Implementation Year: Addressing Gaps and Building Capacity
Year 2 focuses on addressing gaps identified in your first audit, implementing staff training programmes, and strengthening your data protection controls based on lessons learned from Year 1.
The NDPC expects to see measurable improvement in your compliance posture from Year 1 to Year 2. Your second CAR should demonstrate that you have actively addressed the gaps and recommendations identified in your first audit.
Year 2 Compliance Priorities
Remediate Year 1 Findings
Review your Year 1 CAR findings and implement corrective actions. Document all remediation efforts and maintain evidence of improvements made. This demonstrates good-faith compliance efforts to the NDPC.
Staff Training Programme
Implement comprehensive data protection training for all staff. Training should cover data protection principles, recognising personal data, data subject rights, breach reporting procedures, and role-specific responsibilities.
Review and Update Policies
Review policies created in Year 1 based on operational experience. Update procedures that proved impractical and ensure policies reflect actual practices. Add any missing policies identified during the first audit.
Strengthen Technical Controls
Implement or enhance technical measures including access controls, encryption, audit logging, and data backup procedures. Ensure systems align with the security requirements of Section 39 of the NDP Act.
Test Breach Response Procedures
Conduct a tabletop exercise or simulation to test your data breach response plan. Ensure staff know their roles and the 72-hour notification requirement to the NDPC under Section 40 of the NDP Act.
Year 2 Success Metrics
Your Year 2 CAR should demonstrate: closure of Year 1 findings, documented training completion, updated policies, and improved technical controls. The NDPC looks for evidence of a maturing compliance programme.