CHECKLISTS Flashcards

1
Q

What should be reviewed regarding the data subject’s right to privacy?

A
  1. Regularly conduct privacy impact assessments.
  2. Implement privacy by design in all new products.
  3. Ensure data subject rights are accessible and easily exercised.
  4. Establish and maintain privacy policies that are communicated to all stakeholders.
  5. Secure personal data using encryption and other security measures.

2
Q

How can you ensure data processing is lawful, fair, and transparent?

A
  1. Ensure processing is done on lawful grounds (e.g., consent or legitimate interest).
  2. Ensure privacy notices are clear, concise, and accessible.
  3. Regularly update privacy policies to reflect current practices.
  4. Train employees on lawful and ethical handling of personal data.
  5. Maintain records of all data processing activities for transparency.

3
Q

What steps ensure compliance with the principle of purpose limitation?

A
  1. Clearly define and document the purpose for collecting personal data.
  2. Process data only for the intended purpose or obtain consent for any changes.
  3. Regularly review data processing to ensure compliance with the stated purpose.
  4. Inform data subjects of any changes in purpose.

4
Q

How can an organization demonstrate adherence to the principle of data minimization?

A
  1. Collect only the data necessary for the intended purpose.
  2. Regularly review and update data collection practices to avoid excessive data gathering.
  3. Implement tools to reduce or anonymize data where possible.
  4. Limit access to personal data to authorized personnel.

5
Q

What considerations are important when collecting family details?

A
  1. Communicate clearly why family details are needed.
  2. Ensure the collection reason is relevant and lawful.
  3. Obtain consent if family information is not directly related to the individual.
  4. Document how family data is processed, stored, and secured.

6
Q

How do you ensure the accuracy of personal data throughout its lifecycle?

A
  1. Implement processes to maintain accurate and up-to-date data.
  2. Enable data subjects to review and correct their information.
  3. Conduct regular audits to check data accuracy.
  4. Correct or delete inaccurate or outdated data immediately upon discovery.

7
Q

What measures should be in place to comply with storage limitations?

A
  1. Establish data retention policies.
  2. Do not store data longer than necessary.
  3. Implement automated tools for deletion or archiving after the retention period.
  4. Regularly review data storage practices for obsolete data.
  5. Securely delete or anonymize unneeded personal data.

8
Q

What are the key points to check when auditing consent as a lawful basis for processing?

A
  1. Confirm data subjects provided clear, explicit consent.
  2. Ensure consent requests are specific, informed, and unambiguous.
  3. Maintain records of how and when consent was obtained.
  4. Offer an easy way for data subjects to withdraw consent.
  5. Regularly review and refresh consent, especially for ongoing processing.

9
Q

What aspects should be examined when auditing data processing based on the performance of a contract?

A

  1. Verify processing is necessary to fulfill contractual obligations to the data subject.
  2. Document the contractual terms justifying data processing.
  3. Ensure processing relates only to contract requirements.
  4. Communicate clearly with data subjects about how their data is used regarding the contract.
  5. Document requests for pre-contractual steps and how data is processed.

10
Q

What factors should be considered when auditing data processing under the legal obligation basis?

A

  1. Identify the specific legal obligation necessitating data processing.
  2. Ensure processing is necessary for compliance.
  3. Document the relevant laws or regulations.
  4. Clearly communicate to data subjects why their data is processed to meet legal requirements.
  5. Regularly review processing to ensure ongoing compliance.

11
Q

What points should be verified when auditing processing based on vital interests?

A

  1. Confirm processing is necessary to protect the life or physical integrity of the data subject or another person.
  2. Document situations where vital interests justify processing (e.g., emergencies).
  3. Limit processing to what’s strictly necessary to protect vital interests.
  4. Consider less intrusive methods before relying on this basis.
  5. Communicate transparently with the data subject, if possible, especially after the event.

12
Q

What should an audit focus on when processing is based on public interest or official authority?

A

  1. Confirm processing is necessary for a task in the public interest or as part of official authority.
  2. Document the public interest or legal mandate.
  3. Ensure processing is proportionate and strictly necessary for public interest tasks.
  4. Keep records of official authority or public mandate for transparency.
  5. Communicate with data subjects how their data will be processed under this basis.

13
Q

When auditing data processing related to tasks of a public authority, what should be reviewed?

