
AUDIT AND ASSURANCE

HOW TO AUDIT GDPR

© 2017 ISACA. All Rights Reserved.


Personal Copy of Carlos Lobos Medina (ISACA ID: 565260)

CONTENTS
4 Introduction
5 Overview of GDPR
6 Auditing GDPR: Key Principles
    6 / Data Controller vs. Data Processor
    7 / Lawfulness, Accuracy, Fairness and Transparency
        7 / Lawfulness
        7 / Accuracy
        8 / Fairness
        9 / Transparency
    10 / Purpose Limitation
    10 / Data Minimization
    11 / Storage Limitation
    12 / Confidentiality, Integrity and Availability
        12 / Confidentiality
        12 / Integrity
        12 / Availability
    13 / Third-Party Data Processors
14 Conclusion
15 Acknowledgments


ABSTRACT
The General Data Protection Regulation (GDPR) introduces new rules that govern the use and manipulation of personal data. Auditors will be indispensable in helping enterprises adhere to these rules and maintain compliance. This white paper explores the role of audit with respect to GDPR and outlines how audits can be delivered in an effective and efficient manner.


Introduction
The General Data Protection Regulation 2016/679 (GDPR) became effective on 25 May 2018 in the European Union. It supersedes the Data Protection Directive 95/46/EC.

The Data Protection Directive 95/46/EC differed from the new GDPR in that it was issued as a directive, not a regulation. Simply put, under EU law, directives set out goals to be achieved by all member countries, who have the authority to decide upon the nature of implementation. Regulations, on the other hand, are acts of European Parliament and, therefore, are binding upon all member countries of the Union and supersede national laws.

Because the Data Protection Directive was, in fact, a directive, there was a lack of consistency in its application across the EU. GDPR seeks to rectify this but member states have been allowed derogations that have to be justified on grounds of national interest.

Historically, authorities have lagged behind rapid advances in technology when approaching data protection regulation, particularly in regard to communications technologies that corporations and governments use to connect with data subjects.

In 1989, the concept of universal access to a World Wide Web was essentially science fiction. Over the last 30 years, data protection legislation has developed little beyond its initial attempts to address traditional communication systems, despite monumental advances in the complexity and scope of data traffic over the Internet.

GDPR gives EU residents control over their personal data¹ wherever in the world they or their data may reside. It not only standardizes regulation across the EU and the European Economic Area (EEA), it also affects all enterprises that process data from EU/EEA countries. Penalties for noncompliance are severe. Enforcement authorities can impose fines up to 4 percent of worldwide revenue or €20 million, whichever is higher.

Figure 1 represents key domains and associated requirements under GDPR.

FIGURE 1: Key GDPR Domains and Requirements
[Figure: a map of GDPR domains and their requirements. Recoverable content: DPO (required for data processors, the public sector and enterprises that store or process sensitive data; otherwise not required); Data breach (response plan; communicate within 72 hours of discovery; impact assessment; fix; document data processing activities); Identify (information systems that store or process personal data; secure; monitor); Documentation (who you are; what you are doing with the data; legal basis for storing and processing; privacy notices; data retention periods; right of complaint to the ICO); Internal processes (develop systems and allocate resources to validate and respond to GDPR subject access requests; processes for rejection, response, porting data, amending and erasure); Data audit (what, where, why, whom it is shared with, origin, format); Awareness (management awareness; operations training); Legitimacy (legally entitled; explicit consent, revocable); Children (verify age; if a 'global' company, minimum age varies across states); New systems (understand when to conduct a data privacy impact assessment, DPIA, Article 35; implement security by design); Global company (select lead supervisory authority; notify local supervisory body).]

¹ GDPR defines personal data as "any information relating to an identified or identifiable natural person ('data subject')." See GDPR Article 4 (1).


Today, search and social media titans like Google and Facebook exemplify the ubiquity and accessibility of personal data. To address this vast capacity for acquiring, storing and transmitting personal data across countless enterprises and governments alike, GDPR advances new rules that limit the use and processing of personal data regardless where the activities are conducted. Auditors are critical resources in helping enterprises achieve and maintain compliance. Because GDPR is a new, complex and comprehensive regulation that impacts multiple functional areas within an enterprise, auditors will have many questions and face new challenges when executing their duties. This paper anticipates issues likely to arise under GDPR, and answers questions that auditors have not historically faced when conducting engagements.

Overview of GDPR
GDPR unifies data privacy laws across the European Union, gives individuals control over their personal data and protects their privacy. It extends the scope of EU data protection law to all international enterprises processing the data of EU citizens, wherever citizens may reside.

Traditionally, data protection involved a relatively simple set of rules that enterprises followed in managing personal data. Auditors developed a suite of audit programs to validate compliance with personal data laws, regulations and internal policies.

GDPR looks at all data from the perspective of the data subject or "natural person," per the terminology of the regulation. This shift in regulatory perspective implicitly challenges a corporate ethos of self-interest that has traditionally considered corporate needs first and the rights of data subjects second.

Accordingly, GDPR forces auditors to change their approach to personal data and their protection in an enterprise.

Until court rulings begin to interpret and apply GDPR, and ultimately yield a critical mass of case law to inform auditing norms in actual practice, auditors and others will perhaps not have complete clarity on the set of validation rules. In the intervening period, auditors should consider looking at GDPR in the way that Working Party 29² of the European Commission intended: as a holistic approach to protecting citizens' personal data, with the interests of the individual at its core. GDPR develops the premise of individual data subjects being the owners of their personal data and conferring rights and responsibilities on those with whom the data are shared. As GDPR principles become embedded in corporate processes it could be said that focusing on the rights of the data subject now displaces, or perhaps replaces, corporate self-interest. Many readers may question the concept of ownership in the age of big data.

Whether or not the concept of ownership proves compatible with the growth of the digital economy in the longer term, governments and corporates already share information in huge quantities and at an increasingly granular level. It is used for security, commerce and by political parties. In many cases it is used to model human behavior at an individual or collective level. For example, recently, TechCrunch, a digital economy news site, noted, "Uber, the world's largest taxi company, owns no vehicles. Facebook, the world's most popular media owner, creates no content. Alibaba, the world's most valuable retailer, has no inventory. And Airbnb, the world's largest accommodation provider, owns no real estate…. Something interesting is happening."³

² The Article 29 Working Party included representatives from the data protection authority of each EU member state, the European Data Protection Supervisor and the European Commission. On 25 May 2018, it was replaced by the European Data Protection Board, under GDPR.

³ Goodwin, T.; "The Battle Is For The Customer Interface," TechCrunch, 3 March 2015, https://techcrunch.com/2015/03/03/in-the-age-of-disintermediation-the-battle-is-all-for-the-customer-interface/


This area of ownership vs. state and corporate need will likely lead to organizations pushing the envelope, which could lead to some interesting legal challenges in the years to come. But in the meantime, auditors will need to be mindful of profiling and construct audit programs to provide assurance that this area of risk is addressed accordingly.

Auditing GDPR is about assessing the controls put in place to respond to risk; it should consider the trio of risk (figure 2) across all facets of an enterprise:

• People

• Processes

• Technology

FIGURE 2: Information Risk
[Figure: People, Processes and Technology arranged around Information Risk.]

Auditing GDPR: Key Principles

This white paper places each of the six principles of GDPR into an audit perspective. While it does not cover all the elements and nuances of the regulation, it does identify where GDPR can be considered within an audit that is already in the enterprise's strategic audit plan. It also suggests where additional audits specific to aspects of GDPR should be developed and added to the overall enterprise audit plan.

GDPR Article 5 (2) states, "The controller shall be responsible for, and be able to demonstrate compliance" with GDPR by ensuring that personal data are processed in accordance with the following six principles:

1 Lawfulness, fairness and transparency
2 Purpose limitations
3 Data minimization
4 Accuracy
5 Storage limitations
6 Integrity and confidentiality

Each of the above principles is explored in more detail later in this paper.

Data Controller vs. Data Processor
Under GDPR, a data controller is "the natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purposes and means of the processing of personal data." This is not to be confused with a data processor who, under GDPR, is a "natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."

In other words, a data processor acts only on the instruction of a data controller.

By making the data controller responsible, he/she is also accountable, and this sometimes finds itself incorrectly referred to as the seventh principle. In reality, the controller is accountable for ensuring compliance with the six key principles referred to previously. Auditors are concerned with validating the level of compliance.

FIGURE 4: Data Audit—Records of Processing for Each Business Function
[Figure residue; only the data breach branch is recoverable: Has a personal data breach occurred? Link to record of personal data breach. Data breach notification to the supervisory authority and to the data subject(s).]


3 Right to erasure of the data (right to be forgotten)
4 Right to restriction of processing
5 Right to data portability (to be given personal data in a structured and commonly used and machine-readable format and transmit such data to another controller)
6 Right to object to the processing of personal data, including profiling
7 Right not to be subject to a decision based solely on automated processing, including profiling, where such processing may have legal ramifications or significantly affect the rights of the data subject

These rights are exercised through a subject access request (SAR). While SARs have been common in the United Kingdom for a number of years, albeit not in high volumes and predominantly relating to employment issues, GDPR introduces greater rigor. The organization's response must meet requirements for time scales and information provided.

A GDPR SAR audit will be an audit of processes and the design and effective implementation of controls (figure 5).

FIGURE 5: Subject Access Request (SAR) Path
Request → Validation → Response

Each process begins with a request, goes through validation and results in a response. Auditors are interested in evaluating the appropriateness of the process and testing its effectiveness and the consistency of its application.

New applications may have access request policies built in, but auditors should ascertain whether these applications have been correctly configured and examine how they interface with a SAR system that may have been procured or created to manage this process.

An area that may concern many organizations is backup and recovery. The backup industry has been promoting image-based backups for disaster recovery, but these create challenges in relation to GDPR, where a full restore is required. Enterprises must put processes in place to deal with reapplication of data changes under the right to be forgotten and right to rectification in these circumstances.

Auditors should validate that the systems created to ensure that personal data put out of reach as a result of a SAR actually keep those data out of reach in the event of a full restore from backup.

Transparency
GDPR Article 12 requires that any information the data controller (enterprise) gives to the data subject (individual) about its data processing practices must be concise, transparent, intelligible and in easily accessible form, and must be provided in writing within one month, at the latest.

GDPR does not give a definition of a month but Recital 59 states, "The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests." It does not suggest a specific number of days, so this is open to organizations to interpret. Whether an organization defines a specific number of days or refers to a calendar month appears to be within its authority; however, whatever the choice, it should be documented and consistently applied.

GDPR also does not expand on when the clock starts ticking in terms of responding to a SAR. However, on the basis that providing personal data to the wrong data subject would constitute a data breach, it is reasonable to assume that an organization should undertake checks to validate the authenticity of a SAR before issuing a response. It is then also reasonable to assume that, once the identity of the data subject has been confirmed, the clock starts.

In addition to auditors reviewing and validating the SAR response log, they also need to consider whether the information provided is indeed concise, complete, accurate and easily understandable. If this is not the case, then the organization should look at the reasons why and amend accordingly.
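The SAR-log checks and the backup-restore point above can be exercised in code. The following is an added example, not from the white paper or from ISACA; it assumes a hypothetical enterprise policy that defines "one month" as 30 calendar days counted from the day the requester's identity is confirmed, and it uses a constructed SAR response log and a constructed restored snapshot. It flags responses that missed the deadline, responses issued without identity validation (the misdirected-data risk the text describes), and re-applies an erasure register to rows that come back from an image-based restore.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Policy assumption for this example: "one month" documented as 30 calendar days,
# counted from the day the requester's identity was confirmed.
RESPONSE_WINDOW = timedelta(days=30)


@dataclass
class SarRecord:
    sar_id: str
    received: date
    identity_confirmed: Optional[date]  # None: identity never validated
    responded: Optional[date]           # None: request still open
    request_type: str                   # e.g. "access", "erasure"
    subject_id: str                     # internal data-subject identifier


# Constructed SAR response log (illustrative, not from the white paper).
SAR_LOG = [
    SarRecord("SAR-001", date(2018, 6, 1), date(2018, 6, 3), date(2018, 6, 20), "access", "S-100"),
    SarRecord("SAR-002", date(2018, 6, 2), date(2018, 6, 2), date(2018, 7, 10), "erasure", "S-200"),
    SarRecord("SAR-003", date(2018, 6, 5), None, None, "access", "S-300"),
    SarRecord("SAR-004", date(2018, 6, 8), date(2018, 6, 9), None, "erasure", "S-400"),
    SarRecord("SAR-005", date(2018, 6, 10), None, date(2018, 6, 12), "access", "S-500"),
]


def deadline(rec: SarRecord) -> Optional[date]:
    """The clock starts once identity is confirmed; without confirmation there is no deadline yet."""
    if rec.identity_confirmed is None:
        return None
    return rec.identity_confirmed + RESPONSE_WINDOW


def late_responses(log, today: date):
    """SARs answered after their deadline, or still open with the deadline already passed."""
    late = []
    for rec in log:
        due = deadline(rec)
        if due is None:
            continue
        finished = rec.responded or today
        if finished > due:
            late.append(rec.sar_id)
    return late


def unvalidated_responses(log):
    """Responses issued without identity confirmation: data may have gone to the wrong person."""
    return [r.sar_id for r in log if r.responded is not None and r.identity_confirmed is None]


def erased_subjects(log):
    """Subjects whose erasure requests were completed: the register to re-apply after any restore."""
    return {r.subject_id for r in log if r.request_type == "erasure" and r.responded is not None}


# Constructed rows as they would come back from an image-based restore taken before
# SAR-002 was actioned, so the erased subject reappears in the restored data.
RESTORED_SNAPSHOT = [
    {"subject_id": "S-100", "email": "a@example.com"},
    {"subject_id": "S-200", "email": "b@example.com"},
    {"subject_id": "S-300", "email": "c@example.com"},
]


def reapply_erasures(restored_rows, register):
    """Suppress restored rows for subjects in the erasure register. Returns (kept rows, suppressed ids)."""
    kept = [row for row in restored_rows if row["subject_id"] not in register]
    suppressed = sorted({row["subject_id"] for row in restored_rows} & set(register))
    return kept, suppressed


if __name__ == "__main__":
    today = date(2018, 7, 15)
    print("late:", late_responses(SAR_LOG, today))
    print("unvalidated:", unvalidated_responses(SAR_LOG))
    kept, suppressed = reapply_erasures(RESTORED_SNAPSHOT, erased_subjects(SAR_LOG))
    print("suppressed after restore:", suppressed, "kept:", [r["subject_id"] for r in kept])
```

The erasure register is derived from the SAR log itself rather than kept as a separate list, so the restore step cannot drift from what was actually promised to data subjects; an auditor can reconcile the two with the same function.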


Purpose Limitation
Article 5 also states, "Personal data…shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes."

Data collected for one purpose cannot be repurposed without further consent. Auditors need to understand that the purpose limitation in GDPR is very narrow. This narrow interpretation was underlined in a recent ruling in France regarding Direct Energie. This ruling may be viewed as a sign of things to come under GDPR.

In this case, the CNIL (Commission nationale de l'informatique et des libertés) board, which enforces law on data protection in France, issued a formal notice to Direct Energie for failing to obtain consent for the collection of customer usage data from its Linky smart meters, and ordered it to collect valid consent for the processing.

CNIL observed that at the time of the installation of the Linky meter, customers were asked to provide a single consent for the installation of the meter and for the collection of hourly electricity consumption data as a corollary of the activation of the meter and in order to benefit from certain tariffs; however, as the installation was mandatory, customers were in fact only consenting to the data collection. Therefore, CNIL determined that consent obtained in such a way by Direct Energie was invalid, as it could not be considered free, informed and specific. In addition, further shortcomings were found in relation to the collection of daily consumption data from the distribution network operator, which took place without requesting customers' consent.⁴

For companies and their auditors, this is likely to be a tricky area and one that will see much activity in the courts. Auditors should be interested in the systems that have been put in place to validate the purpose, especially where consent is the basis. Each enterprise should know why it is collecting data, what the data are used for and whether their use complies with the stated processing purpose. The simplest approach is to create a schedule of uses of personal data and link this schedule to the personal data stored. Auditors should expect that records are flagged with a reference to a defined purpose that will in turn define the basis. Auditors should also expect to see evidence of validation and a link to a records retention and deletion policy.

Data Minimization
Article 5 states, "Personal data…shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed."

Processing should use only the data specifically required to accomplish a given task. Thus, to comply with GDPR, enterprises must implement data minimization rules and processes at every step of the data life cycle.

Enterprises must limit personal data collection, storage and usage to what is relevant and necessary for processing. A new trend should emerge—less is more—and enterprises should not collect and store personal data just in case they might become useful in the future.

The key consideration is that only the minimum data for a defined purpose are collected and stored. For example, employers who collect sensitive medical data about their employees will have to consider the reasons why they do so. For example, the question can be raised as to whether the data are relevant if an individual:

1 Had a hospital stay three years ago to have a wisdom tooth removed
2 Suffers from epilepsy

The first may not be relevant, but the second could be relevant with regard to safeguarding treatment of patients in the future. Each individual scenario needs to be considered on its own merits.

⁴ DataGuidance, "France: CNIL's notice to DIRECT ENERGIE on collection of smart meter data 'indication of likely approach of DPAs post-GDPR'," 29 March 2018, https://www.dataguidance.com/france-cnil-notice-direct-energie-collection-smart-meters-data-indication-likely-approach-dpas-post-gdpr/
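The purpose schedule linked to stored records, the minimization test against a defined purpose, and the link to a retention and deletion policy described in the Purpose Limitation and Data Minimization sections can be checked mechanically. The following is an added example, not from the white paper or from ISACA; the purpose codes, field sets, legal bases, retention periods and records are all constructed and illustrative. Each stored record carries a purpose reference; the audit function reports records with no defined purpose, records holding fields beyond what the purpose needs, and records held past the retention period the purpose links to.

```python
from datetime import date, timedelta

# Constructed purpose schedule (assumption: the enterprise keeps one such schedule;
# purposes, field sets, bases and retention periods are illustrative only).
PURPOSE_SCHEDULE = {
    "P-01": {"description": "Payroll", "basis": "legal obligation",
             "fields": {"name", "bank_account", "tax_id"}, "retention_days": 7 * 365},
    "P-02": {"description": "Marketing newsletter", "basis": "consent",
             "fields": {"name", "email"}, "retention_days": 2 * 365},
}

# Constructed stored records; each should carry a purpose reference and a collection date.
RECORDS = [
    {"id": 1, "purpose": "P-01", "collected": date(2012, 1, 10), "fields": {"name", "bank_account", "tax_id"}},
    {"id": 2, "purpose": "P-02", "collected": date(2017, 3, 1), "fields": {"name", "email", "date_of_birth"}},
    {"id": 3, "purpose": "P-02", "collected": date(2015, 5, 5), "fields": {"name", "email"}},
    {"id": 4, "purpose": None, "collected": date(2018, 1, 1), "fields": {"name"}},
    {"id": 5, "purpose": "P-99", "collected": date(2018, 2, 1), "fields": {"email"}},
]


def legal_basis(record, schedule):
    """The purpose flag defines the basis; None when the record has no defined purpose."""
    purpose = schedule.get(record["purpose"])
    return purpose["basis"] if purpose else None


def audit_records(records, schedule, today):
    """Return (record id, finding code) pairs for purpose, minimization and retention failures."""
    findings = []
    for rec in records:
        purpose = schedule.get(rec["purpose"])
        if purpose is None:
            # Unflagged or undefined purpose: no basis can be derived, nothing else is checkable.
            findings.append((rec["id"], "NO_DEFINED_PURPOSE"))
            continue
        excess = rec["fields"] - purpose["fields"]
        if excess:
            # Data minimization: fields stored beyond what the purpose requires.
            findings.append((rec["id"], "FIELDS_BEYOND_PURPOSE:" + ",".join(sorted(excess))))
        if rec["collected"] + timedelta(days=purpose["retention_days"]) < today:
            # Storage limitation: the purpose's retention period has elapsed.
            findings.append((rec["id"], "RETENTION_EXCEEDED"))
    return findings


if __name__ == "__main__":
    for rec_id, finding in audit_records(RECORDS, PURPOSE_SCHEDULE, date(2018, 7, 1)):
        print(rec_id, finding)
```

Run against a real data store the same logic would be pointed at a purpose column and a collection timestamp; the value to the auditor is that purpose, basis and retention are derived from one schedule rather than asserted separately per system.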


The key for the auditor is to assess the processes and associated rules that have been established to validate the data collected.

An enterprise should be able to create a set of purposes that are governed by auditable rules and assign these rules to each data source.

Storage Limitation
GDPR Article 5 states:

Personal data shall be kept in a form which permits identification of data subjects for no longer than necessary for the processing purposes; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

The key phrase to consider here is "permits identification." Auditors should conclude from this that so long as the systems and processes work to anonymize the data at a given point in time then it is acceptable to keep and utilize the data for modeling. In the context of GDPR, the systems and processes that have been put in place must prevent:

• Singling out—Is it possible to isolate someone in particular through the data?

• Linkage—Is it possible to link at least two records concerning the same data subject?

• Inference—Is it possible to deduce information about one person?

Once data are anonymized, GDPR no longer applies, but when data are truly anonymized they are considered by some to have lost much of their value. One solution to this is pseudonymization that involves replacing personally identifiable data within a data record with artificial identifiers, or pseudonyms. The pseudonyms make the data records unidentifiable when they are shared, but the data can be restored to their original state eventually, allowing individuals to be reidentified. This white paper does not explore this concept to any great length except to say that pseudonymization may significantly reduce the risk associated with data processing, while also maintaining the data's value.

Auditors should be concerned with validating these processes and their consistent application. Auditors should approach with caution and consider retention first and foremost in terms of other legislation and regulation before GDPR and the enterprise's needs. GDPR only replaces existing data protection legislation and does not overwrite other existing legislation such as that relating to record retention (e.g., for tax purposes).

An enterprise should build into its records retention and deletion policies (both manual and electronic) the rules that ensure compliance with legislation and regulation.

Auditors are familiar with a records retention review in that it covers:

• All manual and electronic data, including emails

• Industry or sector standards and/or best practice where retention is subject to specific requirements

The systems and technologies, in turn, support basic internal and external compliance requirements. For example, they:

• Provide ways to track and audit retention management

• Automate and enforce records destruction policies

• Enforce security requirements such as access control and tracking

• Record and audit for physical and electronic records, and security for modification and deletion rights with tracking

Where electronic data recording systems are used and offer facilities allowing retention periods to be set, the auditor should confirm that the facilities are being used and the configured retention dates conform to the policy's data review requirements. In addition, it is incumbent on the auditor to ensure the procedures are not only followed but adequate. Is the actual destruction of personal data properly carried out in accordance with the enterprise's policy? Does the enterprise dispose of IT software and hardware in a manner that fully conforms to the enterprise's policy?
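The pseudonymization technique and the singling-out and linkage tests named in the Storage Limitation section can be demonstrated together. The following is an added example, not from the white paper or from ISACA; it assumes keyed HMAC-SHA256 as the pseudonym scheme (one reasonable choice, not one the paper prescribes), a placeholder key, and a constructed set of records whose quasi-identifiers are postcode and birth year. Direct identifiers are replaced by tokens and the re-identification table is returned separately, so it can be held apart from the shared rows; the singling-out check then shows that a pseudonymized row can still isolate one person when its quasi-identifier combination is unique, and the linkage check shows that reusing one key across two datasets lets their records be joined.

```python
import hashlib
import hmac
from collections import Counter

# Placeholder key (constructed): in practice it stays with the controller, apart from the shared data.
PSEUDONYM_KEY = b"PLACEHOLDER-KEY-do-not-use-in-production"

# Constructed records about hypothetical people; the diagnosis column is the sensitive attribute.
RECORDS = [
    {"name": "Ann Example", "email": "ann@example.com", "postcode": "SW1A", "birth_year": 1980, "diagnosis": "epilepsy"},
    {"name": "Bob Example", "email": "bob@example.com", "postcode": "SW1A", "birth_year": 1980, "diagnosis": "none"},
    {"name": "Cy Example", "email": "cy@example.com", "postcode": "EC2A", "birth_year": 1975, "diagnosis": "none"},
]
DIRECT_IDENTIFIERS = ["name", "email"]
QUASI_IDENTIFIERS = ["postcode", "birth_year"]


def pseudonym(column, value, key=PSEUDONYM_KEY):
    """Keyed HMAC-SHA256 token: stable for the same value, not reversible without the key."""
    return hmac.new(key, f"{column}:{value}".encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, direct_identifiers):
    """Replace direct identifiers with tokens. Returns (rows safe to share, lookup table to hold separately)."""
    shared, lookup = [], {}
    for rec in records:
        row = dict(rec)
        for col in direct_identifiers:
            token = pseudonym(col, rec[col])
            lookup[token] = rec[col]
            row[col] = token
        shared.append(row)
    return shared, lookup


def reidentify(row, lookup, direct_identifiers):
    """Restore the original identifiers from the separately held lookup table."""
    restored = dict(row)
    for col in direct_identifiers:
        restored[col] = lookup[row[col]]
    return restored


def singling_out(rows, quasi_identifiers, k=2):
    """Quasi-identifier combinations shared by fewer than k rows: such a row can still isolate one person."""
    counts = Counter(tuple(r[q] for q in quasi_identifiers) for r in rows)
    return [combo for combo, n in counts.items() if n < k]


def linkable(rows_a, rows_b, column):
    """Tokens present in both datasets: the same key used twice lets two records be linked."""
    return {r[column] for r in rows_a} & {r[column] for r in rows_b}


if __name__ == "__main__":
    shared, lookup = pseudonymize(RECORDS, DIRECT_IDENTIFIERS)
    print("shared row:", shared[0])
    print("singled out:", singling_out(shared, QUASI_IDENTIFIERS))
    print("restored:", reidentify(shared[0], lookup, DIRECT_IDENTIFIERS))
```

Because the tokens are reversible via the lookup table, the shared rows remain personal data in the GDPR sense; the singling-out result is what an auditor would use to decide whether quasi-identifiers need generalizing before the data can be called anonymized.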

ISACA has produced a publication titled Information Security Management Audit/Assurance Program,⁵ which is

• Breach response plan

• Privacy policy

⁵ ISACA, Information Security Management Audit/Assurance Program, 2010, www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Information-Security-Management-Audit-Assurance-Program.aspx


Conclusion
GDPR does not reflect a whole new philosophy regarding auditing personal data. Rather, it builds upon the basic application of good information governance practices, albeit with a greater emphasis on transparency than an auditor might have previously encountered.

Providing audit assurance on GDPR is not a one-off process; the regulation requires auditors to consider personal data throughout the enterprise's annual audit plan. While some might argue that processing a SAR is relatively new, others might counter by saying that the SAR is just another element of management information/reporting and, as such, needs to be accurate, concise and timely. The distinction is that the recipient happens to be a member of the public rather than a member of the board or a regulatory body.

Auditors will be better served not to think in terms of GDPR but rather of data and the application of the rules.

Acknowledgments
Lead Developer
Steven Connors
FFA, FFTA, FIPA
IT Partner, United Kingdom

Expert Reviewers
Graham Carter
Corporate IS Risk and Compliance Manager, United Kingdom

Jo Stewart-Rattray
CISA, CRISC, CISM, CGEIT, FACS CP
Director of Information Security and IT Assurance, Australia

Laszlo Dellei
CCISO, ITIL
Partner, Budapest

Scott Rosenmeier
CISSP, ISSAP, ISSMP
Senior Information Security Manager, Germany

Michael J. Podemski
CIPM, CIPT
Senior Manager, Advisory Services, USA

ISACA Board of Directors
Rob Clyde, Chair
CISM
Clyde Consulting LLC, USA

Brennan Baybeck, Vice-Chair
CISA, CRISC, CISM, CISSP
Oracle Corporation, USA

Tracey Dedrick
Former Chief Risk Officer with Hudson City Bancorp, USA

Leonard Ong
CISA, CRISC, CISM, CGEIT, COBIT 5 Implementer and Assessor, CFE, CIPM, CIPT, CISSP, CITBCM, CPP, CSSLP, GCFA, GCIA, GCIH, GSNA, ISSMP-ISSAP, PMP
Merck & Co., Inc., Singapore

R.V. Raghu
CISA, CRISC
Versatilist Consulting India Pvt. Ltd., India

Gabriela Reynaga
CISA, CRISC, COBIT 5 Foundation, GRCP
Holistics GRC, Mexico

Gregory Touhill
CISM, CISSP
Cyxtera Federal Group, USA

Ted Wolff
CISA
Vanguard, Inc., USA

Tichaona Zororo
CISA, CRISC, CISM, CGEIT, COBIT 5 Assessor, CIA, CRMA
EGIT | Enterprise Governance of IT, South Africa

Theresa Grafenstine
ISACA Board Chair, 2017-2018
CISA, CRISC, CGEIT, CGAP, CGMA, CIA, CISSP, CPA
Deloitte & Touche LLP, USA

Chris K. Dimitriadis, Ph.D.
ISACA Board Chair, 2015-2017
CISA, CRISC, CISM
INTRALOT, Greece

Matt Loeb
CGEIT, CAE, FASAE
Chief Executive Officer, ISACA, USA

Robert E Stroud (1965-2018)
ISACA Board Chair, 2014-2015
CRISC, CGEIT
XebiaLabs, Inc., USA

ISACA is deeply saddened by the passing of Robert E Stroud in September 2018.


About ISACA
Nearing its 50th year, ISACA® (isaca.org) is a global association helping individuals and enterprises achieve the positive potential of technology. Technology powers today's world and ISACA equips professionals with the knowledge, credentials, education and community to advance their careers and transform their organizations. ISACA leverages the expertise of its half-million engaged professionals in information and cyber security, governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI® Institute, to help advance innovation through technology. ISACA has a presence in more than 188 countries, including more than 217 chapters and offices in both the United States and China.

1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org

Provide Feedback: www.isaca.org/how-to-audit-GDPR
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Twitter: www.twitter.com/ISACANews
LinkedIn: www.linkd.in/ISACAOfficial
Facebook: www.facebook.com/ISACAHQ
Instagram: www.instagram.com/isacanews/

About ACL
ACL's purpose-built, cloud-based platform helps IT teams manage governance over cybersecurity, privacy, regulations, risk and compliance. ACL makes it easy to continuously analyze data, enabling robotic automation of governance activities and visualization of patterns. And with over 30 years of experience, built-in best practices and a professional development ecosystem, ACL quickly helps IT managers work more efficiently, identify and mitigate risk, reduce compliance pressures, and ensure audit and regulatory readiness.

For more information, please visit: www.acl.com.

DISCLAIMER
ISACA has designed and created How to Audit GDPR (the "Work") primarily as an educational resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

RESERVATION OF RIGHTS

© 2018 ISACA. All rights reserved.



Are you confident in YOUR GDPR ASSURANCE PROGRAM?
Implementing an effective GDPR compliance program is a significant challenge—and delivering GDPR assurance demands a change from business as usual.

You can tame the challenge. ACL is the perfect platform to help you define and execute an effective and efficient GDPR audit program.

ACL's single, centralized platform helps you manage, audit, and report on your GDPR program and any other obligations—whilst providing continuous governance and oversight.

ACL's governance technology powered by data automation can help you get there.

• Get up and running fast with our industry-leading SaaS-based solution
• Uncover potential data governance issues with data-driven analytics
• Work with ISACA GDPR pre-loaded frameworks, compliance maps, and best practice accelerators
• Automate workflows and reduce audit execution time
• Demonstrate GDPR compliance with rich, real-time reporting and dashboards.

Download your GDPR Success Kit at acl.com/ISACA-GDPR
