GDPR Audit Program Bundle 

Bookstore Purchase the Download:  Member US $49 | Non-Member US $79

  Provide feedback on this document


As of 25 May 2018, all enterprises that conduct business and hold personal data on just one person located in the European Union will fall under the mandates of a new EU requirement—the General Data Protection Regulation (GDPR). All EU businesses are subject to GDPR, but its effect goes even further. Given the global scope of today’s digital-based commerce, the impact of GDPR certainly will be felt by many businesses across the world and located outside the physical borders of the EU.

The GDPR audit program bundle offers a holistic framework for reviewing all data-processing practices in the context of GDPR. However broadly conceived, the GDPR audit necessarily involves tasks that are more narrowly (or traditionally) technical, in the sense that they focus on the set of IT controls customarily reviewed and assessed by IT auditors. To address both general and particular audit perspectives, this bundle includes two components, each tailored for a specific audit focus:

  • A comprehensive audit program (GDPR Audit Program—Enterprise)
  • A narrow audit program covering only technical portions of GDPR (GDPR Audit Program—Technical)

The technical program is designed for auditors tasked with determining the effectiveness of IT controls on data processing, while the comprehensive program covers the full range and depth of enterprise-level auditing for GDPR.

Audit Objectives

The objective of a GDPR audit is to provide management with an evaluation of how effectively GDPR is being governed, monitored and managed. The review will focus on GDPR governance and response mechanisms as well as supporting processes, which can help to manage the risks associated with non-compliance to GDPR.

  • Provide management with an assessment of their GDPR policies and procedures and their operating effectiveness
  • Identify control weaknesses that could result in increased usage of unsanctioned GDPR solutions and greater likelihood that the solutions are not detected
  • Evaluate the effectiveness of the organization’s response to, and ongoing management of, GDPR

Audit Scope

The audit/assurance program is built on the following two categories:

  • Implementation Controls are required to Implement GDPR
  • Maintenance Controls are required to maintain ongoing data protection and privacy (and therefore have been equally required historically)

The auditor conducting the audit will identify the scope of organizational functions, systems and assets to be reviewed.

The supporting workbook contains a suggested list of possible controls, control attributes and test procedures for auditing GDPR implementation and compliance and should not be used without design review and localization first.