14/04/2022, 18:34 EU: Implementation series part 8 - Data protection audits | Insights | DataGuidance
Apr 2022
EU: Implementation series part 8 - Data protection audits
Data protection audits come in various forms. The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') itself, for example, explicitly mentions:
- audits by data controllers examining compliance by their appointed data processors;
- internal audits to be conducted by the data protection officer ('DPO'); and
- data protection audits conducted by the supervisory authorities.
Following the judgment of the Court of Justice of the European Union in Schrems II,
international data transfer audits can be added to that list. Most commonly, however, data
protection audits refer to internal audits conducted by an organisation's DPO to determine the
organisation's level of compliance with one or more specific data protection rules (i.e. the audit
mentioned under the second point above).
Jenna Auwerx, Lawyer at Monard Law, provides insight on data protection audits, why they are
important, and what points to take into consideration when performing the same.
https://www.dataguidance.com/opinion/eu-implementation-series-part-8-data-protection 1/6
What is an audit?
Audits vs. assessments
In a strict sense, the term 'audit' can be defined as an official inspection of an organisation's records, typically
by an independent certified body, to see how well that organisation is meeting external standards. In other
words, a benchmarking exercise to see how well the organisation is doing in terms of compliance. Audits
are usually conducted externally, but this is not a prerequisite.
An audit, in the strict sense of the word, needs to be distinguished from an assessment, which usually takes
place merely internally and serves the purpose of identifying current reality within an organisation for the
benefit of improvement. However, assessments can also be conducted by an external party.
Ideally, an audit is always preceded by an assessment. An audit often, although not always, carries a risk of
sanctions or other negative consequences, whereas an assessment serves to ensure it never comes to that,
by defining the corrective actions that need to be taken to achieve better compliance. Issues discovered
during an assessment exercise can still be remedied.
Following the abovementioned reasoning, the only data protection audits that really deserve to be defined
as audits in the strict sense of the word are those audits mentioned in Article 58(1)(b) of the GDPR. For the
purposes of convenience and in order to avoid confusion with the wording used in the GDPR, we will in this
article use the term 'audit' in a broad sense of the word, encompassing both audits in the strict sense and
assessments, unless stated otherwise.
First, second, and third-party audits
First-party audits are audits conducted within an organisation internally, or by a consultant specifically hired
by the organisation to conduct such an audit. Many organisations have, for example, conducted a first-party
assessment of their GDPR compliance when the GDPR entered into force to identify the action points that
needed to be tackled in order to correctly implement the GDPR within their organisation.
Second-party audits are audits that are performed by a supplier, customer, or contractor, either before or in
the framework of their contractual relationship with the party that is being audited. They are often conducted
to check compliance with contractual obligations imposed on organisations by said supplier, customer, or
contractor, or to limit liability of the supplier, customer, or contractor for wrongdoing by the contracting party.
In the framework of the GDPR, audits conducted by a data controller to check GDPR compliance by their
prospective data processors are often second-party audits.
Third-party audits are audits that are performed by independent third parties, usually against a recognised
standard. Data protection audits that are conducted by supervisory authorities are third-party audits.
For the purposes of this article, we will mainly be talking about first-party audits.
The importance of audits
The importance of audits in the framework of data protection should not be underestimated.
First of all, a data protection audit can help your organisation to achieve better GDPR compliance. You can
only improve your organisation's data protection level if you know exactly what your organisation is doing
with the data it collects and processes. Conducting an audit can be useful to map data protection activities
and data flows.
Second, after implementation of the GDPR, a data protection audit can give you reassurance that the policies
and procedures that have been put in place are properly implemented throughout your organisation.
Setting up policies and procedures is useless if they are not followed by the people within the organisation.
The fact that people know that regular audits will be performed may also work as an incentive for proper implementation
of the data protection policies and procedures. In addition, an audit can help an organisation
identify which points of a written policy or procedure are not workable in practice and need to be changed.
Third, data quality can significantly improve upon conducting regular audits of processing activities. Having a
dataset that is accurate, up-to-date, and complete may be a valuable asset for a lot of companies. Being able
to identify excess data and clean up databases will help improve compliance with data processing principles
such as data minimisation and accuracy, but may also lead to a lean dataset that can be used more
efficiently.
Last but not least, conducting regular audits can help organisations in identifying potential risks or data
breaches early. Taking into account that data breaches are best avoided, or at least discovered as early as
possible, periodic auditing can be a valuable tool in this respect. Moreover, the fact that organisations have
performed an audit may also allow them to provide more complete information to the supervisory authority
in the form of a data breach notification, which in turn could be a mitigating circumstance for the calculation
of a fine (Articles 83(2)(f) and 83(2)(h) of the GDPR).
How to conduct an audit
How a data protection audit is best conducted depends on the type of audit that is being performed, as well
as on the standard against which behaviour is audited. In general, however, the same steps are followed in
each type of audit.
