INTERNAL DATA PROTECTION AUDIT OR REGULATORY CONTROL?

Data protection compliance can be checked in two ways. An enterprise can verify its own compliance through regular internal data protection audits, or it can wait until the responsible supervisory authority takes the opportunity to inspect the controller itself. The latter is tactically unwise. We therefore advise our clients to conduct annual data protection audits; we believe this is the only way to adequately ensure compliance with the legal requirements.

RECOGNIZING THE PROBLEMS AHEAD OF TIME

During an on-site inspection, the supervisory authority may examine whether your organization has complied with the legal requirements on data protection. If it has not, a fine may be imposed on the controller. Regular internal data protection audits allow such shortcomings to be identified and remedied before an inspection, reducing this risk.

INFORMING OTHER AUTHORITIES

The supervisory authority may report any violations it finds to other authorities entitled to take action, such as the Trade Supervisory Board. This can result in trade-related measures against the controller. Regular audits reduce this risk.

MUTUAL ASSISTANCE WITHIN THE EU

If a national supervisory authority establishes a data protection violation, it may inform the supervisory authorities of other Member States. The controller's branch offices in those Member States may then be inspected as well, which can lead to further fines. Regular data protection audits reduce this risk.

In order to identify potential risks and to ensure that data protection procedures comply with the law, the German Association for Data Protection recommends conducting regular internal data protection audits.

WHAT HAPPENS IN THE COURSE OF AN INTERNAL DATA PROTECTION AUDIT?