07.04.2025
Data protection audit: Identifying & closing GDPR gaps with checklist
The GDPR provides many control mechanisms for companies to regularly check whether the requirements are being met, and where potential risks exist. One of these mechanisms is the data protection audit. When and for whom is it required? Find out everything you need to know about the process, scope and necessity of data protection audits.

Jacqueline Neiazy
Director Privacy
What exactly is a privacy audit?
A data protection audit is a voluntary analysis and review of the data protection compliance of data processing procedures within a company. It serves to analyse whether individual data processing processes comply with the GDPR, for example when using standardised or individual software (so-called software audit).
For example, contracts, company agreements and internal guidelines are checked for their data protection compliance. In addition to examining the individual processing procedures with regard to their compliance with the GDPR, an audit also serves to examine the corresponding security precautions, such as the level of protection of the technical and organisational measures (TOM) in accordance with Art. 32 GDPR (so-called TOM audit). The GDPR's own control mechanisms, such as the Data Protection Management System (DPMS) or the Register of Processing Activities (ROPA), are also checked for their effective implementation.
The purpose of a data protection audit is to provide a basis for the development of long-term data (protection) strategies. An audit can be used to set up a completely new data protection management system or to redesign and optimise existing operational processes. Organisations benefit from an audit as it often leads to an internal learning process.
Checklist - When should a privacy audit be conducted?
An audit is particularly recommended in the following cases:
- Doubts about the need to appoint a data protection officer
- Doubts about the effectiveness of the data protection management system, the data protection impact assessments carried out, the procedures for dealing with enquiries from data subjects and the lists of processing activities drawn up
- Lack of specific data protection measures for individual areas of the company such as IT, marketing, sales, HR
- Large contracts for order processing, i.e. processing of personal data on the company's behalf by other companies
- Threats to IT security, imminent or possible hacking attacks
- Doubts about sufficient security measures for servers and offices
Who conducts a data protection audit?
The Data Protection Officer (DPO) of a company is responsible for ensuring that the legal requirements for data protection are complied with in the company and for monitoring the correct application of data processing programmes. He or she may therefore take the initiative to carry out an 'internal audit'.
Another possibility is an 'external audit'. This has the great advantage that people outside the organisation or company can carry out an audit with a neutral view. It may also be advantageous to conduct an internal audit together with an external consultancy firm to assist the DPO(s).
How does a data protection audit work?
An effective privacy audit consists of four steps:
Step 1: As-is analysis
The risks and weaknesses of the relevant processes in the respective company are recorded as part of the so-called as-is analysis. This involves regularly checking which processes in the company are at particularly high risk of GDPR breaches.
This is done by reviewing the legal aspects (compliance with the GDPR's transparency principle, scope of consent, etc.) and the actual aspects (compliance with technical and organisational measures to ensure a level of protection appropriate to the risk).
To determine the current situation, the first step can be to distribute questionnaires within the company and ask employees to complete them. In a second step, especially in larger companies, it is useful to conduct interviews with those employees who have a good overview of the individual departments. Targeted interviews can be used to find out more about specific issues. The more carefully the company prepares the relevant information (identification of a contact person, list of relevant departments and relevant managers), the more effective the audit will be.
Another audit method that can be used is sampling. This involves examining a random selection of processes and documents, such as consent forms.
Step 2: Analysis and assessment
Once the individual data protection-relevant processes have been identified, they are analysed and assessed. The key question is whether the processing poses any risks to the data subjects affected by it. If such risks exist, it must be determined whether the data subjects are exposed to a high risk as a result of the processing. This is always a case-by-case assessment (Is the data particularly sensitive? Is there evidence of hacking? Can the measures be financed?).
Step 3: Analysis report with catalogue of measures and implementation
Actions are derived from the results of the as-is analysis in order to achieve a certain 'target state' in terms of compliance with data protection requirements. Measures can be taken at a legal level (e.g. amended consent and privacy statements) as well as at a technical and organisational level (e.g. revision of the list of processing activities or the data protection management system).
Specific recommendations for action and prioritisation are made in relation to the catalogue of measures. Once appropriate measures have been identified, they should be implemented.
Step 4: Documentation and feedback loops
The data protection audit and its results are documented in an audit report. In this way, companies can, for example, refute an accusation of negligence in the event of possible GDPR violations and reduce the risk of fines.
In addition, a regular review helps to prevent violations before they occur. With the documentation, companies also fulfil their accountability obligations under the GDPR and increase confidence in the security of data processing.
Which companies need to be audited?
As the GDPR is generally aimed at all companies that process personal data, a data protection audit is generally recommended for all companies - including small and medium-sized enterprises.
A data protection audit is particularly necessary if there are doubts about the need to appoint a data protection officer. The cases where such a need exists are partly the result of a legal assessment (e.g. when is the transfer of personal data part of a company's core activities? When is personal data particularly sensitive?) and should therefore be carefully considered.
In addition, an audit is necessary if there are indications of possible hacking or other doubts about IT security. Another important starting point is the processing of data relating to employees and applicants. The more extensive the human resources (HR) system, the more urgent the need for a data protection audit.
In addition, other specifics of the company need to be taken into account and it needs to be checked whether sufficient measures are in place to protect personal data in the various departments of the company (e.g. IT, marketing and sales in addition to HR).
A data protection audit may also be necessary if there are extensive order processing contracts, i.e. contracts in which other companies are commissioned to process personal data. Such contracts always carry the risk that responsibilities are not precisely defined or that the transfer of data violates the provisions of the GDPR. In these specific cases, a comprehensive analysis of the current situation from a GDPR perspective is essential.
What is the scope of a data protection audit?
As described above, the GDPR already provides for audits of data protection requirements in some places. Accordingly, these mechanisms of the data protection management system, such as the proper creation of the list of processing activities and the process related to the processing of data subject requests, need to be examined in particular.
Furthermore, it needs to be checked whether employees have sufficient knowledge and clear guidelines on how to deal with the GDPR's reporting obligations (to supervisory authorities and data subjects) in the event of data breaches.
The effective involvement of the DPO in the organisation should then be reviewed. In particular, it should be ensured that there is a regular exchange between the DPO and employees in order to raise their awareness of the handling of personal data. Training sessions are particularly suitable for this purpose. Care should be taken to ensure that employees are trained not only in the event of data protection incidents, but above all in dealing with the rights of data subjects.
The GDPR requires not only a transparent system for data subjects to exercise their rights, but also a prompt response from companies to data subject requests.
Rely on expertise for data protection audits
The data protection audit provides a regular, expert review of your organisation's compliance with data protection regulations. A data protection audit not only protects you from legal risks, but also builds trust with customers, business partners and employees.
In most cases, an effective data protection audit can be achieved with external help. The ISiCO team of data protection experts is at your side. Arrange a non-binding initial consultation now!
Your solution for the best data protection
The basis of every good business relationship is trust. Strengthen the relationship with your customers with our expertise in data protection. This will give your company a strong competitive advantage and allow you to concentrate fully on your business.