A

  1. Ensure processing is carried out by or on behalf of a public authority.
  2. Confirm processing is necessary for the specific public authority task.
  3. Document the public authority task justifying processing.
  4. Consider data subject rights and ensure processing doesn’t infringe upon them unnecessarily.
  5. Ensure transparency about how the data subject’s data is used for public authority tasks.

14
Q

What are the key considerations when auditing data processing based on functions of a public nature?

A

  1. Confirm processing is necessary for performing a function in the public interest.
  2. Document the function of a public nature justifying processing.
  3. Review the extent to which processing is necessary and proportionate to the public function.
  4. Communicate with the data subject about the public nature of the processing.
  5. Ensure data subjects are informed about the reasons for processing and the public benefit.

15
Q

How should an audit approach data processing justified by legitimate interests?

A

  1. Verify a Legitimate Interests Assessment (LIA) was conducted.
  2. Confirm a balance between the data controller’s legitimate interests and data subject rights and freedoms.
  3. Ensure the legitimate interest and LIA outcomes are documented.
  4. Communicate to data subjects that processing is based on legitimate interests and allow objections.
  5. Ensure processing doesn’t cause unwarranted harm or prejudice to the data subject.

16
Q

What considerations are relevant when auditing data processing for research or artistic purposes?

A

  1. Confirm processing is for historical, statistical, journalistic, literary, artistic, or scientific research.
  2. Ensure safeguards are in place to protect data subject rights (e.g., anonymization or pseudonymization).
  3. Review whether the data is necessary for research or artistic purposes.
  4. Document the research or project objectives justifying processing.
  5. Where possible, obtain consent or communicate clearly about the data’s use for these purposes.

17
Q

What should an audit verify regarding further processing of data?

A

  1. Confirm any further processing aligns with the original purpose for which the data was collected.
  2. Document reasons for further processing and how they align with the original purpose.
  3. Obtain fresh consent or assess another lawful basis if the purpose changes.
  4. Communicate with the data subject about any further processing for new purposes.

18
Q

What should be assessed when a child’s data is being processed?

A

  1. Verify that verifiable consent was obtained from the child’s parent or guardian.
  2. Ensure a record of parental/guardian consent is kept, including how and when it was obtained.
  3. Confirm the processing protects and advances the child’s rights and best interests.
  4. Provide parents or guardians with clear information about how their child’s data will be processed.
  5. Regularly review consent to ensure continued validity, especially if the child reaches the age of majority.

19
Q

What is important to check when auditing age verification and consent mechanisms for children’s data?

A

  1. Ensure appropriate mechanisms are in place for verifying the child’s age.
  2. Verify that consent comes from the parent or guardian.
  3. Confirm the verification methods are appropriate based on the service and the data processed.
  4. Ensure regular assessment and updates to age verification mechanisms to keep up with technological developments.

20
Q

What factors should be considered when determining age verification mechanisms for children?

A

  1. Ensure mechanisms utilize the most suitable technology for age verification and consent gathering.
  2. Ensure scalability to handle large data volumes.
  3. Assess the likelihood of processing children’s data and tailor mechanisms accordingly.
  4. Consider and mitigate potential risks to the child, such as privacy breaches or inappropriate exposure.
  5. Stay updated on any further requirements issued by the Data Commissioner.

21
Q

What should be reviewed when parental consent is not required for counselling or child protection services?

A

  1. Assess whether processing is exclusively for counselling or child protection services.
  2. Document why parental consent is not required under this exemption.
  3. Implement strict confidentiality measures.

22
Q

What should be checked when someone claims to act on behalf of a data subject?

A

  1. Ensure they have proper authorization (e.g., power of attorney or legal documentation).
  2. Verify their identity.
  3. Keep records of the authorization and verification process.

23
Q

When auditing data processing relating to children, what are the special requirements to consider?

A

  1. Implement procedures to verify a parent or guardian is appropriately identified when exercising a child’s rights.
  2. Ensure children are not subjected to profiling for direct marketing, including technological and procedural barriers to prevent such activities.
  3. Communicate the potential risks of processing the child’s personal data to the parent or guardian, as well as the safeguards in place to protect the child.

24
Q

What procedures should be in place when there’s uncertainty about the relationship between a person claiming to act

A

  1. If there is uncertainty about the relationship between the authorized person and the data subject, temporarily restrict requests to exercise the child’s rights until satisfactory evidence is provided.
  2. Document all actions taken during verification.
  3. Keep records of any interactions regarding clarifying the relationship.
  4. Implement policies to notify the authorized person and the child (if applicable) of any restrictions and the reasons for those restrictions.

