Data protection audits
Some companies choose to perform regular in-house audits of their PII handling practices, including collection, storage, usage, sharing, and deletion. These data protection audits may be part of more general security audits (also referred to as “security reviews”) or performed separately.
Such audits can be conducted yearly, with the goal of determining whether the technical implementation of data protection measures in an application fully aligns with the security and data protection policies the company commits to. They can also serve as a stage of data discovery, helping to catch up with changes to data flows that may have emerged since the initial cataloging of data repositories or the previous audit.
In the EU, the General Data Protection Regulation (GDPR) defines the role of the Data Protection Officer (DPO). The DPO’s responsibilities include monitoring compliance with the GDPR and, more specifically, performing data protection audits.
Data protection audits complement the data protection aspects of continuous code reviews, with the additional advantage of covering the entire code base and application infrastructure, including long-standing components that do not change frequently and may not be subject to routine code reviews.
Audits can leverage automated scanning tools. If scanning is used in the CI/CD workflow and/or as a gate in the code review process, an audit provides an opportunity to review the configuration of scanners.
Data protection audit frameworks
If your company is considering performing a data protection audit, you may want to use a pre-established audit framework instead of developing your own. Consider the following frameworks to guide your audit efforts:
- Data Protection Audit Framework. In October 2024, the UK’s Information Commissioner’s Office (ICO) launched this new audit framework to help companies assess their compliance with data protection laws, including the UK’s version of the GDPR and the Data Protection Act 2018. The framework consists of nine toolkits that help evaluate your company’s practices in data management, cybersecurity, training and awareness, data sharing, data breach management, and even AI model training. Each toolkit includes a downloadable data protection audit tracker to help companies address any deficiencies revealed during the audit.
- NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations. If you’re looking to perform a broader cybersecurity audit that includes data protection, consider following this framework and the related NIST Special Publication 800-53A, Assessing Security and Privacy Controls in Information Systems and Organizations. These complementary documents define a comprehensive set of security and privacy controls to mitigate threats and privacy risks associated with processing PII. They also offer a structured approach to assessing these controls.