Question:
DATA PRIVACY POLICY AUDIT PROCEDURES

1. Data Collection and Consent Management Audit
Objective: Verify that personal data is collected lawfully, transparently, and with proper consent management.
Audit Procedures:
1. Consent Documentation Review
o Sample consent records from various data collection points
o Verify consent language is clear, specific, and comprehensive
o Confirm the timestamp and method of consent collection are recorded
o Check that consent can be withdrawn easily
2. Data Necessity Assessment
o Review data collection forms and systems
o Evaluate whether all collected data elements are necessary for the stated purposes
o Verify documentation exists justifying each category of collected data
3. Collection Method Evaluation
o Test each digital collection tool for compliance with stated procedures
o Verify privacy notices are displayed at collection points
o Confirm data minimization principles are applied
4. Legal Basis Documentation
o For processing without consent, verify a documented legal basis exists
o Check that contractual necessity or legal obligation is properly recorded
o Ensure the legal basis is appropriate for the type of data collected
2. Data Storage and Security Audit
Objective: Confirm that personal data is securely stored and protected against unauthorized access.
Audit Procedures:
1. Data Classification Verification
o Review the data classification schema
o Sample datasets to confirm proper classification
o Verify security controls match classification levels
2. Access Control Testing
o Test multi-factor authentication systems
o Attempt unauthorized access to detect control failures
o Review role-based access configurations
o Verify terminated employees no longer have access
3. Encryption Implementation Check
o Verify encryption of data at rest using technical tools
o Test encryption of data in transit
o Confirm encryption key management procedures
4. Security Assessment Review
o Review logs of vulnerability scans and penetration tests
o Confirm remediation of identified issues
o Verify frequency aligns with policy requirements
5. Access Logging Verification
o Review system logs for data access
o Confirm modifications are properly recorded
o Test log integrity and retention
3. Third-Party Data Sharing Audit
Objective: Ensure third parties adhere to the same data protection standards when handling Sentinel One Solutions' data.
Audit Procedures:
1. Vendor Assessment Documentation
o Review vendor assessment records
o Verify comprehensive evaluation criteria
o Check follow-up on identified issues
2. Contract Review
o Sample SLAs and data processing agreements
o Verify inclusion of data protection obligations
o Confirm breach notification requirements
o Check for compliance with cross-border transfer requirements
3. Third-Party Compliance Verification
o Review evidence of third-party security measures
o Check audit reports or certifications provided by vendors
o Conduct spot checks of vendor compliance where possible
4. Incident Response Testing
o Simulate a third-party breach scenario
o Verify notification procedures work as documented
o Review historical third-party incidents and response effectiveness
4. Data Retention and Disposal Audit
Objective: Verify data is not retained longer than necessary and is securely disposed of when no longer needed.
Audit Procedures:
1. Retention Schedule Compliance
o Sample data repositories and compare against retention schedules
o Identify data retained beyond retention periods
o Verify automated deletion systems function correctly
2. Legal Hold Process
o Review legal hold procedures
o Verify data subject to legal holds is properly identified
o Confirm legal holds override automatic deletion
3. Disposal Method Verification
o Observe the physical document destruction process
o Test data wiping software effectiveness
o Review disposal logs for completeness
4. Staff Awareness Assessment
o Interview staff about retention requirements
o Test knowledge of disposal procedures
o Review training materials on retention and disposal
5. Data Subject Rights Handling Audit
Objective: Confirm processes for data subject rights are effective and compliant.
Audit Procedures:
1. Request Handling Process Test
o Submit mock data subject requests through all channels
o Time response rates against requirements
o Evaluate quality and completeness of responses
2. Identity Verification Check
o Review identity verification procedures
o Test strength of verification methods
o Attempt to bypass verification with limited information
3. Request Documentation Review
o Sample request logs and documentation
o Verify all required information is recorded
o Confirm actions taken are appropriate to the request type
4. Third-Party Notification Test
o For erasure requests, verify notification to third parties
o Check documentation of third-party confirmations
o Test communication channels to third parties
6. Data Breach Management Audit
Objective: Ensure breach response procedures are effective and compliant with notification requirements.
Audit Procedures:
1. Incident Response Simulation
o Conduct a tabletop exercise simulating various breach scenarios
o Evaluate team response against procedures
o Time the notification process against regulatory requirements
2. Detection Capability Assessment
o Test breach detection systems with simulated attacks
o Review historical incidents for detection time
o Evaluate monitoring coverage across systems
3. Documentation Review
o Sample breach records for completeness
o Verify root cause analysis was conducted
o Check that corrective actions were implemented
4. Notification Process Verification
o Review notification templates for compliance
o Verify authority contact information is current
o Test notification systems for reliability
7. Roles and Responsibilities Audit
Objective: Verify clear definition and execution of data protection roles and responsibilities.
Audit Procedures:
1. Role Definition Review
o Compare job descriptions to policy responsibilities
o Verify there are no gaps in coverage of responsibilities
o Check for appropriate segregation of duties
2. Knowledge Assessment
o Interview key personnel about their responsibilities
o Test understanding of procedures relevant to their role
o Review training records for completeness
3. Authority Verification
o Confirm the DPO has the necessary independence
o Verify escalation paths for privacy concerns
o Test reporting structures for potential conflicts
4. Resource Allocation Assessment
o Evaluate whether staff have sufficient time allocated to privacy duties
o Review budget allocation for privacy initiatives
o Check whether tools are available to fulfill responsibilities
8. Overall Policy Implementation Audit
Objective: Assess the overall effectiveness and integration of the data privacy policy.
Audit Procedures:
1. Policy Awareness Testing
o Survey employees on privacy policy knowledge
o Conduct random spot checks of procedure adherence
o Review training completion rates
2. Documentation System Review
o Verify a centralized location for privacy documentation
o Check version control and update procedures
o Confirm accessibility to relevant staff members
3. Integration Assessment
o Review how privacy controls are integrated into business processes
o Verify privacy-by-design practices in new initiatives
o Check for privacy impact assessments on recent projects
4. Compliance Monitoring Review
o Assess effectiveness of ongoing compliance monitoring
o Review metrics used to measure privacy program success
o Verify corrective action tracking from previous audits

Please provide at least two audit follow-up recommendations for your audited policies and procedures.