GDPR audit – why is it unique and is it a legal audit at all?

data processing legal audit - Ukraine

GDPR audit – why is it unique and is it a legal audit at all?

What is personal data processing legal audit? Why should we conduct GDPR audit? What are its goals and features? How to organize the personal data processing according to best practices? Are there any recommendations? What is the future of data processing regulation? What changes in the legislation of Ukraine should bring it in line with European regulations? These are just some of the issues covered in this article.

The author of the article has extensive experience in various fields of law – from criminal law and procedure to intellectual property law. However, starting from 2018, legal relations in the field of personal data processing and protection was chosen as the main vector of professional development. Deep understanding of the essence of personal data processing and various experience, including working as a public prosecutor, allowed, among the first in Ukraine, to start the practice of personal data processing legal audits for compliance with the GDPR requirements.

The author, Yevgeniy Movchun is a lawyer, a legal auditor and a GDPR compliance expert. He also currently holds the position of the chairman of the NGO Legal Support. One of his priorities and the NGO Legal Support aims is to promote the maximum implementation of EU regulatory rules on personal data protection in Ukrainian legislation. The efforts of the NGO Legal Support are also aimed at establishing contacts and cooperation with specialists from other countries, including within the framework of the International Association of Legal Auditors.

Legal practice, which is closely related to the implementation of organizational and legal measures aimed at compliance with the GDPR, and activities due to the role of the head of the public association form the following tasks: development, adaptation and implementation of organizational and legal measures to help businesses bring their activities in line with the rules of personal data processing; creating initiatives and holding public events to spread awareness of the legal requirements in the field of personal data protection; conducting seminars and lectures, sharing experience; establishing contacts with non-governmental organizations to implement the principles of GDPR in data processing practices; involvement of students and trainees of law universities in the activities of NGO Legal Support in order to deepen their knowledge and improve their skills.

Personal data processing legal audit in Ukraine - GDPR legal auditor Yevgeniy Movchun.
The author, Yevgeniy Movchun is a lawyer and a GDPR compliance expert.

Privacy and Personal data processing.

What is privacy? The modern digital world has given this word a meaning as deep as ever. What is the priority of personal data security and privacy? Are these issues important for business? Is it worth averting the potential harm to customers’ interests and their privacy at an additional cost? In the process of developing and promoting commercial products, the issue of security and confidentiality of customer data and employees is not always among the priorities. Such an approach often leads to both reputational and material losses.

This article discusses the audit of personal data processing as a tool to identify and prevent risk situations and negative consequences that can be a problem for both businesses and individuals whose data are processed. It is not easy for organizations, businesses and institutions that do not fall under the EU regulatory rules to understand the essence of this audit and its purpose. In order to shed light on the role and significance of the GDPR audit, we will consider it as a very specific manifestation of legal audit, which arose due to European regulatory rules, but now extends far beyond the EU.

Among the key issues addressed in this article:

  • Is a GDPR audit a legal audit at all? And if so, what are its features?
  • What are the tasks of the personal data processing audit? What exactly is checked during the audit? What are the benefits of a GDPR audit other than ensuring compliance with existing regulatory rules?
  • What does the «complexity» of the personal data processing audit mean? Why is this type of legal audit inseparable from the measures taken as a result of it and aimed at protecting personal data?
  • Balance of interests of business and personal data subjects – how to find a compromise?

In addition to answers on indicated questions, the reader will find recommendations that will help to properly build business processes in accordance with current rules. And that is not all. Surely we all want to know what “privacy limits” we can expect in the near future? Who and how will guard these borders? So let’s try to look into the future, based on data processing volumes and current trends.

What is the uniqueness of the personal data processing audit and its tasks?

The author has a difficult task – to acquaint the reader with characteristics of the data processing legal audit, without abusing specific terms and difficult to understand constructions. After all, the audience of our readers is not only lawyers and specialists in the field of audit, it is also entrepreneurs and business representatives. Therefore, in order to achieve the set goal and form a holistic view of the personal data processing audit together with the specifics of the auditor’s work, the information will be provided in the most accessible and understandable form.

