What is ‘Auditability’?

Audit is mentioned in three places in the GDPR:

  • Article 28 paragraph 3(h) GDPR: the (sub-)processor makes available to the controller all information necessary to demonstrate compliance with the obligations under Article 28 GDPR, and allows for and contributes to audits, including inspections, conducted by the controller or by another auditor mandated by the controller.
  • Article 39 paragraph 1(b) GDPR: the data protection officer monitors compliance with the GDPR and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of the staff involved in processing operations, and the related audits.
  • Article 47 paragraph 2(j) GDPR: binding corporate rules must specify the mechanisms for verifying compliance with those rules. Such mechanisms include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject.

Accountability is evidence-based: it supports compliance, demonstrating that the organization meets the requirements of the GDPR and of its own data protection policy.

Auditability is risk-based: it supports assurance, establishing that the data protection and privacy policies are operating effectively and that the organization can therefore be held accountable for them.