GDPR does not name an annual audit the way some regimes do, but it builds the equivalent into the accountability principle: under Article 5(2) a controller must not only comply but be able to demonstrate compliance. A data protection audit is how an organization tests and evidences that. It centers on the record of processing activities under Article 30, which inventories what personal data is processed and why, and on the Data Protection Officer's task under Article 39 of monitoring compliance. A supervisory authority can also audit a controller directly through its investigative powers.
GDPR's enforcement turns on a single shift in burden: it is not enough to comply; you must be able to show that you comply. That is the accountability principle, and it is what makes a data protection audit a practical necessity rather than an optional exercise. This guide covers where the audit obligation comes from, the record of processing activities at its center, the DPO's monitoring role, the supervisory authority's own audit power, and where these audits fall short.
Where the obligation comes from
Article 5(2) sets out the accountability principle: the controller is responsible for, and must be able to demonstrate compliance with, the data-protection principles. Article 24 reinforces it, requiring the controller to implement measures and to review and update them. Demonstrating compliance presumes evidence, and producing that evidence is what an audit does. The audit is the mechanism that turns accountability from a statement into something a controller can show a regulator.
The record of processing activities
Article 30 requires most controllers and processors to maintain a record of processing activities, the ROPA. It documents the purposes of processing, the categories of data subjects and personal data, the recipients, any transfers, the retention periods, and the security measures. The ROPA is the backbone of an audit: it is the map of what the organization actually does with personal data, and an audit tests the rest of the program against it. An incomplete or stale ROPA undermines every downstream control.
The DPO's monitoring role
Where a Data Protection Officer is appointed, Article 39 makes monitoring compliance with the GDPR one of the DPO's tasks, including assigning responsibilities, raising awareness, training staff, and carrying out the related audits. The DPO monitors and advises on the processing but does not own it, which is what preserves the role's independence. In organizations with a DPO, the DPO is typically the function that drives the internal audit and reports its findings to senior management.
What the audit covers
| Area | What the audit tests |
|---|---|
| Lawful basis and records | That each processing activity in the ROPA has a documented lawful basis and that the ROPA is complete and current. |
| Data-subject rights | That requests for access, erasure, and the other rights are handled within the time limits. |
| Security and breach | That the technical and organizational measures are in place and that the breach process meets the 72-hour notification rule. |
| Transfers and processors | That international transfers rely on a valid mechanism and that processor contracts meet Article 28. |
How to conduct one
Step 1: Start from the ROPA
Use the Article 30 record as the inventory of processing the audit tests against, and confirm it is complete first.
Step 2: Test each activity against its lawful basis and the principles
Check that each processing activity has a documented lawful basis and meets the data-protection principles.
Step 3: Test the rights, security, and transfer controls
Sample data-subject requests, review the security measures and breach process, and check transfer mechanisms and processor contracts.
Step 4: Document findings and report to management
Record each gap with a severity rating and report the findings; where a DPO is appointed, the DPO's findings go to senior management.
Step 5: Remediate and re-test
Turn findings into a remediation plan and re-test, keeping the ROPA updated as processing changes.
Where it goes wrong
- No current ROPA. The audit has no reliable inventory to test against, so it cannot be complete.
- Accountability asserted, not evidenced. Policies exist but there is no record showing the principles are met in practice.
- The DPO owns the processing. The DPO is given operational control of the activities they are meant to monitor, which compromises the independence Article 39 assumes.
A data protection audit is how a controller meets the accountability principle in practice. For the wider regulation, see the GDPR compliance guide and the GDPR glossary; for the assessment that precedes high-risk processing, see the GDPR DPIA guide.
Primary sources
- GDPR Articles 5(2), 24, 30, and 39: The accountability principle, the controller's responsibility, the record of processing activities, and the DPO's task of monitoring compliance, which together ground a data protection audit.
- GDPR Article 30: The record of processing activities (ROPA) that documents what personal data an organization processes and is a primary audit artifact.
- Regulation (EU) 2016/679 (GDPR): The General Data Protection Regulation: principles, lawful bases, data-subject rights, controller and processor obligations, transfers, and penalties.