An important caveat – compliance with regulatory rules in the field of personal data protection is the responsibility of all enterprises, institutions, organizations, including non-profit, and even individuals who process personal data. Yes, it is a duty that is not just for business. However, this article deals primarily with the audit of personal data processing in the context related to commercial activities. Still, the following statements and recommendations have the same application in the organization of personal data processing in non-profit activities.

In order to add transparency and clarity to this article, before considering the questions, let’s define a common understanding of the following terms:

  • GDPR (General Data Protection Regulation) – a set of rules that establishes the rights of personal data subjects, the corresponding responsibilities of the persons processing personal data and defines the purposes of such processing, as well as the requirements to be met when processing personal data. The GDPR provides mechanisms that determine the extraterritorial nature of its action.
  • Personal data (PD) – any information relating to an identified or identifiable natural person. That is a definition provided by Article 4 of the GDPR.
  • Controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • Personal data subject (data subject) – a natural person who can be identified, directly or indirectly by means of personal data. Simply put, it is an individual whose personal data is processed.
  • Personal data processing legal audit or GDPR audit – legal and organizational audit of PD processing processes for compliance with the requirements of the GDPR and the rules of national law of the business entity that acts as a controller and/or processor. This article does not cover the audit of «technical» (software and hardware measures) aimed at protecting and properly preserving the PD. At the same time, in practice, verification and proper implementation of such measures is no less important than the organizational and legal component of the data processing audit.
  • Auditor or GDPR auditor – a specialist who analyzes the processes of personal data processing, establishes the shortcomings of the organizational and legal part of work with personal data and non-compliance with the requirements of the GDPR. The results of GDPR audit provides comprehensive information with relevant comments and recommendations.

Let’s return to our questions. So, is the audit of personal data processing unique compared to other types of legal audit? What makes it special? According to the author’s opinion, there are at least three features that determine the special nature of the GDPR audit and distinguish it from other legal audits. It is true that the audit of personal data processing is not a 100% legal audit, it requires a broader approach and comparison of data processing not only with the requirements of current regulatory rules. The processing of personal data must be consistent with the principles of rationality and reasonableness, the priority of the interests of the data subjects, the conformity of methods, forms and scope of data processing to the ultimate goal of such processing. All this is subject to the audit. So what determine the unique nature of the GDPR audit? Right now we will consider 3 key features.

Feature I – the continuity of the data processing legal audit and its dynamism.

The uniqueness of the personal data processing legal audit is its continuity (permanent duration) and dynamic nature. The audit of personal data processing begins long before the start of business activities related to PD processing and continues until there are any manifestations of PD processing, and sometimes even after.

Why so? There are many reasons for the dynamic nature of the audit including dynamics of processes, changes of the purposes of data processing, conditions, forms, ways and means, and also necessity in constant correlation due to data subjects’ inquiries. Further, changes like new rules in the field of personal data protection and development of new practices in this sphere also necessitate the dynamic nature of the personal data processing audit.

Although we do not consider technical measures in this article, which, along with legal and organizational measures, are extremely important for the proper protection of PD, it should be noted that the rapid development of hardware and software for data compromise and, conversely, for data protection sets the dynamic and ongoing nature of the audit. Constant coordination of efforts with a specialist who implements software and hardware security measures is one of the tasks of the GDPR auditor.

In order to achieve the proper result, identify all possible shortcomings and provide recommendations for their correction, both “technical measures” specialist and “organizational and legal measures” specialist should act in a coordinated manner. The purpose of the specialist who implements “technical security measures” is to ensure the protection of data processing supported by adequate and up to date software and hardware protection measures. The purpose of the “organizational and legal measures” specialist in the implementation of organizational and legal measures aimed at personal data protection. In both cases, the criterion of “relevance” is important, which, among other reasons, explains the dynamic ongoing nature of the data processing legal audit.

The auditor works even when all the processes are set up and worked out. In what form does such “ongoing” work take place? In the form of control and stress audits. Their purpose is to verify the reliability and completeness of the measures taken, their compliance with factors that tend to change (for example, changes in subcontractors, methods and forms of processing, current algorithms for anonymization of personal data, etc.). The ultimate goal of control measures is always the same – to protect the interests of business and the rights of personal data subjects (customers, consumers). Thus, the first feature characteristic of the personal data processing audit is “duration and dynamism“.

