What is an audit?

Audits vs. assessments

In a strict sense, the term 'audit' can be defined as an official inspection of an organisation's records, typically by an independent certified body, to see how well that organisation is meeting external standards. In other words, a benchmarking exercise to see how well the organisation is doing in terms of compliance. Audits are usually conducted externally, but this is not a pre-requisite.

An audit, in the strict sense of the word, needs to be distinguished from an assessment, which usually takes place merely internally and serves the purpose of identifying current reality within an organisation for the benefit of improvement. However, assessments can also be conducted by an external party.

Ideally, an audit is always preceded by an assessment. An audit often, although not always, carries a risk of sanctions or other negative consequences, whereas an assessment serves the purpose to ensure it never comes to that by defining corrective actions that need to be taken to come to better compliance. Issues discovered during an assessment exercise can still be remedied.

Following the abovementioned reasoning, the only data protection audits that really deserve to be defined as audits in the strict sense of the word are those audits mentioned in Article 58(1)(b) of the GDPR. For the purposes of convenience and in order to avoid confusion with the wording used in the GDPR, we will in this article use the term 'audit' in a broad sense of the word, encompassing both audits in the strict sense and assessments, unless stated otherwise.

First, second, and third-party audits

First-party audits are audits conducted within an organisation internally, or by a consultant specifically hired by the organisation to conduct such an audit. Many organisations have, for example, conducted a first-party assessment of their GDPR compliance when the GDPR entered into force to identify the action points that needed to be tackled in order to correctly implement the GDPR within their organisation.

Second-party audits are audits that are performed by a supplier, customer, or contractor, either before or in the framework of their contractual relationship with the party that is being audited. They are often conducted to check compliance with contractual obligations imposed on organisations by said supplier, customer, or contractor, or to limit liability of the supplier, customer, or contractor for wrongdoing by the contracting party. In the framework of the GDPR, audits conducted by a data controller to check GDPR compliance by their prospective data processors are often second-party audits.

Third-party audits are audits that are performed by independent third parties, usually against a recognised standard. Data protection audits that are conducted by supervisory authorities are third-party audits.

For the purposes of this article, we will mainly be talking about first-party audits.

The importance of audits

The importance of audits in the framework of data protection should not be underestimated.

First of all, a data protection audit can help your organisation to achieve better GDPR compliance. You can only improve your organisation's data protection level if you know exactly what your organisation is doing with the data it collects and processes. Conducting an audit can be useful to map data protection activities and data flows.

Second, after implementation of the GDPR, a data protection audit can give you reassurance that the policies and procedures that have been put in place are properly implemented throughout your organisation. Setting up policies and procedures is useless if they are not followed by the people within the organisation. The fact that people know that regular audits will be performed may also work as an incentive for proper implementation of the data protection policies and procedures. In addition, an audit can help an organisation identify which points of a written policy or procedure are not workable in practice and need to be changed.

Third, data quality can significantly improve upon conducting regular audits of processing activities. Having a dataset that is accurate, up-to-date, and complete may be a valuable asset for a lot of companies. Being able to identify excess data and clean up databases will help improve compliance with data processing principles such as data minimisation and accuracy, but may also lead to a lean dataset that can be used more efficiently.

Last but not least, conducting regular audits can help organisations in identifying potential risks or data breaches early. Taking into account that data breaches are best avoided, or at least discovered as early as possible, periodic auditing can be a valuable tool in this respect. Moreover, the fact that organisations have performed an audit may also allow them to provide more complete information to the supervisory authority in the form of a data breach notification, which in turn could be a mitigating circumstance for the calculation of a fine (Articles 83(2)(f) and 83(2)(h) of the GDPR).

How to conduct an audit

How a data protection audit is best conducted depends on the type of audit that is being performed, as well as on the standard against which behaviour is audited. In general, however, the same steps are followed in each type of audit.

Define the scope of your audit and the rules and standards you will be auditing against

The first thing you will need to do is define the scope of your audit or assessment. What is it that you would like to find out about the data processing activities in your organisation? Do you merely want to benchmark or are you actually looking for potential areas of improvement? What are the rules or standards you are auditing against?

When doing an internal GDPR compliance audit, the scope of the audit will usually be to determine how the organisation already complies with one or more data protection principles contained in the GDPR.

