Auditing GDPR for Small and Medium Enterprises

Author: ISACA
Date Published: 3 April 2019

Enterprises of all sizes that handle European Union (EU) citizens’ data must comply with the EU General Data Protection Regulation (GDPR). Even small and medium enterprises should perform annual compliance audits to ensure that GDPR-related compliance controls are operating effectively. The audit should assess the enterprise’s policies and procedures for managing and protecting personal data and include a review of the tools and technology used to input, process, transmit and store information regulated by the GDPR. To help small and medium enterprises test the proper controls and control attributes surrounding their GDPR implementation, ISACA has released the GDPR Audit Program for Small and Medium Enterprises. It includes guidance on how to:

  • Provide management with an assessment of GDPR policies and procedures and their operating effectiveness
  • Identify control weaknesses that could result in increased use of unsanctioned GDPR solutions (and higher likelihood that the solutions are not detected)
  • Evaluate the effectiveness of the organization’s practices and ongoing management of GDPR

Conducting a formal assessment of the small and medium enterprise’s GDPR implementation and compliance allows auditors to provide management with an evaluation of how effectively GDPR is being governed, monitored and managed.

To download this audit program, visit the GDPR Audit Program for Small and Medium Enterprises page of the ISACA website.