Feature II – personal data processing legal audit is a complex audit.

Of course, audit duration alone does not make an audit unique. And what about the complexity of the approach and methods of auditing? This feature is also not unique, but certainly characterizes both the audit of personal data processing and the work of the auditor. The task of the GDPR auditor is to identify two types of data processing deficiencies: a) “legal deficiencies” that indicate non-compliance with applicable regulatory rules; b) “organizational deficiencies” that do not directly violate the current rules in the field of personal data protection, but have a negative impact on the security status or cause a negative impact on the efficiency and rationality of data processing.

This “dual nature” of audit actions – is one of the signs of the personal data processing audit comprehensive nature. Another feature, due to the ultimate goal of involving a GDPR auditor, takes this type of audit and its ultimate tasks beyond the classic audit. After all, the practical side of the work of auditors in the field of personal data protection does not end with the identified shortcomings. Finding solutions and developing mandatory and recommended measures is an integral part of our work.

A full, high-quality and comprehensive audit of personal data processing is always a complex strategic task, which includes a number of operational tasks on a smaller scale, which are not always related to jurisprudence. Many of the auditor’s recommendations are in the nature of “management” recommendations, which are related not so much to the documentation of relevant processes or legal measures, as to the adoption of organizational (managerial) decisions.

The managerial component of the work of the personal data processing auditor is well illustrated by the example of the previously mentioned interaction with specialists who implement “technical” security measures. Proper explanation of existing shortcomings and ways to eliminate them, coordination of efforts (with technical specialists, HR manager, representatives of contractors, etc.), development of a common coordinated position with clear solutions for the business owner – these are elements of work typical for a data protection manager rather than a classic auditor.

The specifics of the data processing audit, which is the work of a specialist with knowledge of various fields, imposes on the auditor mentioned managerial responsibilities. Without them, the work of the GDPR auditor will not be complete. It is not enough just to identify shortcomings, it is necessary to work out the best ways to eliminate them and provide recommendations based on the specifics of the business model, the available staff, contractors and resources.

Feature ІІІ – the subject of the GDPR audit, the sensitive and unique nature of personal data.

The main and unique personal data processing legal audit feature follows from the specifics of its subject – the process of data subject`s personal data processing. Although the audit is conducted in the interests of business (or other data processing activities), the rights and legitimate interests of personal data subjects are of paramount importance.

Personal data is both extremely sensitive information, often really personal, and at the same time “commercial goods” a subject of commercial interest. It is difficult to imagine any business processes without the need to process personal data. Sales of goods and services, advertising and targeted promotion of modern digital services, and even the implementation of non-profit charitable activities – all this is almost impossible without the processing of customer, user, beneficiary data.

It is clear that our personal data is of interest to business. At the same time, we must not forget that their processing is closely related to sensitive issues for each of us – issues of privacy and personal data protection, including information about financial status, our health, our preferences and many other sensitive data. Thus, the risky nature of the processing of personal data, the sensitivity of such data, as well as the increased responsibility placed on the controller and processor of personal data – these are the factors that together form the third special feature of the GDPR audit.

What exactly is checked during the data processing legal audit?

Before conducting an audit, the specialist should collect the initial data. In order to conduct a qualitative and comprehensive audit, it is necessary to obtain at least the following information: information about the persons who determine the purposes of personal data processing and carry out such processing; information on the categories of personal data subjects whose data are processed; information about the categories of personal data (e.g. surname, first name, contact information, location, etc.) that are processed; information on contractors and subcontractors who will be involved in data processing (even if these are only some non-systematic tasks); information on cases of extraterritorial transfer of personal data; information on the terms of storage of personal data and the procedure for their deletion; information on the procedure for consideration of personal data subjects’ requests; information on the methods (forms) of using PD and the ultimate purpose of data processing. This list is not exhaustive and in practice may differ.

