Assuring Compliance

As new policies and procedures become more mature, internal audit will need to perform regular compliance audits to
determine the extent to which the organization is complying with GDPR. Auditors should focus on how the organization
manages data to help strengthen privacy and security controls and ensure they are designed appropriately and operating
effectively. Auditors will need to assure compliance with key aspects of the regulation and provide early warnings about
problems.
Choice and Consent

Under GDPR, organizations must allow users to choose how their personal data is used. Also, organizations must document and maintain consents and request parental authorization before collecting a child’s data.

Legitimate Purpose

To ensure data collection is lawful and necessary, organizations can collect only personal data that is needed to achieve the intended purpose. Reviewing and handling requests for further processing, restricting requests for data related to criminal convictions, and documenting situations where the right to object does not apply are all important. Internal auditors can help reduce risk by sampling data collection mechanisms for compliance.

Limitations

Organizations may keep data no longer than the period required to support the purposes for which it was collected, and they must erase an individual’s personal data upon his or her request. GDPR permits organizations to retain data meant for archiving purposes in the public interest or for reasons of scientific or historical research.

Free Flow of Information and Legitimate Restriction

This principle includes protections for data transfers using legally binding agreements between public authorities, binding corporate rules, model clauses, and other mechanisms.

Third-party Vendor Management

This principle ensures that organizations gather third-party/vendor guarantees of GDPR compliance along with proof that third parties have the required technical and organizational safeguards. The DPOs of the data controller — organizations or individuals that determine the purposes and means of processing data — must provide written authorizations to use a given processor.

Accountability

GDPR’s accountability principle provides a legal basis for processing personal data, establishes the DPO role, and informs citizens and residents of existing privacy rights and safeguards. In addition to overseeing the data protection strategy, the DPO must maintain contact with the supervisory authority and demonstrate compliance.
Internal auditors will need to periodically assess processes and controls for each of these principles to ensure they are
designed and operating effectively. Auditors can review a sample of data transfer documentation to look for data that should not
be transferred to another organization. They can run reports to look for data that is being kept longer than necessary and
review available documentation for any exceptions.
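The retention report described above (data kept longer than necessary, unfulfilled erasure requests, and the archiving exemption under the Limitations principle) can be expressed as a simple rule check. The script below is an added illustration, not code from the article; the retention schedule, record layout and sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Hypothetical retention schedule: maximum number of days each processing
# purpose may keep personal data (assumed values for illustration only).
RETENTION_DAYS = {
    "order_fulfilment": 365,
    "marketing": 180,
    "support_ticket": 730,
}


@dataclass
class Record:
    subject_id: str
    purpose: str
    collected_on: date
    erasure_requested_on: Optional[date] = None  # data subject asked for erasure
    archival_exemption: bool = False  # public-interest archiving / research exemption


def retention_findings(records: List[Record], today: date) -> List[Tuple[str, str]]:
    """Return (subject_id, finding) pairs an auditor would want to review.

    Rules, in order:
      1. Records flagged with the archiving/research exemption are out of scope.
      2. A record still present after an erasure request is a finding.
      3. A purpose with no defined retention period is a finding (control gap).
      4. A record older than its purpose's retention period is a finding.
    """
    findings: List[Tuple[str, str]] = []
    for r in records:
        if r.archival_exemption:
            continue
        if r.erasure_requested_on is not None:
            findings.append((r.subject_id, "erasure_request_outstanding"))
            continue
        limit = RETENTION_DAYS.get(r.purpose)
        if limit is None:
            findings.append((r.subject_id, "no_retention_period_defined"))
            continue
        if today - r.collected_on > timedelta(days=limit):
            findings.append((r.subject_id, "retained_beyond_period"))
    return findings


def sample_records() -> List[Record]:
    """Constructed sample data covering each rule; not real records."""
    return [
        Record("A", "order_fulfilment", date(2023, 1, 15)),           # 503 days old
        Record("B", "marketing", date(2024, 3, 1)),                   # 92 days old, fine
        Record("C", "support_ticket", date(2020, 1, 1), archival_exemption=True),
        Record("D", "marketing", date(2024, 1, 10), erasure_requested_on=date(2024, 5, 20)),
        Record("E", "analytics", date(2024, 4, 1)),                   # purpose not in schedule
    ]


def run_audit(today: date = date(2024, 6, 1)) -> List[Tuple[str, str]]:
    """Run the check over the constructed sample as of a fixed audit date."""
    return retention_findings(sample_records(), today)


if __name__ == "__main__":
    for subject, finding in run_audit():
        print(f"{subject}: {finding}")
```

In practice the records would come from a data inventory or the systems of record, and the audit date from the run time; the fixed date here keeps the sample deterministic. Sorting findings by type gives the auditor a list of exceptions to compare against documented justifications, as the article suggests.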