The most important facts at a glance
- An internal data protection audit is not a legal requirement, but a key tool for demonstrating compliance with Article 5(2) of the GDPR (accountability) – and can protect against fines in a critical situation.
- Structured internal audits uncover vulnerabilities in processes, technical measures, and documentation before regulatory authorities or data breaches do.
- The combination of legal and technical review is crucial – companies at the intersection of IT and data protection particularly benefit from an integrated audit approach.
Why the Internal Data Protection Audit is More Than Just a Mandatory Program
The GDPR not only obliges companies to process personal data correctly, but also to be able to prove this at any time. This is precisely where internal data protection audits come in.
An internal data protection audit is a systematic, internal review of all data protection-relevant processes, systems, and documentation of a company. It serves to determine the current compliance status, identify risks, and derive concrete measures for improvement. In contrast to external audits by authorities or certification bodies, control lies with the company itself – which simultaneously implies flexibility and self-responsibility.
Especially for companies that process personal data on a large scale – for example, in the IT industry, finance, automotive, or healthcare sectors – a regular internal audit is an indispensable management tool. Supervisory authorities are particularly strict with data protection violations if a company shows no initiative to ensure compliance.
Legal Basics: What the GDPR Mandates
The internal data protection audit is not explicitly enshrined in the GDPR as such. However, it arises from a series of core provisions that oblige companies to actively self-monitor.
Art. 5 GDPR – Accountability
The decisive basis for the audit obligation is accountability: those responsible must not only comply with data protection principles but also be able to prove their compliance. Anyone who cannot present documented control mechanisms in the event of a complaint or audit risks severe sanctions.
Art. 24 GDPR – Controller’s Responsibility
The controller must implement appropriate technical and organizational measures (TOMs) and regularly check if they are still effective. An internal audit is the classic instrument for this.
Art. 32 GDPR – Security of Processing
Technical and organizational security measures must be state of the art and regularly checked for their effectiveness.
Art. 35 GDPR – Data Protection Impact Assessment (DPIA)
For particularly high-risk processing operations, the GDPR mandates a data protection impact assessment. Internal audits help identify when a DPIA is required and whether an already conducted DPIA is still up-to-date.
§ 38 BDSG – Data Protection Officer
Companies that typically employ at least 20 people on a permanent basis in the automated processing of personal data are required to appoint a data protection officer. The data protection officer is responsible for monitoring compliance with the GDPR—which requires regular internal audits.
What an internal data protection audit entails
1. Record of Processing Activities
The starting point of every internal audit is the record of processing activities (ROPA) in accordance with Art. 30 GDPR. It documents which personal data is processed, for what purpose, on what legal basis, and with which recipients.
The audit examines: Is the ROPA complete? Are all current processing activities recorded? Do the documented legal bases and actual practice align? Especially in growing companies or after IT projects, the documented ROPA often deviates from the lived reality.
2. Review of Legal Basis
Every processing of personal data requires a legal basis – be it consent, contract fulfillment, legal obligation, legitimate interest, or one of the other grounds. The audit will examine whether the documented legal bases are indeed viable and whether consents meet the formal requirements of the GDPR.
Particular attention must be paid to the processing of special categories of personal data under Article 9 of the GDPR—such as health data, biometric data, or information regarding ethnic origin. Stricter requirements apply in these cases.
3. Technical and Organizational Measures (TOMs)
The TOMs are the backbone of operational data protection. The audit checks whether measures for entry control, access control, authorization control, disclosure control, input control, order (processor) control, availability control, and separation of data are actually implemented and effective.
In practice, the following questions are often relevant: Do password policies reflect the current state of the art? Are user rights granted according to the principle of least privilege? Are access rights updated promptly when personnel changes occur?
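As an added illustration of the access-rights questions above (example code, not part of the original article), the following script performs one check an audit team would run against the TOMs: it compares a constructed IAM account export with a constructed HR roster and flags accounts of departed staff still enabled after a grace period, permissions beyond the role baseline, dormant accounts, and accounts with no HR owner. The usernames, permission names, role baseline, grace period and dormancy threshold are all assumptions.

```python
from datetime import date

# Constructed sample data (no real systems): an IAM export and an HR roster.
ACCOUNTS = [
    {"user": "amueller", "enabled": True, "perms": {"crm_read"}, "last_login": date(2024, 5, 2)},
    {"user": "bschmidt", "enabled": True, "perms": {"crm_read", "crm_admin"}, "last_login": date(2024, 5, 3)},
    {"user": "cweber", "enabled": True, "perms": {"hr_read"}, "last_login": date(2023, 11, 20)},
    {"user": "dfischer", "enabled": True, "perms": {"crm_read"}, "last_login": date(2024, 4, 1)},
    {"user": "svc_backup", "enabled": True, "perms": {"backup_admin"}, "last_login": date(2024, 5, 1)},
]
HR_ROSTER = {
    "amueller": {"role": "sales", "left": None},
    "bschmidt": {"role": "sales", "left": None},
    "cweber": {"role": "hr", "left": None},
    "dfischer": {"role": "sales", "left": date(2024, 4, 5)},  # departed
}
# Assumed least-privilege baseline: the maximum permission set per role.
ROLE_BASELINE = {"sales": {"crm_read"}, "hr": {"hr_read"}}
LEAVER_GRACE_DAYS = 3   # assumed deprovisioning SLA after departure
DORMANT_DAYS = 90       # assumed threshold for unused accounts
SAMPLE_DATE = date(2024, 5, 10)  # audit date for the constructed data


def review_access(accounts, roster, today):
    """Return audit findings as (user, issue) tuples, in account order."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            # No HR owner: service accounts need a documented owner and justification.
            findings.append((user, "no_hr_owner"))
            continue
        left = person["left"]
        if left and acct["enabled"] and (today - left).days > LEAVER_GRACE_DAYS:
            findings.append((user, "leaver_still_enabled"))
        # Anything beyond the role baseline violates least privilege.
        excess = acct["perms"] - ROLE_BASELINE.get(person["role"], set())
        if excess:
            findings.append((user, "excess_permissions:" + ",".join(sorted(excess))))
        if acct["enabled"] and (today - acct["last_login"]).days > DORMANT_DAYS:
            findings.append((user, "dormant_account"))
    return findings


if __name__ == "__main__":
    for user, issue in review_access(ACCOUNTS, HR_ROSTER, SAMPLE_DATE):
        print(f"{user}: {issue}")
```

Each finding maps directly to a checklist item (access permissions checked, TOM documentation current) and can be recorded with a risk level and owner in the audit report.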
4. Data Processing Agreements (DPA)
A Data Processing Agreement is required wherever personal data is shared with external service providers – cloud providers, IT service providers, marketing agencies, accounting software. The internal audit checks whether all relevant DPAs have been concluded, whether they are up-to-date, and whether the contractual provisions comply with the requirements of the GDPR.
5. Data Subject Rights and Data Protection Information
Articles 12-22 of the GDPR grant data subjects extensive rights: access, rectification, erasure, restriction, data portability, and objection. The audit will examine whether processes exist to answer these requests in a timely manner (usually within one month) and completely.
6. Incident Management and Reporting Obligations
Articles 33 and 34 of the GDPR oblige companies to report data breaches to the supervisory authority within 72 hours and to inform affected individuals. The audit will examine whether a functioning incident response procedure exists and whether employees are trained to recognize and report data breaches.
Practical Tips for Conducting an Internal Audit
Carefully assemble the audit team. An effective internal data protection audit requires the cooperation of various departments: IT, Legal/Compliance, HR, Marketing, and Management. Ideally, the Data Protection Officer coordinates the process.
Define clear scope. Not all areas need to be audited simultaneously. A risk-based approach is recommended: areas with particularly sensitive data or high processing volumes first.
Use standardized checklists. Structured questionnaires and checklists ensure completeness and comparability across different departments and audit cycles.
Document and prioritize results. Every finding should be documented with its risk level, need for action, and responsibility. An action plan with deadlines ensures commitment.
Ensure regularity. A single audit is not enough. A complete audit cycle at least once a year is recommended, supplemented by ad hoc audits for new IT projects, organizational changes, or after data breaches.
Involve employees. Data protection is not purely an IT or legal issue. Employee training is a separate audit point – and at the same time an important tool for anchoring compliance in the long term.
Do you have questions about the specific design of an internal data protection audit in your company? SITTIG LAW supports companies as an external data protection officer and with the legally compliant implementation of data protection compliance.
Checklist: Internal Data Protection Audit
Preparation
- Audit scope and schedule set
- Audit team and responsibilities defined
- Checklists and questionnaires prepared
- All relevant departments informed
Documentation
- Record of Processing Activities (ROPA) complete and up-to-date
- Legal bases for all processing operations documented
- Data protection statements up-to-date and GDPR-compliant
- Consents documented and verifiable
Technical and organizational measures
- TOM documentation current
- Access permissions checked
- Encryption and pseudonymization where necessary
- Data backup and recovery processes checked
- Logging measures implemented
Processors and third-country transfers
- All processors identified
- Processor agreements available and up-to-date for all processors
- Third-country transfers identified and secured
- Transfer Impact Assessments (TIA) current
Data Subject Rights and Notification Obligations
- Processes for data subject requests established
- Incident response procedure documented
- Reporting channels to the supervisory authority known and practiced
Follow-up
- Findings documented and prioritized
- Action plan created with deadlines and responsible parties
- Next audit appointment set
Data Privacy Audit as an Investment in Legal Certainty
An internal data protection audit is not a bureaucratic exercise, but a strategic tool. Companies that actively manage their data protection compliance are not only better protected against fines and reputational damage – they also create the trust that business partners and customers expect in today's digital economy.
The complexity of data protection law – at the intersection of GDPR, national law, IT security, and industry-specific requirements – makes it clear: occasional individual measures are not enough. What is needed is a structured, repeatable process integrated into the company's organization.
We support companies as an external data protection officer and in the legally compliant design of data protection compliance programs – from the initial assessment to the implementation of concrete measures. We are happy to assist you with any questions regarding internal data protection audits.
Frequently asked questions
An internal data protection audit as such is not explicitly required by the GDPR. However, the obligation arises indirectly from the accountability principle, the obligation to regularly review technical and organizational measures (TOMs), and the controller's general responsibility.
A comprehensive internal review should take place at least once a year. In addition, ad-hoc audits are recommended when introducing new IT systems, organizational changes, after data breaches, or when the legal situation changes.
Ideally, the internal or external data protection officer coordinates the process. The actual implementation requires the involvement of various departments – IT, Legal/Compliance, HR, and Management. External support is advisable if there is a lack of internal expertise or for an independent perspective.
Without systematic internal reviews, companies risk unaddressed compliance gaps that can lead to hefty fines and reputational damage during regulatory audits or data breaches.
Yes, monitoring GDPR compliance is one of the core tasks of the data protection officer. They should be involved in the planning, execution, and evaluation of the audit.
The results should be documented, prioritized by severity, and translated into a concrete action plan. Critical findings require immediate action; less urgent items will be incorporated into the regular compliance process. The documentation also serves as proof for the supervisory authority.
The effort varies greatly depending on the company's size, industry, and current compliance status. For a well-established SME, an annual routine audit can be completed in one to two working days. More time should be allocated for an initial comprehensive audit or after a long break.
Internally generated audit reports are generally not legally protected from disclosure to authorities. Companies should therefore carefully plan the creation of such reports and, if necessary, seek legal advice on how the documentation should be worded.
Common findings include: outdated or incomplete records of processing activities, missing or inadequate data processing agreements with service providers, insufficient cookie consent solutions, missing or outdated privacy policies, overly broad access rights, missing consent records for marketing, and insufficient employee training.