After clarifying the initial information, the auditor can begin his work. The following issues should be identified, verified and checked during the personal data processing audit:

  • existence of legal basis for the personal data processing and legitimate aim;
  • consistency of data processing with the actual and declared purpose of their processing,
  • compliance with the principles of data processing minimization and rationality;
  • forms and methods of personal data processing, including the use of modern digital technologies, the risks associated with them;
  • validity and expediency of determined terms of data processing;
  • procedure for involving employees in the personal data processing activities;
  • nature of the relationship with contractors and subcontractors involved in the personal data processing activities, agreements concluded with such contractors (subcontractors) and their compliance with the GDPR requirements;
  • documents related to the personal data processing (data processing agreement, internal regulations on data processing, privacy policy etc.);
  • procedure for responding to data breaches and/or violations of regulatory rules in the field of personal data protection;
  • procedure for consideration of personal data subjects’ requests, its compliance with the GDPR requirements;
  • internal personal data processing organization within the company;
  • effectiveness of company management interaction with responsible specialists, including DPO (Data Protection Officer);
  • availability of sufficient knowledge and skills of the staff involved in data processing, effectiveness of the relevant trainings;
  • assessment of existing organizational measures effectiveness in the dynamics.

This list is also not exhaustive. Each specific situation is individual and, accordingly, can both narrow and expand the subject of the audit. As a result of the audit, an act or conclusion is drawn up, which reflects: a) the factual circumstances established during the audit; b) shortcomings and non-compliance with GDPR requirements; c) risks and possible negative consequences associated with the identified shortcomings; d) recommendations for eliminating the identified shortcomings.

Opposite views on the true nature of the personal data processing audit.

Some readers may have thought that the responsibilities of the GDPR auditor were redundant, as well as the possibility of limiting the audit only to compliance with the current personal data processing regulatory rules. This point of view is that the GDPR audit is no more than only a sort of legal audit.

The author of this article acknowledges the right to completely different views on the essence of the GDPR audit, but takes a different view. This point of view is formed in practice and is as follows – the personal data processing audit includes a legal audit as an integral part, but is broader in scope and, as already noted, involves auditing a number of organizational aspects of personal data processing. In addition, given the described features of the audit (second and third features) – the true value of the personal data processing audit is manifested under the condition of its complexity and further development and implementation of measures arising from the results of the audit.

So can a GDPR audit be considered a legal audit at all under such conditions? Yes, it is a legal audit. Despite the fact that the work of the GDPR auditor is not completed by drawing up a report with audit results, such an audit is still a form of legal audit but with quite unique related inalienable tasks. In other words – a legal audit is an element (core element) within GDPR audit procedures. The difference is that, unlike, for example, a financial auditor, a GDPR auditor usually does not stop at drafting an audit report, but continues to work to develop relevant recommendations.

In practice, the implementation of the recommendations given in the auditor’s report is often carried out by the same specialist. Does this affect the objectivity of the auditor’s findings? There are no sufficient grounds for an affirmative answer to the question. Moreover, the auditor has a deep understanding of analyzed processes, which contributes to the proper implementation of the necessary measures. At the same time, if possible and for the sake of objectivity, it is really better to involve another specialist to correct the identified shortcomings and implement the recommendations provided by the auditor. However, it should be a specialist with a similar amount of knowledge and skills in the field of verification and proper organization of personal data processing.

Personal data processing legal audit and Balance of interests issue.

The author of the article cannot fail to note the extraordinary, or rather, contradictory tasks of the GDPR auditor. Classical financial audit and most forms of legal audits provide an objective assessment, but often in the interests of the audit client. At least from the standpoint of practical benefits for the audit client. The personal data processing audit is a different story – the auditor is indirectly responsible for the proper and lawful processing of personal data. Of course, we are talking, first of all, about moral responsibility.

This nuance determines the maximum objectivity of the conclusions of the GDPR auditors. A true specialist should forget about any interests, including the interests of the client. Instead, the specialist should coordinate efforts on one thing – the legality, affiliation and rationality of the organization of personal data processing. Under such conditions, the balance of interests issue will disappear by itself.

A brief overview of the tasks the GDPR auditor faces in practice.

To better understand the essence of the personal data processing audit and issues that arise in the process, we will briefly consider a few examples from practice. The first one is audit of personal data processing during IEO (Initial Exchange Offering) – a story about how the audit helped to reconcile the requirements of the GDPR and KYC procedures.

Data processing legal audit, cryptocurrencies and IEOs.

