Data protection in the focus of internal auditing

Data protection as an essential risk area in the audit universe of internal auditing 

According to the new risks, not only the demands on the management increase, but also the demands on the internal audit, because it fulfils an important control and transparency function in the company. Therefore, the topic of data protection should also be on the agenda of the internal audit, flow into the audit universe and be taken into account in audit planning. Here, not only the design of the data protection management system should be examined, but also in particular the concrete implementation of data protection measures in the business processes.

In order to increase the effectiveness and efficiency of audit activities in internal auditing, risk-oriented audit planning in companies is indispensable (cf. DIIR Auditing Standard No.3, Minimum Standard 4; IDW Auditing Standard: Principles of Proper Auditing of Internal Auditing Systems (IDWPS 983), Minimum Standard 4).

Risk-oriented planning, to be carried out at the internal audit department's own discretion, encompasses the entire audit environment of a company, i.e. all business processes, and can be carried out using the following steps (cf. DIIR recommendation "Risk-oriented auditing - Best Practice"):

The first step is to record all audit objects (projects, processes, companies) in the audit universe in order to exclude the existence of audit-free areas. The structuring can refer to organisational units and processes and should be recorded in a risk matrix. Another aspect of the structuring should include data protection risks. Accordingly, new additional audit objects can be identified taking into account the organisational units and processes that are confronted with data protection issues. The identification of audit objects can be based, for example, on the analysis of the processing directory. From this, it can be derived, for example, in which business processes personal data requiring special protection are processed. 

On the basis of defined criteria, risk assessments must be carried out as objectively as possible depending on the object of the audit, for example by determining the extent of the damage. In this context, criteria relevant to data protection, such as the frequency of violations in an organisational unit, complaints, misconduct already uncovered or similar, must now also be taken into account as risk criteria. In addition, the results of the risk analysis within the framework of the data protection management system (up to the data protection impact assessment) can be used as risk criteria in order to identify and evaluate processing operations that are particularly critical for the company and the respective business process. 

The aim of assessing the risks is to prioritise the audit objects in order to be able to plan the audits to be carried out in a risk-oriented manner and taking into account the available resources. In this way, the prioritisation can shift using the assessment criteria relevant to data protection and influence the audit plan of the internal audit.

The result of prioritising the audit objects is the audit plan (for example, on an annual level), which now also takes data protection risks into account. 

Data protection aspects are not only to be considered in the own company. The aspect of commissioned processing should also not be disregarded (Figure 04). Here, an external service provider processes personal data for the company in accordance with instructions. The responsibility for proper data processing remains with the company, which remains primarily responsible for data protection. The external service provider is only active in a supportive capacity during commissioned processing. If data protection violations are committed in the process, they are to be attributed to the commissioning company. This is because the liability of the commissioned processor is limited to breaches of obligations imposed on him specifically in his function as an external service provider. Therefore, the internal audit should also consider possible violations of such service providers when examining data protection issues. Depending on the outcome of the assessment and prioritisation of the risk of processing errors by external processors, internal audit may consider whether to include them in its audit. 

The obligatory processing directory, which shows the data processing of personal data in all business areas and processes of the company, provides a valid basis for considering new data protection-relevant risks in the planning and audit programmes of the internal audit when it is complete.

The processing directory provides Internal Audit with information on which personal data are processed per process (e.g. purchasing, personnel). Based on this information, Internal Audit can expand the planned audit procedures to include data protection aspects or identify new audit areas with high risk potential based on the processing directory.

Since the processing directory also lists, among other things, how the processing of personal data is to take place, Internal Audit can use the directory to easily compare the target and actual situation and the associated data processing steps in the underlying processes.

Furthermore, the internal audit can include data protection aspects that are oriented towards the processing principles of Article 5 of the GDPR. Article 5 lit. e of the GDPR, for example, mentions the principle of storage limitation. According to this, companies are obliged to delete personal data if they are no longer necessary and there are no legal retention obligations. This is because the GDPR provides for clear deletion obligations (including in Article 17 GDPR "right to be forgotten").

The audit action of the internal audit can also consist of reviewing the process-specific deletion concept itself and checking whether it has been applied correctly. Questions that the internal audit will typically deal with are:

• What type of data was processed? Examples of a data type are master data (employees, customers, suppliers), contract data, billing data, accounting data (for example, accounting vouchers, payment runs) etc.
• Where is the personal data located, who has access and to whom is it passed on
• When must data be deleted in accordance with legal requirements?
• What deletion periods are implemented for the individual types of data, taking into account contractual and legal retention periods?

Furthermore, the processing of personal data must be protected by technical and organisational measures (TOM). Article 32 of the GDPR obliges companies to "take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk" (cf. DIIR Working Group Internal Audit & Data Protection, Guideline Internal Audit and Data Protection, published in October 2017 at www.diir.de).

According to Article 5 (2) of the GDPR, companies must be accountable for compliance with the data processing principles. This suggests the introduction of a data protection management system that ensures compliance with the protection goals of the GDPR (for example, Articles 25 and 32). Thus, the internal audit must not only monitor within the scope of process audits whether the requirements of the EU GDPR are implemented, it must also review the data protection management system itself at regular intervals and consider corresponding controls in the audit planning. 

An audit of the data protection management system by the internal audit department should focus on the centrally implemented processes and guidelines. 

When preparing the audit programme, the "Checklist for the Audit of the Data Protection Organisation" published by the DIIR - Deutsches Institut für Interne Revision e. V. (see DIIR Working Group Internal Audit & Data Protection, Checklist for the Audit of the Data Protection Organisation, published in October 2017 at www.diir.de) can be used for orientation. 

The following focal points of the audit are addressed: 

•  Data protection strategy 
• Guidelines and requirements 
• Organisation 
• Communication and processes 
• Reporting 

In addition to the DIIR checklist already mentioned, the audit guidance IDW PH 9.860.1 "Prüfung der Grundsätze, Verfahren und Maßnahmen nach der EU-Datenschutz-Grundverordnung und dem Bundesdatenschutzgesetz" (cf. Fachausschuss für Informationstechnologie (FAIT), Prüfung der Grundsätze, Verfahren und Maßnahmen nach der EU-Datenschutzgrundverordnung und dem Bundesdatenschutzgesetz, adopted on 17 May 2018, approved by the Hauptfachausschuss (HFA) on 19 June 2018, published in IDW-Life -Heft8/2018) can be used as a further basis. The guideline suggests audit procedures for policies, procedures and measures of a company aimed at compliance with the requirements of the GDPR and the BDSG when processing personal data. Figure 06 shows an overview of which audit elements IDW PH 9.860.1 specifically addresses. 

For each of the audit elements, examples are given of audit procedures that can be used to audit a data protection management system. However, it should be noted that these examples only apply in addition to the requirements of IDW PS 980 and IDW PS 860. 

When auditing a data protection management system, the internal audit can be guided by the following exemplary audit questions: 

• Have data protection objectives been defined that are comprehensibly derived from the corporate strategy, take into account special data protection factors resulting from the business model and are documented? 
  
• Is there a data protection organisation that clearly defines roles and responsibilities? 
• Are data protection guidelines and instructions in place that take into account legal and internal company requirements? 
• Is a process implemented on how the register of processing activities is to be created and at what intervals it is to be reviewed? 
• Is there a suitable deletion concept documented in writing and has it been implemented? Is there an overarching policy for the deletion and blocking of personal data? 
• Were the IT department and the specialist departments involved in the creation of the application-related deletion concepts?