A data protection audit involves reviewing various areas within a company to ensure that all data protection requirements are met and personal data is adequately protected. The areas to be reviewed may vary depending on the company and industry, but typically include the following key aspects:
- Data processing operations: Review of the processes for collecting, storing, using and deleting personal data. This includes checking the lawfulness of data processing in accordance with Article 6 GDPR and compliance with the principles of data processing in accordance with Article 5 GDPR.
- Technical and organizational measures (TOMs): Review of the measures taken to protect personal data, such as encryption, access controls and data backups. These measures must meet the requirements of Article 32 GDPR.
- Processing by third parties: Review of data processing agreements with third parties to ensure that they adhere to the same data protection standards as the company itself (Article 28 GDPR).
In addition to these areas, compliance with the rights of data subjects and the transparency of data processing are also checked. This includes compliance with the information obligations under Articles 13 and 14 GDPR as well as the implementation of the rights to information, rectification, erasure and objection (Articles 15 to 21 GDPR).
- Rights of data subjects: Review of how the company implements the rights of data subjects and ensures that requests are answered in a timely and complete manner.
- Documentation and evidence: Review of documentation, including processing records (Article 30 GDPR), data protection impact assessments (Article 35 GDPR) and evidence of consent given (Article 7 GDPR).
- Training and awareness: Review of measures to train and raise awareness among employees regarding data protection and data security.