IEO is a process remotely similar to classic IPOs, but implemented on a blockchain through an intermediary in the form of so-called cryptocurrency exchanges. Many jurisdictions do not recognize IEO, and some even prohibit this way (form) of raising funds (investment). But today we are not talking about the legal nuances of IEO. Let’s just say that this process is accompanied by numerous risk factors. This includes work with financial resources in the form of digital assets, insufficient legal regulation of such relationships, minimum guarantees for persons who acquire cryptographic tokens, and other risks. Not surprisingly, KYC procedures are mandatory in this situation.

KYC (Know Your Customer) is a process of verification (identification) of clients (investors, users, etc.) to identify and prevent potential risks. The identification process involves working with a wide range of personal data. Legislation in different jurisdictions and in the EU, on the one hand, requires counteracting money laundering and, on the other hand, requires minimizing the collection of personal data of individuals and providing substantial guarantees for their safe processing.

At the end we have a high-risk project with large scale personal data processing. And, ussualy, the teams of such projects do not have the necessary experience in organizing the proper personal data processing. Adding fuel to the fire is the need to share personal data (both receiving and transmitting) with “cryptocurrency exchanges”, most of which are registered in low-tax jurisdictions and try to avoid legal regulation.

Thus, on the one hand, the Controller and Processor is the company that initiates the IEO. On the other hand – in part of their own processes of personal data processing by the Controller and the Processor is a “cryptocurrency exchange” with its own rules, goals and objectives. With all this, between the first and second there is an active bidirectional data exchange.

What reference point should the auditor choose in the described situation? What procedure should be used in this example? The first is to always proceed from the rights and legitimate interests of the personal data subjects (this is the guideline). Second – it is necessary to gradually draw up a general scheme of all data processing processes with all the details, analyze the resulting scheme, identify deficiencies and any unnecessary (excessive) operations with personal data. This is exactly what was done. The audit client received both an audit report and a list of recommendations that not only eliminate the identified violations, but also optimize the tasks of the project, remove unnecessary irrational data operations and saved time.

Auditing personal data processing in social networks.

Auditing data processing in social networks is one of the most difficult tasks for an auditor. This is a task with an emphasis on verifying the completeness and transparency of informing users about the purposes of data processing, as well as with an emphasis on verifying the procedure for obtaining informed consent necessary to process users data.

Social networks, especially highly specialized, are unique in that their operation is directly determined by the purpose of disseminating their personal data among other users. Finding a compromise and balance of interests in this case is not easy, but possible. Indeed, social network users voluntarily agree to disclose their data to third parties. However, in the imagination of the majority of users it is a question of data disclosure only to other users.

In fact, the owners of social networks through their privacy policies are trying to obtain consent to disclose users personal data to other third parties, including advertisers. This is not prohibited, provided that users are properly and transparently informed about such actions. And this is where the problems arise.

The practice of conducting data processing audits shows that social networks users do not receive comprehensive information about the content, scope and nature of their personal data processing. And if users receive such information it is provided in the form unsuitable for easy perception and accessible understanding. Based on the results of the audits, we recommended that the textual information set out in the privacy policy should be supplemented with graphical explanations and/or explanations naturally integrated into the social network user interface.

The development of recommendations based on the results of the GDPR-audit is often associated with extraordinary and yet interesting tasks that bring uniqueness to the work of a specialist in the organization of personal data processing. The search for «weaknesses» and the facts of violation of the «balance of interests», construction of balanced solutions aimed at restoring a reasonable and fair balance – a set of tactical tasks, the implementation of which allows to achieve the main objective of the audit as quickly and fully as possible, to achieve a balance of interests of the Controller and the data subjects, to develop and implement a model of personal data processing, which will suit all relationship parties.

The results of the GDPR auditor’s work.

Audit results can be crucial for business. The auditor’s opinion may stop the startup or significantly change its essence. The recommendations of one auditor can keep the data of millions of people confidential. Yes, such a global impact is indirectly related to the work of the auditor, because the decision is always up to the business owner. However, the work of the auditor has direct consequences (results), including:

  • identification and assistance in eliminating the facts of non-compliance with the current regulatory rules in the field of data protection;
  • identification of organizational shortcomings and assistance in the optimal organization of personal data processing;
  • clarification of the essence of regulatory rules in the context of specific business processes related to the personal data processing;
  • assistance in saving resources by preventing penalties and possible reputational damage;
  • assistance in formation of clear and understandable tasks for specialists who implement «technical» (software and hardware) measures to ensure the security of data processing;
  • assistance in protection of data subjects’ rights and legitimate interests;
  • dissemination of positive practices on personal data processing and protection.