Gather information by conducting audit interviews

The most crucial part of any audit is the gathering of information, so take your time to duly perform this exercise. What tends to work well in practice is to conduct face-to-face interviews with all people that are involved in a certain processing activity. In general, people disclose more information in an oral conversation than they do in writing.

Carefully plan the interviews so as to ensure you have sufficient time to conduct each interview properly, without needing to rush. A lot of information can often be gathered simply by letting somebody speak about their daily processing activities.

Which people need to be interviewed depends on the structure of the organisation. Do not limit yourself to only speaking to the management, but try to speak to the people who are involved in the processing of personal data on a daily basis. In general, most data protection audits require people from the following departments to be interviewed as they usually process a significant amount or personal data or are otherwise involved in the data processing activities of an organisation: HR, marketing, finance, sales, supply chain, legal, and IT. In case you are conducting an audit of an organisation whose business is built around data processing, you will of course also need to interview people involved in the core business of the organisation.

To allow people to prepare for the audit interviews, it is a good idea to circulate a high-level list in advance with specific reference to all documents you would like to see (e.g. "Please bring a copy of your data retention policy"). Such a question list can later function as memory aid when conducting the interviews themselves.

A good practice is to cross-check information with other interviewees, which means that you may need to speak to some people twice. Another good practice is to ask for written evidence of certain statements (e.g. a screenshot of a certain application used to process personal data).

Analyse the information against the defined rules and standards

The next step involves the processing of the information you have gathered and checking whether shortcomings can be identified as to compliance with the rules and standards you are auditing against.

In case you are performing an assessment, rather than an audit in the strict sense of the word, this step should also involve formulating recommendations to remedy the shortcomings you have identified. For example, if you identified that the organisation does not yet have a privacy policy, the recommendation could read that a privacy policy must be drafted and duly published. To ensure recommendations do not remain unread or unactioned, it can be useful to categorise them according to priority, to indicate a specific deadline by when they should be implemented, and/or to assign the implementation of the recommendation to a named individual.

In most cases, the underlying facts, identified shortcomings, and suggested recommendations will be bundled in an audit report. Such an audit report should form part of the internal privacy documentation of the organisation as it can be a crucial document to present to the supervisory authorities in case of an investigation into the data processing activities of the organisation.

This could also be a good time to inform the management of your findings. Management support is often crucial if you want to successfully implement changes which might sometimes be perceived as drastic or time or money consuming.

Implement the recommendations you formulated to overcome shortcomings

Especially in an assessment situation, the goal of the assessment is to improve the audited situation. It is therefore important that any recommendations that would be formulated in the framework of an assessment are indeed duly implemented in a timely manner. As stated above, management support could help in speeding up such implementation.

Often the implementation phase also implies the drafting of privacy related policies and procedures or other privacy related documentation. Such documentation should of course be included in the organisation's internal privacy documentation. Where relevant or required, such documentation should also be duly communicated to the data subjects through, for example, a privacy notice.

Follow-up on implementation and repeat audit periodically

The task of following up on implementation of audit recommendations is usually a task that is assigned to the DPO. Project management software could be a very useful tool to help the DPO with this task, particularly in larger organisations.

As legislation and case law are rapidly evolving in the field of data protection, it is also advisable to repeat the audit process periodically. Conducting a data protection audit once a year is considered to be good practice, but for some organisations that do not have data processing activities as their core business, even this could be too frequent. In case the last audit revealed significant issues, it may nevertheless be wise to repeat the audit process more frequently. An alternative could be to conduct annual audits into specific aspects of the data processing activities (e.g. general data protection audit in year N, audit on IT security in year N+1, audit on data subject rights in year N+2, general data protection audit in year N+3, and so on).

Conclusion

It is clear that data protection audits in general will become ever more frequent. In order to prepare for second and third-party audits, and to ensure general GDPR compliance in your organisation, organising periodic internal data protection audits is a good aid. Such audits can uncover the weak spots of you organisation's GDPR compliance and can ensure that future audits run much smoother.

Take your time to conduct an audit and seek help where necessary. For example, should information gathering prove to be problematic within your organisation, for example because of its size, there are a lot of privacy tools on the market that can help your organisation in centralising the internal privacy documentation.

Jenna Auwerx Lawyer
[email protected]
Monard Law, Brussels