along with legal for data protection oversight. Our departments review policies and controls together. We also liaise on incident response, regulator interactions, and advice to the business regarding data practices.