10 thesis tips and recommendations on personal data processing (for business):

  1. Process personal data only on legal basis and only for the legitimate aim.
  2. Follow the principle of minimalism – collect and process only the personal data that is really necessary to achieve the goals.
  3. Make sure that the data processing is carried out in compliance with organizational and technical security measures.
  4. Do not process data (do not store personal data) longer than the period necessary to achieve the goals. When deleting (destroying) personal data, respect the rights of data subjects.
  5. Always consider the requests of personal data subjects and do not create obstacles to the exercise of the data subjects’ rights.
  6. You should model and predict critical, non-standard and risky situations.
  7. Systematically assess the possible risks that may adversely affect the rights and legitimate interests of data subjects.
  8. Conduct trainings and practice how to respond to potential violations.
  9. Consider the process of personal data processing in the complex – from the beginning of personal data collection on legal basis to the moment of their transfer and/or deletion, including deletion at the request of the personal data subject. Develop and implement security measures based on a comprehensive vision of data processing.
  10. Try to put yourself in the place of the personal data subject and proceed from the interests of the person whose data are processed.

The future of personal data processing legal audit in context of digital relations and globalization of the regulatory rules.

It is not difficult to notice the accelerated dynamics of globalization and the deepening digitalization of all social relations. Such processes directly imply an increase in the scale of data processing of citizens of all countries and the emergence of new methods and forms of processing, including those associated with significant risk to personal data subjects’ rights. It suffices to mention the technology of “face recognition” and its rapid spread in various fields – from business to law enforcement.

So what is the future of the data processing audit that awaits us in the context of further development of digital technologies, growth in data processing scale and the emergence of new data processing forms? According to the author, along with the increase in the personal data processing and the emergence of new risky forms and methods of processing will see a deepening of legal regulation, its unification and globalization. These seem to be inevitably interconnected processes. The only question is whether the requirements for the personal data processing will be strengthened based on the interests of data subjects or, conversely, whether the use and processing of personal data will be liberalized?

It is possible to answer the question objectively only in view of the near future. And on the example of possible legal regulation in the field of personal data protection in the native jurisdiction of the author of this article, we can assume that the protection of the interests of personal data subjects (i.e. each of us) will be a priority, at least in the near future. Thus, a bill has been registered in Ukraine that is almost identical to the GDPR. The text of the new (draft) version of the Law of Ukraine “On personal data protection” provides the same mechanisms to protect the rights and interests of personal data subjects, the same rights, the same obligations and the same principles. There is a high probability that this bill will be adopted by the Parliament of Ukraine. And some of the practices and approaches required by the GDPR are already being applied voluntarily outside the EU, including in Ukraine. And this trend is encouraging.

Yevgeniy Movchun |

Публікація викладена мовою оригіналу. Матеріал підготовлено для включення у якості авторської статті до книги Міжнародної асоціації правових аудиторів (the International Association of Legal Auditors) про особливості, практики і досвід проведення правових аудитів у різних країнах світу. Україномовним відвідувачам радимо ознайомитись з наступними матеріалами, які розкривають окремі питання проведення аудиту процесів обробки персональних даних та організації роботи у відповідності до регуляторних правил ЄС:

  1. Коротка стаття з роз’ясненнями щодо варіантів проведення та стадій GDPR аудиту –
  2. Детальна стаття про роль і задачі Data Protection Officer та оформлення відносин з таким спеціалістом –
  3. Повний перелік рекомендованих і обов’язкових заходів, реалізація яких необхідна для повної відповідності регуляторним правилам ЄС –

Представлені за посиланнями статті є лише частиною широкої бази публікацій юристів Legal Support. Ще більше консультаційних матеріалів стосовно чинних вимог, принципів і правил GDPR, а також відповідних процедур і документів, доступні через Блог нашого сайту (Розділ Консультації). Знайти необхідну консультацію можна за допомогою вбудованої форми пошуку за ключовими словами.