Since the new General Data Protection Regulation (GDPR) has applied from May 25, 2018, companies have been obliged to take a range of measures to guarantee the security and confidentiality of the third-party personal data they handle; otherwise they risk significant financial penalties, of up to 20 million euros or 4% of annual worldwide turnover, whichever is higher. Is a data protection audit one of these measures?

What is a data protection audit and what is it for?

A data protection audit has the objective of verifying that all the measures necessary to guarantee the security of the data held by a company have been implemented in the correct way.

The audit is accompanied by a report that collects all the points analyzed, the errors or failures found, and the measures that must be applied to correct them.

It plays a fundamental role in the supervision and control of stored personal information, so it must be given the importance it deserves.

Data protection audit: is your company obliged to do it?

A data protection audit is always recommended to confirm that the strategy followed is correct, but is it mandatory or not? The answer is: it depends.

With Royal Decree 994/1999, of 11 June, companies were obliged to carry out a data security audit once every two years, either internally or externally.

Under the previous regulation, data protection audits were an obligation for all companies; since the entry into force of the new GDPR, companies are no longer obliged to perform them.

According to the provisions of the GDPR, in the cases it sets out your company is obliged to appoint a Data Protection Officer (DPO), whose main task is to monitor compliance with the regulation: reviewing internal policies and the corresponding audits, conducting internal data protection audits, and carrying out reviews and evaluations, always depending on the needs of each company.

In that case, the audit should not be carried out by the company's own DPO, since one of the functions of the data security audit is precisely to verify that the DPO is performing their duties correctly. The DPO's role should be limited to supervising the audit process and ensuring that the actions it recommends are implemented.

What must a data protection audit include?

A data protection audit must meet a series of requirements in order to attest to the security of any data or information of a personal nature:

  • The audit should analyze both automated and manual files.
  • The companies obliged to carry it out must do so once every two years.
  • If modifications are made to the information system that may affect compliance with security measures, an extraordinary audit must be carried out.
  • It must detail all possible deficiencies detected, and the measures to remedy them.
  • The DPO or the person responsible for the personal data will be responsible for ensuring that the corrections indicated in the report are applied.

It is the company itself that decides how it wants to carry out the audits, provided that they are carried out in an objective and impartial way, to verify that the security measures necessary for data protection are being complied with.

The data protection audit must be carried out as a systematic process, following a series of procedures and action protocols that yield the information needed to prepare the final report.

External audit

If you opt for an external audit, it will have to be performed by a professional with no link to the company being audited, using techniques and procedures to review the methods the company uses to ensure the security of the confidential data it handles.

Internal audit

The internal audit must be carried out by a professional specialized in the new General Data Protection Regulation, with sufficient IT and legal knowledge to review whether the security control procedures established by the company are adequate and comply with the law.

Companies that handle personal data are not obliged to carry out a data protection audit, but they can do so voluntarily to avoid possible sanctions and to confirm that the measures implemented in their businesses are effective.