25
Q

What aspects of commercial use of personal data should be audited?

A

  1. Ensure express consent is obtained before using personal data for commercial purposes.
  2. Clearly communicate the intended commercial use at the point of collection.
  3. Maintain records of consent provided, including how and when it was obtained.
  4. Guarantee consent is specific, informed, and freely given, with an easy withdrawal option.
  5. If processing is allowed under written law, inform the data subject of this legal basis.
  6. Document the legal authorization for processing.
  7. Clearly communicate how and why personal data will be used for commercial purposes in compliance with the law.

26
Q

What should be reviewed when personal data is anonymized for commercial use?

A

  1. Check if anonymization is used where possible to ensure the data subject is no longer identifiable.
  2. Confirm the use of effective anonymization techniques (e.g., data aggregation, encryption, or masking) to protect identity.
  3. Verify regular reviews of anonymization processes to ensure continued effectiveness and compliance with data protection standards.

27
Q

What should be audited regarding the opt-out message for direct marketing?

A

  1. The opt-out message must be visible and clearly explain how to opt out.
  2. The message should use simple, easy-to-understand language, avoiding technical jargon or complex explanations.

28
Q

What are the key considerations when reviewing the opt-out process for direct marketing?

A

  1. Ensure it is quick and easy, requiring minimal time and effort from the data subject.
  2. The process should be completable in a few steps without complicated procedures.
  3. Avoid unnecessary obstacles, like excessive form-filling or multiple confirmations.

29
Q

What is important to verify when checking the communication channel for the opt-out process?

A

  1. A direct and easily accessible communication channel (e.g., email, phone, or online form) should be provided for opting out.
  2. The channel must be reliable, functional, and regularly tested to ensure proper operation.

30
Q

What are the cost considerations when auditing the opt-out process for direct marketing?

A

  1. The opt-out process should be free of charge.
  2. If any necessary charges apply, they should be nominal and not discourage opting out.
  3. Any costs involved, and their justification, should be communicated clearly.

31
Q

How do you assess the accessibility of the opt-out mechanism for persons with disabilities?

A

  1. The opt-out mechanism should be accessible to persons with disabilities using appropriate assistive technology.
  2. Alternative options (e.g., phone-based opt-out) must be available for those unable to access digital or online mechanisms.
  3. Regular reviews of accessibility should be conducted to ensure compliance with accessibility standards.

32
Q

How can you confirm an organization ceases using personal data for direct marketing after an opt-out?

A

  1. Personal data use for direct marketing must stop immediately after an opt-out.
  2. Records of opt-out requests should be maintained, ensuring no further marketing communication is sent.
  3. All systems and third parties handling the data must be updated promptly with the opt-out information.

33
Q

What should be reviewed when auditing a data subject’s right to restrict personal data use for direct marketing?

A

  1. Data subjects should be allowed to request restriction of their data use or disclosure to third parties for direct marketing.
  2. A clear process for making restriction requests must be available.
  3. The restriction request should be easy to submit, with no barriers to exercising this right.

34
Q

What should an audit confirm regarding fees for restriction requests related to direct marketing?

A

  1. Data subjects should not be charged any fees for submitting restriction requests related to direct marketing.
  2. Clear communication is necessary stating that no fees will be charged for making or executing such requests.

35
Q

What should be checked when auditing the implementation time for restrictions on direct marketing data use?

A

  1. Ensure all restriction requests are actioned within seven days of receipt.
  2. Internal systems must be updated, and third parties informed that the data subject’s data must no longer be used for direct marketing.
  3. Records of all restriction requests and actions taken to comply within the timeframe should be maintained.

36
Q

How can you ensure compliance with the right to be informed during data collection?

A

  1. Data subjects should be provided with clear, accessible information about why their data is being collected, how it will be used, and who it might be shared with.
  2. Details about data subject rights and how to exercise them should be included.
  3. Records of notifications provided (e.g., privacy notices or consent forms) must be maintained.
  4. Data subjects should be informed about any changes to the purpose of processing or data sharing arrangements.
  5. Multiple communication channels (e.g., email, in-app notices) should be used for notifications.

37
Q

When auditing the right to access, what should be reviewed?

