What to Do When the Privacy Regulator Comes Knocking on Your Door? A Short Guide to Handling Inspections and Data Protection Audits in Europe

Inspections and data protection audits from regulators are on the rise across Europe, and this trend is likely to continue. The latest figures for 2012 show that the French data protection authority (Commission Nationale de l’Informatique et des Libertés or CNIL) completed 458 inspections, a 19 percent increase from 2011. The number of inspections has been steadily rising since 2004, when CNIL’s enforcement powers—and later on, its budget—were significantly increased. The Bavarian data protection authority conducted 13,404 off-site audits and 20 on-site inspections in 2012, compared to 50 off-site audits and 12 on-site inspections during the previous year. Perhaps not surprisingly, the number of sanctions imposed has quadrupled over the last five years. The Polish Inspector General for the Protection of Personal Data (GIODO) conducted 199 inspections in 2011, and the U.K.’s Information Commissioner’s Office (ICO) completed 58 audits in 2012/2013 and 42 audits in 2011/2012, compared to only 26 in the previous year.

Companies need to be proactive and take steps to prepare for a data protection audit. Any regulatory inspection is a burdensome undertaking, and inspections carry the risk of noncompliance being exposed, sanctions, adverse media attention and damage to reputation. Sometimes noncompliance is only identified after an inspection has been carried out. Even for fully compliant organizations, inspections disrupt the conduct of normal business.

Originally published in Privacy & Security Law Report on September 16, 2013.
