Because only those who actively deal with the situation and look behind the scenes can achieve improvements.


A regular data protection audit makes sense for the person responsible because it represents a suitable control measure by means of which compliance with legal regulations is determined and documented.

All employees who have or may have access to personal data should receive at least annual data protection training. New employees should be obliged to keep secrets as soon as they join the company. Departing employees are obliged to hand over all equipment and documents containing personal data to another person who is obliged to maintain data secrecy.

In order to support the data protection officer of a company and to independently document the implementation of the legal regulations, the German Society for Data Protection recommends internal data protection audits.


In a data protection audit, it is checked which employees of the person responsible come into contact with personal data, in what form this happens and how the processing of personal data is structured. Compliance with legal regulations is considered. However, an audit usually includes additional work steps.

1. Identification

Information collection and analysis of the data processing process

2. Classification

Data differentiation according to legally protected and other data

3. Review & Recommendation

For better protection of personal data

1. Identification

The first step of a data protection audit is to identify the types of data held by the person responsible. In corporations or groups of companies, however, it is first necessary to identify the person responsible.

The data protection auditors of the German Society for Data Protection examine the procedures and document the company-related processes. The data processing systems used in the company are checked and stored in the audit documentation. A detailed analysis of the data processing is carried out by questioning the employees and, if necessary, the members of the employee representatives. The knowledge gained is documented.

An anonymous company-wide survey may give our data protection auditors an even clearer picture of the data use and storage processes of the person responsible. Employees are also asked whether they understand and comply with the data protection guidelines.

2. Classification

Subsequent data classification then allows the responsible body to use resources efficiently and to place data that is particularly sensitive to confidentiality under special protection.
The following data classification allows the person responsible, among other things, to use resources more efficiently and to particularly secure data that requires confidentiality. It is also possible to distinguish between legally protected (personal) data and other data. By categorizing the data, IT departments are able to better protect the data being processed. You can use human and financial resources more precisely. Unused data can be identified and deleted for reasons of cost optimization and because of the principle of data economy. In our audit report, our auditors also consider whether existing data protection guidelines for the classification of data are observed by the controller’s employees.

3. Review & Recommendation

The auditors of the Deutsche Gesellschaft für Datenschutz check whether the data protection guidelines and procedures are appropriate and proportionate and whether they have been correctly implemented by the person responsible.

The data protection basic structure of the person responsible is finally documented after a complete check. Recommendations for the protection of personal data are given below if the auditors deem this necessary.

The German Society for Data Protection checks, for example, the following facts as part of a data protection audit:


How are individuals who are permitted to request data identified?


Are there systems that prevent unauthorized access to data?


Is there a system that monitors access to data?


How is the privacy policy communicated?

An extensive examination will bring light into the darkness.