A regular data protection audit makes sense for the person responsible because it represents a suitable control measure by means of which compliance with legal regulations is determined and documented.
All employees who have or may have access to personal data should receive at least annual data protection training. New employees should be obliged to keep secrets as soon as they join the company. Departing employees are obliged to hand over all equipment and documents containing personal data to another person who is obliged to maintain data secrecy.
In order to support the data protection officer of a company and to independently document the implementation of the legal regulations, the German Society for Data Protection recommends internal data protection audits.
The first step of a data protection audit is to identify the types of data held by the person responsible. In corporations or groups of companies, however, it is first necessary to identify the person responsible.
The data protection auditors of the German Society for Data Protection examine the procedures and document the company-related processes. The data processing systems used in the company are checked and stored in the audit documentation. A detailed analysis of the data processing is carried out by questioning the employees and, if necessary, the members of the employee representatives. The knowledge gained is documented.
An anonymous company-wide survey may give our data protection auditors an even clearer picture of the data use and storage processes of the person responsible. Employees are also asked whether they understand and comply with the data protection guidelines.
The auditors of the Deutsche Gesellschaft für Datenschutz check whether the data protection guidelines and procedures are appropriate and proportionate and whether they have been correctly implemented by the person responsible.
The data protection basic structure of the person responsible is finally documented after a complete check. Recommendations for the protection of personal data are given below if the auditors deem this necessary.