What is a Data Privacy Audit and Why Do You Need It?

Carolin Puls 8/29/2023

A data protection audit reveals the current state of data protection in companies. Find out here why this makes sense.

Table of contents
  1. Your certificate in terms of data protection
  2. What is a data protection audit?
  3. That's why a data protection audit makes sense
  4. How does a data protection audit work?
  5. What costs can arise during a data protection audit?
  6. These tools support you in conducting a data protection audit

You are responsible for data protection in your company and are supposed to conduct a data protection audit? Here you will learn why this is useful and how such an audit is carried out.

Recommended data protection management software

On our comparison platform OMR Reviews you can find more recommended privacy software. We present more than 40 tools that ensure the protection of personal data for digital privacy. Data protection management software offers comprehensive support in all aspects of data protection management. Use this opportunity to compare the different software solutions and rely on authentic and verified user reviews:

Your certificate in terms of data protection

The General Data Protection Regulation and the Federal Data Protection Act oblige companies to process and protect personal data appropriately. Therefore, regular checks and reviews of the processes in your company that ensure correct processing are necessary. In a data protection audit, you take a close look at these processes and identify - if necessary - potential for improvement. In this article you will learn what a data protection audit is and why it is useful to conduct audits regularly. In addition, you will read about how a data protection audit is carried out and what it costs. Last but not least, we present different tools that can support you in conducting a data protection audit.

What is a data protection audit?

A data protection audit is the voluntary review of your company's data protection compliance. The right to carry one out is included in §9a of the Federal Data Protection Act. It records the current state of the collection, storage, and transfer of personal data. This is to ensure that your data processing processes are in accordance with the GDPR. The General Data Protection Regulation prescribes the introduction of a data protection management system. This implies that your data processing must be rule-compliant and systematically verifiable. The audit can be used to create a new data protection management system as well as to optimize and redesign existing processes. You can therefore understand a data protection audit as an internal learning process.

If your company has a data protection officer, this person is responsible for compliance with the legal requirements for data protection. This person also has the right to initiate an internal audit. But there is also the possibility to conduct an external data protection audit. Cooperation with independent, certified experts can support the internal work of data protection officers and bring a fresh perspective into your organization.

For the check, your company's data protection concept, document reviews, and employee interviews can be used. After the audit, your company can publish the results to demonstrate that it meets the requirements for data protection.

That's why a data protection audit makes sense

Generally, the voluntary review of data protection compliance is useful for every company. After all, it provides an inventory and gives you specific recommendations for improving data protection in your company. Even if you already have a data protection concept, it is important to regularly check that it is being followed. After all, over time it can happen that “annoying” rules are no longer taken so strictly, because they make daily work more difficult. However, since the protection of personal data should be a top priority for your company, you must ensure that the regulations of the GDPR and your data protection concept are complied with. If you have your personal data processed by a partner company, you should also regularly put that partner under scrutiny. Through the audit report, your business partners can prove that they comply with the regulations to which they have committed in your contract.

A data protection audit can also be useful in the following cases:

  • Your company does not have a data protection officer.

  • The sales and marketing departments are not familiar with the GDPR regulations.

  • You have doubts as to whether your IT systems are adequately protected, for example by firewalls and encryption.

  • Not all IT systems have been fully audited and documented.

  • You have concluded extensive contract-processing agreements with external companies.

  • It should be ensured that your company only collects data from employees, customers, and partners that it is authorized to collect.

  • Your email marketing does not solicit consents via double opt-in.

How does a data protection audit work?

You should prepare a data protection audit with enough lead time to ensure a smooth process during the review. This includes informing all employees of the company about the upcoming audit. This is important because, in addition to the core processes, secondary processes are also checked. These include processes in purchasing, human resources, sales, and IT, since personal data is also collected there. Each department should designate fixed employees as contact persons for queries. Then you can start scheduling your data protection audit. To realistically assess the time required, you can conduct a so-called pre-audit. For this, you can use a sample data protection audit questionnaire for guidance and draw conclusions from the results about the time needed for the proper audit. If you already notice deficiencies in the pre-audit, you have until the audit date to eliminate them.