A

  1. Verify proof of identity is required before fulfilling access requests.
  2. Clarify the request by asking the data subject to specify what personal data they wish to access.
  3. Ensure access is provided within seven days of the request, in a clear and accessible format, free of charge.
  4. Maintain records of access requests and responses, including the identification process and data provided.

38
Q

What steps should be audited regarding the right to restrict processing?

A

  1. Verify the requestor’s identity.
  2. Clarify the scope of the restriction by asking the data subject to specify what data processing activities they wish to restrict.
  3. Implement technical and organizational measures to restrict the specified processing activities.
  4. Document the restrictions and ensure they are communicated to relevant staff and third parties.
  5. Inform the data subject that the restriction has been applied and how long it will last.

39
Q

What should be reviewed when auditing the right to object to processing?

A

  1. Verify the requestor’s identity.
  2. Clarify the objection by asking the data subject to explain the grounds for their objection.
  3. Evaluate the objection and determine if processing can continue based on legitimate grounds.
  4. If the objection is valid, stop processing immediately and notify the data subject.
  5. Maintain records of objections raised and how they were handled.

40
Q

What should be examined when auditing the right to rectification?

A

  1. Verify the requestor’s identity.
  2. Clarify the request by asking the data subject to specify the inaccurate data and the necessary corrections.
  3. Rectify inaccurate and incomplete data promptly, updating all relevant systems and databases.
  4. Notify third parties if the incorrect data was shared with them.
  5. Maintain records of rectification requests and actions taken.

41
Q

What should be considered when auditing the right to erasure?

A

  1. Verify the requestor’s identity.
  2. Have the data subject clarify which personal data they want erased and the reason for their request.
  3. Assess whether the request meets the legal grounds for erasure.
  4. Erase the data from all systems and ensure that any third parties with whom the data was shared are also notified to erase it.
  5. Inform the data subject that their data has been erased.
  6. Keep detailed records of erasure requests and steps taken to comply.

42
Q

What are the key points to check when auditing the right to data portability?

A

  1. Verify the requestor’s identity.
  2. Clarify the request by asking the data subject to specify what data they want to port and to which third party (if applicable).
  3. Export the data in a commonly used and machine-readable format (e.g., CSV, XML).
  4. Ensure the transfer is secure and completed within the statutory time period.
  5. Inform the data subject once the data has been ported.

43
Q

What are the key considerations when auditing the right not to be subjected to automated decision-making?

A

  1. Inform data subjects if their personal data will be used for automated decision-making, including profiling.
  2. Offer a process for data subjects to request human intervention in decisions made through automated processing.
  3. Verify the data subject’s identity before fulfilling their requests to challenge automated decisions.
  4. Maintain records of all objections and interventions related to automated decision-making.

44
Q

What general aspects of data subject rights should be included in the audit?

A

  1. Always verify the identity of the person making the request to protect against fraudulent requests.
  2. Request clear and specific details when a data subject makes a request (e.g., what data they want to access or correct).
  3. Develop online portals or forms to help data subjects easily exercise their rights.
  4. Train employees on how to handle data subject requests efficiently and legally.
  5. Maintain detailed records of all requests and actions taken.
  6. Ensure all requests are fulfilled within the legal timeframe, usually within 7 days, to avoid non-compliance.
  7. Notify third parties when relevant about rectifications, erasure, or other actions taken at the request of the data subject.

45
Q

What should be checked regarding the transfer of personal data outside Kenya?

A

  1. Ensure proof of appropriate safeguards is provided to the Data Commissioner.
  2. Confirm that robust security measures, data protection policies, and legal compliance with the destination country’s data protection laws are in place.
  3. The transfer should be necessary for specific conditions such as the performance of a contract, the protection of vital interests, legal claims, public interest, or legitimate interests.
  4. All conditions and safeguards should be documented and regularly reviewed.

46
Q

What are the essential elements to audit when assessing a data breach response?

A

  1. Immediate identification and containment of the breach.
  2. Thorough risk and impact assessment, including the severity and scope of the breach.
  3. Prompt notification of relevant parties such as the Data Commissioner, affected data subjects, and other stakeholders.
  4. Effective mitigation and recovery strategies, including corrective measures and support for affected individuals.
  5. Comprehensive post-breach review, including a thorough investigation, documentation, and reporting to senior management.
  6. Review and improvement of security measures, including updating protocols and training employees.
  7. Maintenance of a data breach register with detailed records.