Data protection analysis in 2024

Companies must regularly have their data protection level checked. This is not just about data protection documentation but also how personal data is handled in everyday business. Large customers often demand such an external data protection analysis from their suppliers.

ISO 27001 rule sets can be designed to be complex or lean

The external data protection analysis is carried out by experienced IT and data protection experts. This data protection review considers the following points:

  • Appointment of the DPO
  • Expertise of the DPO
  • Completeness of data protection documentation
  • Compliance of procedural directories
  • Rules for the GDPR
  • Instruction of the employees
  • Incident documentation
  • Documents relating to data subject inquiries
  • Privacy Policy
  • ADP documentation and supplier contracts
  • Employment contracts and NDA regulations

How is a data protection analysis carried out?

Data protection experts will first review the company’s data protection documentation for compliance. Specific areas of the company are then checked. In this way, the auditors check to what extent the company has complied with its data protection obligations. Depending on the size of the company and its complexity, such a data protection analysis takes 1-2 days. However, this is not comparable to a very complex data protection audit that leads to a “Verified Data Protection” certificate.

If the operational data protection level is not yet mature, you should always carry out a data protection analysis first; a data protection audit only makes sense afterwards. Such an audit is often combined with an ISO 27001 audit.

What is the data protection report used for?

After a data protection analysis, the management receives a data protection report. The document shows the data protection level for individual areas using a traffic light system (red, yellow, green). This makes it easier for the responsible managers to understand the individual problem areas and set priorities.

Consultations to prepare for the ISO 27001 audit

How to improve data protection after a data protection analysis?

As soon as you have the list of data protection deficiencies or weaknesses, you should compile the individual problem areas clearly in a table. For each problem, a person responsible for resolving it must be assigned. In the second column you should mark the priority with a key number and a color. The target date for the fix is entered in another column. The last column contains the status of the remediation.

As soon as a problem area has been permanently resolved, the data protection officer (DPO) should check this and enter the latest status in the table. This allows you to see how many problem points are still unresolved. This table will be an important piece of evidence in a subsequent data protection audit and an ISO 27001 audit.