Define the scope of your audit and the rules and standards you will be auditing against
The first thing you will need to do is define the scope of your audit or assessment. What is it that you would
like to find out about the data processing activities in your organisation? Do you merely want to benchmark
or are you actually looking for potential areas of improvement? What are the rules or standards you are auditing
against?
When doing an internal GDPR compliance audit, the scope of the audit will usually be to determine how the
organisation already complies with one or more data protection principles contained in the GDPR.
Gather information by conducting audit interviews
The most crucial part of any audit is the gathering of information, so take your time to duly perform this exercise.
What tends to work well in practice is to conduct face-to-face interviews with all people that are involved
in a certain processing activity. In general, people disclose more information in an oral conversation
than they do in writing.
Carefully plan the interviews so as to ensure you have sufficient time to conduct each interview properly,
without needing to rush. A lot of information can often be gathered simply by letting somebody speak about
their daily processing activities.
Which people need to be interviewed depends on the structure of the organisation. Do not limit yourself to
only speaking to the management, but try to speak to the people who are involved in the processing of personal
data on a daily basis. In general, most data protection audits require people from the following departments
to be interviewed, as they usually process a significant amount of personal data or are otherwise involved
in the data processing activities of an organisation: HR, marketing, finance, sales, supply chain, legal,
and IT. If you are conducting an audit of an organisation whose business is built around data processing,
you will of course also need to interview people involved in the core business of the organisation.
To allow people to prepare for the audit interviews, it is a good idea to circulate a high-level list in advance
with specific reference to all documents you would like to see (e.g. "Please bring a copy of your data retention
policy"). Such a question list can later function as memory aid when conducting the interviews
themselves.
A good practice is to cross-check information with other interviewees, which means that you may need to
speak to some people twice. Another good practice is to ask for written evidence of certain statements (e.g.
a screenshot of a certain application used to process personal data).
Analyse the information against the defined rules and standards
The next step involves the processing of the information you have gathered and checking whether shortcomings
can be identified as to compliance with the rules and standards you are auditing against.
In case you are performing an assessment, rather than an audit in the strict sense of the word, this step
should also involve formulating recommendations to remedy the shortcomings you have identified. For example,
if you identified that the organisation does not yet have a privacy policy, the recommendation could
read that a privacy policy must be drafted and duly published. To ensure recommendations do not remain
unread or unactioned, it can be useful to categorise them according to priority, to indicate a specific deadline
by when they should be implemented, and/or to assign the implementation of the recommendation to a
named individual.
In most cases, the underlying facts, identified shortcomings, and suggested recommendations will be bundled
in an audit report. Such an audit report should form part of the internal privacy documentation of the
organisation as it can be a crucial document to present to the supervisory authorities in case of an investigation
into the data processing activities of the organisation.
This could also be a good time to inform the management of your findings. Management support is often
crucial if you want to successfully implement changes which might sometimes be perceived as drastic or
time or money consuming.
Implement the recommendations you formulated to overcome shortcomings
Especially in an assessment situation, the goal of the assessment is to improve the audited situation. It is
therefore important that any recommendations that would be formulated in the framework of an assessment
are indeed duly implemented in a timely manner. As stated above, management support could help in
speeding up such implementation.
Often the implementation phase also implies the drafting of privacy related policies and procedures or other
privacy related documentation. Such documentation should of course be included in the organisation's internal
privacy documentation. Where relevant or required, such documentation should also be duly communicated
to the data subjects through, for example, a privacy notice.
Follow-up on implementation and repeat audit periodically
The task of following up on implementation of audit recommendations is usually a task that is assigned to
the DPO. Project management software could be a very useful tool to help the DPO with this task, particularly
in larger organisations.
As legislation and case law are rapidly evolving in the field of data protection, it is also advisable to repeat
the audit process periodically. Conducting a data protection audit once a year is considered to be good practice,
but for some organisations that do not have data processing activities as their core business, even this
could be too frequent. In case the last audit revealed significant issues, it may nevertheless be wise to repeat
the audit process more frequently. An alternative could be to conduct annual audits into specific aspects of
the data processing activities (e.g. general data protection audit in year N, audit on IT security in year N+1,
audit on data subject rights in year N+2, general data protection audit in year N+3, and so on).
Conclusion
It is clear that data protection audits in general will become ever more frequent. In order to prepare for second
and third-party audits, and to ensure general GDPR compliance in your organisation, organising periodic
internal data protection audits is a good aid. Such audits can uncover the weak spots of your organisation's
GDPR compliance and can ensure that future audits run much more smoothly.
Take your time to conduct an audit and seek help where necessary. Should information gathering
prove problematic within your organisation, for example because of its size, there are many privacy
tools on the market that can help your organisation centralise its internal privacy documentation.
Jenna Auwerx, Lawyer
jenna.auwerx@monardlaw.be
Monard Law, Brussels