About Audit in GDPR Context

A short definition

AUDIT - Professional examination of information in order to express a responsible and independent opinion in relation to a certain standard.

Depending on the standard or domain, other terms are used, such as: Assessment, Examination, Control, Inspection, Verification, Testing ...

So, contrary to the opinions of "experts", the audit is NOT a "checklist" with questions such as "Do you have a ..." that must be checked by those audited.

Little context about audit in relation to GDPR

An audit is an indispensable tool for a DPO to assess the organization's state of compliance. It is needed at the beginning of a compliance process, periodically to evaluate the compliance status, and also as a tool for testing the effectiveness of the implemented measures, an activity the GDPR makes mandatory and without which the measures taken are almost useless.

Depending on the purpose, object and reference standard of the audit, there are several methods of performing this activity. Personal data protection is a multidisciplinary domain, with many applicable national standards, methodologies or laws outside the GDPR (COSO / COBIT, ISO 9001, ISO 27001, ISO 31000, CMMI, 3LoD, GRC, PMP…), and the methods, techniques and means of audit are correspondingly diverse.

Also, it is generally not efficient for a single function to audit all domains and processes. The existing control functions, where they exist, and / or the periodic reports to management should also be used for this purpose.

Auditing methods or techniques

The main audit techniques are:

  • direct observation
  • interviews with the responsible / involved persons
  • sociological analysis of the users' opinions
  • analysis of documentation or deliverables
  • direct monitoring of the performance of a process

The degree of accuracy of the assessment depends on the technique used in the audit, on the auditor's experience in the audited field and on the technologies used in data processing. In practice these techniques are rarely used independently; usually several different techniques are combined within the same audit in order to increase the degree of confidence in the audit results.

Of these techniques, direct observation and interviews are the most dependent on the auditor's experience. The analysis of documents and deliverables offers a higher degree of confidence, but it depends on the choice / sampling of the cases to be analyzed, since these techniques usually cannot cover all cases.

Direct monitoring of the performance of a process requires the prior implementation of measuring mechanisms, as automated as possible, and the definition of the objectives and performance indicators appropriate for measuring the effectiveness and / or efficiency of the monitored processes. The visibility of the results is also very important: they should be reported in real time to the decision makers.

These are always followed by an analysis of the information collected, resulting in an opinion on the degree of compliance with the reference standards; in case of deviations from them, recommendations are formulated in order to achieve compliance.

Selecting the most appropriate audit techniques

Depending on the complexity of the organization, of the processes and systems used, and on the knowledge and resources required, the best available choice is made. It is important that each area and process is audited, one way or another, periodically.

Obviously prioritization is important: the areas with high risk, whether in terms of probability of being affected or of impact, are the ones to which more attention should be allocated.

Initial conditions and organizational culture

  • Existence of documentation of the structure of the organization, of the responsibilities of the departments
  • Existence of the documentation of the processing, the means of processing and the processed data
  • Existence of documentation of the relevant existing controls for the GDPR
  • Documentation and communication of the benchmarks to be used in the audit
  • Defining how to collaborate with other functions involved in control and monitoring activities

Selection criteria

  • Importance of the audited process (and its risk)
  • Purpose of the audit
  • Scope and reference standard
  • Organizational culture
  • Existing (human and technological) resources
  • The auditor's experience in the analyzed area
  • Existence of specialized monitoring or audits

Steps to follow during an audit

1. Establishing the purpose, the coverage area (departments, processes, controls ...)

2. Establishing reference standards and conformity assessment criteria

3. Selection of audit techniques for each control

4. Planning the audit

5. Collection of information

6. Analyze information and form a professional opinion, followed by recommendations where appropriate

7. Validation of professional opinion with those involved

8. Audit report

9. Monitoring the application of recommendations

Best practices (from personal experience)

I consider the main purpose of an audit to be making sure there is a process followed by the team, meaning a set of general rules followed by everyone involved in the process. The fact that processing is done differently by each performer or group of performers, depending on personal experience, denotes the lack of a process.

The purpose of an audit should be not only to evaluate the documentation of a process, but above all the effective application of the audited process. Whether the documentation is respected, or how the activity is documented, are only secondary criteria. Too often the actual process is different from the formal (official) one.

Keep in mind that an audit is usually an incremental process. Depending on the results obtained in the first planned round, it is possible to identify new audit needs, perhaps with new techniques, new means and new objectives.

Inconsistencies between the formal process and the factual processing, or between the results obtained in interviews and the records, the monitoring or the reports on these processes, are an alarm signal and an indicator that the audit must be deepened.

Another issue to consider is the handling of exceptions. In any defined process there are exceptions that cannot be documented (or are not worth the effort), but the way of treating them must be defined (usually this is the duty of the person in charge). It is worth analyzing the frequency of these exceptions, so that they do not become the rule.

An important criterion in the audit, especially for the GDPR, is the existence of records. The lack of records (records of the actions taken) makes it impossible to objectively evaluate the processes and to demonstrate them, which is a mandatory requirement according to the GDPR. The most common cause is the failure to record events when they take place, with the intention of documenting them later ... if it is considered necessary ... and if there is time.

In order to increase efficiency and the degree of confidence, it is necessary to analyze beforehand the existing monitoring and the results of other forms of audit. For specialized areas within an organization (e.g. IT / security) it is common and recommended practice to use the results of specialized audits, adding only the analysis of the specific (GDPR) requirements not addressed by the specialized audit. Carrying out audits together with other functions involved in process monitoring also brings a very high added value.

If you have come this far, I can only thank you for your interest and patience.

If you have any comments, including criticism or suggestions, feel free to let me know :)
