Audits

A data protection audit assists a business in understanding what personal data the organisation collects and processes. It is carried out to ascertain if the organisation is compliant with the data protection laws and it will usually assess the organisation’s procedures, systems, records and activities.

The UK GDPR includes an accountability principle which requires a controller to demonstrate compliance with the data protection principles of the UK GDPR. An audit is one of the ways in which a controller can demonstrate accountability. Although the UK GDPR does not directly apply to processors, both controllers and processors have compliance obligations and an audit is one of the ways which can demonstrate compliance.

This depends on the size and complexity of the organisation. At minimum, a data protection audit should be performed once each year. If there are several areas that need to be improved, you should consider working on those areas more regularly until the organisation is confident that it is compliant with the data protection regulation.

In summary, the data protection audit is likely to cover governance and accountability; security measures in place; whether data is transferred outside the UK and arrangements for such transfers; and whether there are procedures for data subjects’ rights, amongst other areas. The nature of the audit will depend on the specific organisation and method of audit.

If the organisation has a data protection officer (DPO), they will likely oversee the audit. If the organisation has no DPO or Compliance Manager, then the business must select an auditor. The auditor will then decide whether to use a customised questionnaire audit or conduct a personal interview or a blend of both methods.