GDPR and IT audit: how does an auditor assess your organization's privacy compliance?

Compliance · 6 min read

Kees van der Vlies

Partner | IT Auditor

Also available in: Nederlands

The General Data Protection Regulation (GDPR) has applied since 25 May 2018 and sets far-reaching requirements for the processing of personal data. Although the GDPR is primarily a legal framework, compliance with it depends to a large extent on technical and organizational measures, and assessing those measures falls squarely within the domain of IT audit.

In a privacy audit, an IT auditor assesses whether the technical security measures are appropriate for the type of data being processed. Article 32 GDPR requires "appropriate technical and organizational measures" without prescribing a specific list; it only names the factors to weigh: the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, and the risk to the data subjects. The auditor therefore assesses whether the chosen measures are proportionate to that risk, and expects the organization to be able to show how it arrived at them.

Access control is a core area. The auditor checks whether only authorized employees have access to personal data, whether the principle of least privilege has been applied (access follows the role, not the person), and whether access rights are recertified periodically, with leavers and role changes actually processed. Stricter requirements apply to special categories of data such as health data (Article 9) and to national identification numbers such as the Dutch citizen service number (BSN), which may only be processed where Dutch law allows it.
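The access review described above is something an auditor can test with a script rather than by sampling screenshots. The example below is added here and is not Secure Audit's tooling; it assumes a hypothetical CSV entitlement export (one row per account/role grant, with a `last_reviewed` date), a set of dataset labels marked as sensitive, and a role model that says which department is expected to own each role. All sample rows are constructed.

```python
"""Access-rights review over a constructed entitlement export (added example)."""
import csv
import io
from datetime import date

# Constructed sample export in an assumed format: one row per account/role grant.
ENTITLEMENTS_CSV = """\
account,department,status,role,dataset,last_reviewed
jdoe,HR,active,hr_payroll_read,payroll_bsn,2024-01-15
jdoe,HR,active,hr_admin,payroll_bsn,2023-06-01
mvries,Finance,active,fin_reports,finance_ledger,2024-02-10
pjansen,IT,left,dba_all,patient_records,2023-11-20
akok,Care,active,nurse_view,patient_records,2024-03-01
akok,Care,active,fin_reports,finance_ledger,2024-03-01
"""

# Assumed labels for datasets holding special-category data or BSNs.
SENSITIVE_DATASETS = {"payroll_bsn", "patient_records"}
# Assumed role model: the department expected to hold each role.
ROLE_OWNER = {
    "hr_payroll_read": "HR",
    "hr_admin": "HR",
    "fin_reports": "Finance",
    "dba_all": "IT",
    "nurse_view": "Care",
}
# Recertification interval for grants on sensitive data (assumed policy value).
REVIEW_INTERVAL_DAYS = 90


def parse_entitlements(csv_text):
    """Parse the export into dicts, converting last_reviewed to a date."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["last_reviewed"] = date.fromisoformat(row["last_reviewed"])
        rows.append(row)
    return rows


def review_entitlements(rows, as_of):
    """Return (account, role, issue) tuples for grants an auditor would flag."""
    as_of_date = date.fromisoformat(as_of)
    findings = []
    for r in rows:
        key = (r["account"], r["role"])
        # Leavers and disabled accounts must not retain any grant at all.
        if r["status"] != "active":
            findings.append(key + ("orphaned_account",))
        # Grants on sensitive data must have been recertified within the interval.
        if r["dataset"] in SENSITIVE_DATASETS:
            if (as_of_date - r["last_reviewed"]).days > REVIEW_INTERVAL_DAYS:
                findings.append(key + ("stale_review",))
        # A role held outside its owning department points at over-provisioning.
        if ROLE_OWNER.get(r["role"]) not in (None, r["department"]):
            findings.append(key + ("cross_department",))
    return findings


def summarize(findings):
    """Count findings per issue type for the audit report."""
    counts = {}
    for _, _, issue in findings:
        counts[issue] = counts.get(issue, 0) + 1
    return counts


if __name__ == "__main__":
    found = review_entitlements(parse_entitlements(ENTITLEMENTS_CSV), "2024-04-01")
    for account, role, issue in found:
        print(f"{issue:18} {account:10} {role}")
    print(summarize(found))
```

Run against the constructed export with 1 April 2024 as the reference date, the script flags the stale `hr_admin` grant on BSN data, the leaver `pjansen` who still holds a DBA role on patient records (both as an orphaned account and as a stale review), and a Finance reporting role held by a Care employee. The three checks map directly onto the auditor's questions: is access limited to authorized staff, is least privilege applied, and is access on sensitive data reviewed on time.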

Encryption is another important point of attention. Article 32(1)(a) GDPR explicitly names pseudonymization and encryption as possible security measures. The auditor assesses whether personal data is encrypted at rest and in transit, and whether key management is adequate: who holds the keys, whether they are stored separately from the data they protect, how they are rotated and revoked, and whether an encrypted backup can still be restored after a key change. Encryption that is switched on but whose keys are readable by every administrator does not reduce the risk it is meant to address.

The record of processing activities (Article 30 GDPR) is a legal obligation that the auditor tests. Are all processing activities documented with the required information: the purposes, the categories of data subjects and personal data, the categories of recipients, any transfers to third countries, the retention periods and a general description of the technical and organizational measures? Many organizations also record the legal basis, which helps the auditor trace each processing activity to its justification. Is the record up to date, and is it reviewed periodically rather than written once?

Data Protection Impact Assessments (DPIAs, Article 35 GDPR) are mandatory for processing activities likely to result in a high risk to data subjects. The auditor checks whether DPIAs have been carried out where required, whether the identified risks have actually been mitigated rather than only documented, whether the supervisory authority was consulted where a high residual risk remained (Article 36), and whether there is a process to determine when a new or changed processing activity requires a DPIA.

The right to erasure (Article 17) and the right to data portability (Article 20) place technical requirements on systems. Can the organization actually delete personal data from all systems, including copies in backups, logs and test environments? Where immediate deletion from backups is not feasible, the auditor expects a documented backup retention period and a procedure that prevents erased data from being reintroduced by a restore. Can data be exported in a structured, commonly used and machine-readable format, as Article 20 requires?

Finally, the auditor assesses the incident response process. Article 33 GDPR requires notification to the supervisory authority, in the Netherlands the Autoriteit Persoonsgegevens, within 72 hours of becoming aware of a data breach, unless the breach is unlikely to result in a risk to data subjects; where the risk is high, the data subjects themselves must also be informed (Article 34). Is there a data breach procedure? Is it tested regularly? Are employees trained to recognize and report data breaches? Is every breach, including those not notified, recorded in an internal breach register as Article 33(5) requires?

Secure Audit combines IT audit expertise with knowledge of privacy law to provide an integrated assessment of technical GDPR compliance. Contact us for a privacy audit or assessment.

About the author

Kees van der Vlies

Partner | IT Auditor
