Auditing the GDPR

Auditing the GDPR
Author: Ian Cooke, CISA, CRISC, CGEIT, CDPSE, COBIT 5 Assessor and Implementer, CFE, CIPM, CIPP/E, CIPT, FIP, CPTE, DipFM, ITIL Foundation, Six Sigma Green Belt
Date Published: 22 January 2019

Like in many professions, the new year is traditionally a time for planning for IT auditors. This year, I am willing to wager that many of your resulting IT audit plans include something to do with the EU General Data Protection Regulation (GDPR).

A question naturally follows from this: How do you go about performing the audit? A Google search for the term “GDPR audit” produces about 34,800,000 results (as of 15 January 2019). So how do you separate the wheat from the chaff?

This very topic was recently discussed on ISACA’s Engage Audit and Assurance Online Forum. Excellent suggestions were made, including using the International Association of Privacy Professionals (IAPP) Certified Information Privacy Manager (CIPM) Body of Knowledge and the self-assessment tools defined by the United Kingdom’s Information Commissioner’s Office.

My own suggestion was to use annex 1 of the ISACA guide Implementing the General Data Protection Regulation. This defines 9 core GDPR processes in a COBIT-like process model to form a Data Protection Management System (DPMS) that could be reviewed from an assurance perspective. This idea went on to inspire my recent IS Audit Basics ISACA Journal column, “Assurance Considerations for Ongoing GDPR Conformance.”

Imagine my surprise when I learned that ISACA was developing a GDPR audit program using the same concept. I know “fools seldom differ,” but in this instance, I like to think that “great minds think alike”!

If there really are 34,800,000 ways to audit GDPR, may I strongly suggest that you consult each of these ISACA documents before you start.

Read Ian Cooke’s recent Journal column:
IS Audit Basics: Assurance Considerations for Ongoing GDPR Conformance,” ISACA Journal, volume 1, 2019.