CIVAC
Data Protection & Privacy · 31 May 2026 · 12 min read

Data Protection Audit: From the Call for an Audit to Verifiable Evidence in 2 Business Days

By Lena Vogt

A data protection audit examines whether your organisation operationally implements Art. 5, 24 and 32 GDPR. We show the structure, the mandatory evidence and the templates with which you close the typical findings yourself before the audit.

A data protection audit examines whether an organisation operationally fulfils the accountability obligation under Art. 5(2) GDPR. Examined are the technical and organisational measures under Art. 32 GDPR, the record of processing under Art. 30 GDPR, the notification path for data breaches under Art. 33 GDPR, and the effectiveness of the internal accountability structure under Art. 24 GDPR. Supervisory authorities, parent companies and B2B customers use audits as a filter before contracts are concluded or renewed.

This article describes the course of a data protection audit from the perspective of management and the data protection officer. You will learn which evidence must be prepared, how you close typical findings yourself before the audit, and where CIVAC's compliance platform and officer-as-a-service shorten the preparation effort. The aim: the auditor calls, the evidence is ready.

Key Takeaways

  • A robust data protection audit rests on three pillars: the record of processing activities, documented TOMs, and a verifiable 72-hour notification path under Art. 33 GDPR.
  • Most findings do not arise in the law, but in the documentation: missing processing agreements, outdated TOMs, unlogged data subject requests.
  • With 37 standardised audit templates and an appointment certificate in the workspace, the preparation time can be cut from the classic 2 to 6 weeks to 2 business days.

What a Data Protection Audit Actually Examines

A data protection audit is a structured review of whether the processing of personal data complies with the requirements of the GDPR and the BDSG. What is examined is not good intentions, but verifiable implementation. Auditors orient themselves on Art. 5 GDPR (principles), Art. 24 GDPR (responsibility), Art. 28 GDPR (processing on behalf), Art. 30 GDPR (record), Art. 32 GDPR (security) and the data subject rights under Art. 12 to 22 GDPR.

In practice, auditors work through sampling lists: they select three to five processing activities, pull the associated legal bases, erasure concepts, processing agreements and TOM descriptions, and check whether the documentation matches the practice that is actually lived. If a gap is found, the test is widened. A second, separately examined track is responsiveness: how quickly was the last data subject request answered, how long did the last security incident notification take, who signed it?

The external auditor does not expect perfection, but consistency. An honestly maintained list of deficiencies with an action plan is more robust than a smoothed-over documentation without tickets. More on this in the profile of the external data protection officer, who usually leads the audit preparation.

Distinguishing Internal, External and Customer-Driven Audits

Three audit types occur in practice. First, the internal audit, carried out by the data protection officer or an internal audit function. It serves self-monitoring and provides the data basis for the DPO's annual activity report. Second, the external audit, triggered by a parent company, investor, insurer or certification body. Third, the audit by the supervisory authority under Art. 58(1)(b) GDPR, usually after a complaint or data breach.

The requirements differ in depth, not in methodology. An internal audit may remain more agile, an external one requires formal reports, an audit by the authority ends with an appealable decision. Fines under Art. 83 GDPR reach up to EUR 20 million or 4 percent of global annual turnover, whichever is higher. The reputational effect alone usually weighs more heavily in B2B relationships.

A frequently underestimated trigger is customer audits from the supply chain. Banks, insurers and KRITIS operators now audit their service providers annually, often with questionnaires of 80 to 200 items. Anyone who cannot pull the answers from a central workspace loses sales time. An appointment certificate of the DPO, stored in the audit folder, ends the discussion about responsibility in the first minute.

Mandatory Evidence That Must Lie in Every Audit Folder

The core of a data protection audit is the presentation of evidence. The following documents are routinely mandatory: an up-to-date record of processing activities under Art. 30 GDPR, the written appointment of the data protection officer including the report to the supervisory authority under Art. 37(7) GDPR, processing agreements under Art. 28 GDPR with all service providers, documented technical and organisational measures under Art. 32 GDPR, a data breach log with a notification path within 72 hours under Art. 33 GDPR, and training documentation under Art. 39(1)(b) GDPR.

In addition there are role-specific records: data protection impact assessments under Art. 35 GDPR for high-risk processing, the erasure concept under Art. 17 GDPR, the authorisation concept, and the logging of administrative access. Anyone who transfers data to third countries keeps standard contractual clauses under Art. 46 GDPR and a documented transfer impact assessment ready.

In the CIVAC workspace, this evidence lies bundled, versioned and provided with reminders. 37 ready-to-use audit templates cover the typical sampling fields. The appointment certificate, signed, filed, verifiable. The auditor draws the sample, the workspace delivers the document, the appointment ends in one hour instead of three.

Typical Findings and How to Close Them Before the Audit

From audit practice, seven recurring findings crystallise. First, the record of processing that does not reflect the real tool stack, because new SaaS tools were introduced without data protection approval. Second, processing agreements with US providers that do not document the transfer impact assessment. Third, unclear roles between IT, HR and the DPO for employee data. Fourth, outdated TOM descriptions that still reference ISO/IEC 27001:2013 instead of ISO/IEC 27001:2022.

Fifth, missing logs for data subject requests; sixth, training that was carried out only by email distribution without proof of attendance; seventh, no documented 72-hour notification path for data breaches. Each of these findings can be closed before the audit if the lead time for it is planned in.

The method: a pre-audit walk-through, three weeks before the actual appointment. The DPO draws ten random samples from the record, checks the associated evidence, and creates an action list with responsible persons and target dates. Close the top 5 findings, document the rest with a plan. Auditors rate consistent self-review as mature governance.

The 72-Hour Notification Path as the Core Audit Evidence

Art. 33 GDPR obliges controllers to report a data breach to the supervisory authority within 72 hours of becoming aware. The clock starts on awareness. Auditors examine this path particularly thoroughly, because it cannot be invented after the fact. They ask: who decides whether it is notifiable? Who prepares the initial report? Which fields does the competent authority's notification form contain? How was the last near-miss documented?

A robust path consists of four elements: a written escalation matrix with named deputies, an assessment grid for classifying the risk of the breach, a set of templates for the notification to the authority, and an internal ticket system that logs every status change with a timestamp. Without a timestamp, no evidence.

With several officer roles, for example data protection and information security, the notification path must be interlocked with the NIS-2 notification path, which provides for a 24-hour early warning and a 72-hour follow-up report. CIVAC maps both paths in the same workspace, so that the reporting lines do not contradict each other. License the workspace for your internal officers, or have our officers appointed, depending on whether capacity or methodology is lacking.
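The timestamped ticket described above, as an added illustration that is not part of the article or of CIVAC's workspace: a breach ticket that refuses timestamps without a timezone, and an audit check that reconciles each notification milestone against the clock started by awareness (72 h under Art. 33 GDPR; 24 h early warning and 72 h follow-up for NIS-2 as the section describes them). Ticket ids, status names and the sample incident are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Deadlines counted from awareness: Art. 33 GDPR 72 h; NIS-2 as described above,
# 24 h early warning and 72 h follow-up report.
DEADLINES = {"gdpr_notification": timedelta(hours=72),
             "nis2_early_warning": timedelta(hours=24),
             "nis2_followup": timedelta(hours=72)}

@dataclass
class BreachTicket:
    """One data-breach ticket; every status change is appended with its timestamp."""
    ticket_id: str
    events: list = field(default_factory=list)  # (status, timestamp) pairs, in logging order

    def log(self, status: str, ts: datetime) -> None:
        # A naive timestamp cannot be checked against the 72-hour clock, so reject it outright.
        if ts.tzinfo is None:
            raise ValueError(f"{self.ticket_id}: '{status}' needs a timezone-aware timestamp")
        self.events.append((status, ts))

    def first(self, status: str):
        """Earliest timestamp at which the ticket reached `status`, or None if never logged."""
        hits = [ts for s, ts in self.events if s == status]
        return min(hits) if hits else None

def audit_notification_path(ticket: BreachTicket, nis2: bool = False) -> dict:
    """Per milestone: 'ok', 'late by <delta>' or 'missing timestamp', as an auditor would record it."""
    aware = ticket.first("aware")
    if aware is None:  # without the start of the clock nothing downstream is provable
        return {"aware": "missing timestamp"}
    wanted = ["gdpr_notification"] + (["nis2_early_warning", "nis2_followup"] if nis2 else [])
    findings = {}
    for name in wanted:
        ts, deadline = ticket.first(name), aware + DEADLINES[name]
        if ts is None:
            findings[name] = "missing timestamp"
        else:
            findings[name] = "ok" if ts <= deadline else f"late by {ts - deadline}"
    return findings

def sample_ticket() -> BreachTicket:
    """Constructed sample, not a real incident: early warning on time, GDPR notification 3 h late, NIS-2 follow-up never logged."""
    t0 = datetime(2026, 5, 4, 9, 15, tzinfo=timezone.utc)   # moment of awareness
    t = BreachTicket("BR-0001")
    t.log("aware", t0)
    t.log("nis2_early_warning", t0 + timedelta(hours=20))
    t.log("gdpr_notification", t0 + timedelta(hours=75))
    return t
```

Running `audit_notification_path(sample_ticket(), nis2=True)` yields one "ok", one "late by 3:00:00" and one "missing timestamp", which is exactly the triple of outcomes an auditor records against the path.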

Audit Duration, Preparation Time and Realistic Cost Ranges

An average external data protection audit for a company with 150 to 500 employees lasts 1.5 to 3 audit days, consisting of document study, sample interviews and a walk-through. Classic preparation takes 2 to 6 weeks of distributed working time, above all for gathering processing agreements, TOM descriptions and training records.

The cost structure splits into three blocks: internal preparation time (typically 40 to 120 person-hours), audit fees of the examining body (EUR 3,000 to 15,000 depending on depth), and follow-up on the findings (10 to 40 person-hours). Anyone who appoints an external data protection officer outsources the bulk of the preparation time and at the same time receives a second opinion drawn from audit experience.

The CIVAC SLA of 2 business days refers to the appointment and the initial workspace setup, not to the audit itself. It shortens the phase between the audit announcement and a complete body of evidence. Anyone in an ongoing contract negotiation with a customer audit questionnaire of more than 120 items in front of them gains noticeable time with this SLA. Others run compliance like a filing cabinet. We run it like software.

What Happens After the Audit Report: Action Plan and Follow-Up

The audit report does not end the process, it begins it. Findings are classified as Major, Minor and Observation. Major findings require a written action plan within 14 days, usually with implementation deadlines between 30 and 90 days. Minor findings land in the next quarterly planning. Observations are noted in the risk documentation, without immediate measures arising.

Management should formally take note of the action plan and anchor responsibilities in a reporting line to the data protection officer. The DPO keeps the follow-up, checks implementation after the deadlines have passed, and files the result in the next activity report. Without this loop, the audit loses its function and becomes a mere formality.

In the workspace, the action plan can be kept as a linked chain of tasks, with automatic reminders before a deadline expires and an escalation to management in the event of delay. This track is worth its weight in gold at the next audit: it shows the auditor that the previous year's audit became effective. Audit-proof, documented, Art. 32 GDPR-proof.

Connection to the Information Security Audit and to ISO 27001

Data protection and information security overlap above all at the TOMs. Anyone who operates an ISO/IEC 27001:2022 ISMS already covers a large part of the measures required under Art. 32 GDPR through the 93 controls of Annex A. The data protection auditor recognises this dual use, provided the mapping is documented in a mapping table.

In practice, an integrated audit programme pays off: a joint audit plan, separate audit days, shared evidence. The information security officer (ISO) delivers the TOM description, the DPO adds the data protection assessment, the audit examines both sides in one iteration.

For companies affected by KRITIS and NIS-2, this integrated approach is gradually becoming a mandatory exercise, because the notification paths and reporting lines overlap. Around 29,500 companies in Germany fall under NIS-2. Anyone who does not think of data protection and information security together doubles the preparation time without added value. CIVAC runs both roles in the same workspace, with shared audit templates and a continuous reporting line to management.

Turn Reading into a Mandate

Anyone expecting a data protection audit in the next three months decides now between two paths. Path one: you have an internal DPO with capacity and only need the methodology. License the CIVAC workspace for your internal officers, pull the 37 audit templates, and work through the pre-audit walk-through in three weeks. Path two: your DPO seat is vacant or overloaded. Have our officers appointed, with an appointment certificate and a report to the supervisory authority within 2 business days.

In both cases, the benefit lies in shortening the preparation time and in reusing the evidence for customer audits, insurance audits and group reviews. The FAQ page answers the most common commercial questions; the role overview shows which other officers you can appoint from the same workspace.

If you want to get specific, write to info@civac.de or use the contact form. You will receive an answer on feasibility and the next step within one business day. Turn reading into a mandate.

FAQ

How often should you carry out a data protection audit?

One internal audit per financial year is the minimum standard, derived from the accountability obligation under Art. 5(2) GDPR. External audits take place as the occasion requires, for example after major changes to the tool stack, before contract renewal with key customers, or after a data breach with a notification obligation under Art. 33 GDPR.

What role does the data protection officer play in the audit?

The DPO monitors compliance with the GDPR under Art. 39(1) GDPR and regularly leads the audit preparation. They are not themselves the auditor of their own work, but should organise the internal audit and accompany external audits. A written appointment certificate and a report to the supervisory authority are mandatory evidence.

What does an external data protection audit cost for an SME?

For companies with 50 to 250 employees, external audit fees typically range between EUR 3,500 and 9,000 net, depending on audit days and depth. On top of this comes internal preparation time. The cost of follow-up is often higher than that of the audit itself.

Which evidence does a customer audit from the supply chain require?

Usual items are a processing agreement under Art. 28 GDPR, an up-to-date TOM description, the DPO's appointment certificate, a data breach log for the last 24 months, and proof of employee training. Banks and insurers additionally ask for an ISMS certificate under ISO/IEC 27001:2022.

Can you combine the data protection and ISO 27001 audits?

You can interlock the audits in terms of content, but you must keep separate audit reports, because the examination standards and auditor qualifications differ. A mapping table between Art. 32 GDPR and the 93 Annex A controls significantly reduces the duplication of work.

How quickly can CIVAC appoint an external data protection officer?

The SLA is 2 business days for the appointment, the appointment certificate and the initial workspace setup. Classic appointment processes via law firms take 2 to 6 weeks. The report to the competent supervisory authority under Art. 37(7) GDPR follows afterwards, usually within the same week.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.
