Until May 2018, the date of application of the current General Data Protection Regulation, data protection audits were one of the obligations under the applicable regulations. More specifically, Royal Decree 994/1999 of 11 June approving the Regulations on Security Measures for Automated Files containing personal data (RD 994/99) provided for the need to carry out a data protection audit,at least every two years, in cases where companies process medium- and/or high-level data.
Why is GDPR audit important?
It is essential to note, first, Article 32 of the General Data Protection Regulation, which, through paragraph 1(d), considers that among the technical and organisational measures to be applied by controllers and processors aimed at ensuring a level of security appropriate to risk, they must include, inter alia,
a process of regular verification, assessment and evaluation of the effectiveness of technical and organisational measures to ensure the security of treatment.”
It is also appropriate to go to Article 39 of that regulation, which intentionally cites between the functions assigned to the Data Protection Officer (DPO), the one relating to the supervision of compliance with the provisions of the regulations, the other provisions in this area, the policies of the entity, as well as the corresponding audits.
GDPR Verification and Evaluation
As a logical consequence of the foregoing, it is reasonable to assume that there are no longer those specific assumptions in which it was previously mandatory to carry out a data protection audit. On the other hand, it is difficult to think that it is possible to carry out “verification and assessment” in asatisfactory manner,which is provided for in the Regulation, if not by carrying out a GDPR audit.
In addition, it should be noted that the principle of proactive responsibility is the central axis of the GDPR and requires for its compliance a conscious, diligent and continuous attitude on the part of the entities. This attitude is not only based on reacting when something happens, but always requires that we always go ahead, so, preventively, security measures and controls aimed at ensuring the privacy of personal data must be put in place. A weighty reason to implement audits between our processes.
Regular audit implementation is essential for obtaining multiple advantages in our system.
It is clear, first of all, that audits will bring to light existing data protection deficiencies, and will in turn constitute opportunities for improvement that will bring companies closer to a higher level of compliance and raise awareness of the importance of the subject matter. They will also help circumvent sanctions, as they will strengthen controls to prevent unauthorized loss, alteration or access to personal data. Maximum where such audits are the clearest example of the realization of the principle of proactive responsibility; mitigating and exempt from sanctions.