On the day of the audit, the auditors work through a prepared questionnaire in which they focus on four areas. These are general data protection (e.g. information obligations and data collection) and subsequent data processing (e.g. programs used and access rights to collected data). Also, the handover of collected data to internal and external parties (such as contract processors, tax advisors, group companies), and the security of information (e.g. through technical precautions) are relevant for the audit. The following points could be asked by the auditors of the data protection audit in your company:

  • Is there a data protection officer?

  • Are the employees bound to data secrecy according to §5 BDSG?

  • Are there data protection training sessions?

  • Has a data protection concept been developed?

  • Is access to the company restricted?

  • Are the computer rooms accessible only to authorized employees?

  • Are the servers securely positioned?

  • Is access to rooms where data is stored restricted?

  • Have screen locks been installed?

  • Is there a firewall, is it activated and up to date?

  • Has software been installed to protect against malicious software, is it activated and updated?

  • Is there user identification/authentication?

  • Are the passwords used secure?

  • Is there a concept for access permissions?

  • Are violations of access permissions logged?

  • Are data carriers safely disposed of?

  • Is a data encryption system set up and active?

  • Is regular maintenance and testing of data processing systems carried out?

  • Is outdated equipment disposed of?

  • Is there a restriction on the use of private devices?

  • Are collections, changes, and deletions documented?

  • Is there a conflict management system in case of violations or suspected violations?

  • Are there mechanisms for self-monitoring on the part of the contract processors?

  • Are the data protected against accidental deletion or destruction?

  • Are there backup copies?

  • Are jointly collected data processed separately from each other?

Honesty and precision are particularly important when answering the questions. You must make clear which measures your company takes to meet the legal requirements.

As soon as the auditors have handed in their report, you can derive suitable measures from the results to achieve the target state. The more precisely these are formulated, the more usable they are later on. For the remediation of any weaknesses, the auditor assigns a priority, which you should definitely take into account. Once you have taken appropriate measures, these should be implemented permanently so that they are not flagged again in a subsequent audit. After each audit, you should revise your privacy policy. Once this has been checked by external, independent auditors, they issue a certificate upon positive assessment. Now you can publish your new privacy policy. Before you are allowed to advertise with the quality seal, you must have your data protection audit registered in a central directory.

What costs can arise during a data protection audit?

The costs of a data protection audit depend on whether you want it to be conducted by your data protection officer, i.e. internally, or externally. For an internal data protection audit, you must budget the hourly wages of the employees who carry out the audit and are involved in providing data and information. The costs for an external audit depend, among other things, on the size of your company. For small and medium-sized companies, the costs can be between 1000 and 3000 euros. This is only a fraction of the sum a GDPR violation can cost. For larger companies with more employees, the costs for externally conducted audits can be correspondingly higher.

These tools support you in conducting a data protection audit

Your data protection audit is a sensible step towards complying with the data protection regulations of the GDPR. As the preparations for carrying out the audit and the resulting measures can be very extensive, it is useful to get technical support in the form of data protection management software. You can use it to identify and remove malicious software, encrypt and track data, and restrict access to your network from outside. The following tools will support you in complying with the General Data Protection Regulation guidelines:

Based on extensive user feedback on OMR Reviews, you can identify the data protection management tool that fits ideally to your company.

Your check-up for more security

With the help of a data protection audit, you shed light on the data protection processes within your company. It helps you to record the current state, which you can compare with the target state. Based on the results obtained, you work out concrete measures with which you can ensure long-term and optimal security of the data collected and processed in your company. Moreover, transparently communicated audit results strengthen your customers' loyalty and trust in your company. Thus, a regular data protection audit becomes a small task for your data protection officer, but a great added value for your company.

Carolin Puls

Carolin is a freelance editor at OMR and an author with all her heart. As a brand manager, she was previously responsible for marketing at various companies in the FMCG industry. Alongside her work, Carolin completed her studies as a marketing business administrator.
