Our services - Audit

The audit is a tool for evaluating the effectiveness of your organisation’s data protection management processes in an objective, independent and documented way. It is also the reference tool for demonstrating that, when you entrust service providers with personal data processing operations, they are capable of guaranteeing the security and legitimate use of the data you entrust to them, as well as upholding the fundamental rights of the individuals concerned.

What auditing method do we use?

To achieve its objective, and regardless of its scope, an audit must be conducted methodically and in compliance with ethical principles. The members of our team who undertake audit missions are trained in auditing practices that implement the ISO 19011:2018 guidelines prescribed for auditing management systems.

Our method is based on:

  • Obtaining a thorough prior understanding of the organisation’s operations and of the business processes included in the compliance process.
  • Considering the size, complexity, types of risks and opportunities, and maturity level of the compliance management system to be audited.
  • Defining the objectives, scope, and framework on which the audit will be based.
  • Defining the procedures for conducting the audit (interviews, document reviews, on-site audit, remote audit, or a combination of the two).
  • A risk-based approach to planning.
  • Communication before, during, and after the audit.
  • Defining the audit deliverables: audit plan; opening, follow-up, and closing; audit report; and reporting of findings to the organisation’s management.

The ethical principles applied are:

  • Competence, ethics, honesty, and responsibility
  • Impartial feedback
  • Professionalism
  • Confidentiality
  • Independence
  • Evidence-based approach
  • Risk-based approach

We have experience in conducting internal (first-party) and contractor/vendor (second-party) audits of various scopes and for organisations of various sizes and types, for example: healthcare software vendors, healthy volunteer investigation centres, biological resource centres, healthcare data warehouses, international research organisations and biotechnology companies, in France, Europe and the United States.

What are our frameworks of reference?

ISO 27701: This is the reference standard for organisations that want to implement a data protection (privacy) and security management system, operated by a DPO or by an internal compliance governance committee. The standard combines a generic personal data protection or privacy management system with the information security management system of ISO 27001.

Your data protection policy: If your organisation has implemented such a policy, we take into account the requirements your organisation has adopted within the framework of that policy, the data protection governance controls you have established, and the compliance essentials you have integrated into the requirements of your internal business lines and functions.

A tailored framework: If your organisation is still far from meeting the requirements of a data protection or privacy and security management system according to ISO 27701, we adapt our audit framework to take into account the baseline and target maturity level of your organisation for each component of the compliance matrix at that level.

We have integrated the specific requirements of the European GDPR and the Swiss nFADP into the ISO 27701 framework, and plan to integrate other data protection and privacy legislation. We provide our audit services as part of internal or contractor/vendor compliance assessments. We are not accredited to conduct certification audits; however, the internal audit approach can be used to assess your deviations from certification status and provide a starting point for future certification by an accredited body.

Internal compliance audit

In addition to the main audit framework, we take into account the requirements arising from other legislation, standards or soft law frameworks to which your organisation is subject or which it has chosen to apply:

For the field of health research, ICH GCP E6 and all applicable legislation, for example:

  • The European Regulation on Clinical Trials of Medicinal Products for Human Use (Regulation (EU) 536/2014),
  • The European Regulation on Medical Devices (Regulation (EU) 2017/745),
  • The Reference Methods (MR) relating to health research of the CNIL in France,
  • The ISO 20387:2018 standard relating to biobanking activities,
  • etc.

For the healthcare sector:

  • Applicable healthcare standards: for example, the Health Data Hosting Standard and the Health Standards (RS) of the CNIL in France, the Telemedicine Information Systems Standard, etc.
  • Applicable or desired cyber security standards: the European NIS2 directive, the UK’s Cyber Essentials, the CNIL’s Data Security Standards in France, etc.

We can help you prepare your audit plan based on your applicable legislative and soft law framework, as well as your specific context. Please do not hesitate to contact us to discuss your specific needs.

Processor audit

We work upstream with your organisation to:

  • Understand your objectives (selection audit, audit for cause, routine audit).
  • Analyse the scope and nature of the outsourced personal data processing operations.
  • Analyse any deviations, vulnerabilities, and risks already detected where the outsourced personal data processing operations are already in production.
  • Propose an audit plan that takes all these elements into account.

For clinical research service providers (“CROs”), we can conduct an audit based on the GDPR Code of Conduct of the European CRO Federation (EUCROF), for those that are not yet certified or have not yet adhered to this code of conduct, approved in June 2024 by the European Data Protection Board (EDPB).

Why choose us?

Our auditors have the expertise required to carry out an audit mission, including in-depth knowledge of the applicable legislation and soft law, of research and healthcare processes, and of the related technologies.

Our auditors are trained and experienced in the ISO 19011:2018 audit methodology.

We can put together an audit team that includes legal expertise as well as expertise in information security management (in accordance with ISO 27001).

Alcoam by Design is a consulting firm dedicated to DPO, audit and data protection consultancy services in the healthcare sector. We have no interest other than delivering these services. Our growth is based exclusively on ‘word of mouth’, which means that we conduct each mission in a professional manner.

Alcoam by Design has established internal rules for the management of its client portfolio and services, to prevent any conflict of interest or conflicting obligations.

Our other services for the protection of health data

  • Data Protection Officer (DPO)
  • Training in health personal data privacy
  • Risk management in information security and data privacy

You can put your trust in us to meet your personal data protection and privacy compliance needs in the health area:

  • Do you have a specific question related to data protection in the health area? Ask us your question, and we will be happy to answer it at no cost to you.
  • Would you like to be put in touch with a member of our customer or partner network, to receive confidential feedback on our services?
  • Would you like to know more about our company: our working methods, tools and knowledge base, and our ability to meet your needs and projects?

All of our discussions are governed by our personal data protection and privacy policy.