Privacy Audit Risk Assessment
Overview
Privacy audit risk assessment is the systematic process of identifying, evaluating, and prioritising privacy risks to determine audit scope, frequency, and resource allocation. A risk-based approach ensures that audit effort is directed at areas of greatest exposure, aligning with the accountability principle under GDPR Article 5(2) and the proportionality requirements of ISO 19011:2018.
The International Internal Audit Standards (IIA Standard 2010) require the chief audit executive to establish a risk-based plan to determine the priorities of the internal audit activity. In the privacy domain, this means evaluating processing activities, data categories, transfer mechanisms, and regulatory exposure to identify where compliance failures would cause the greatest harm.
Risk Universe
The privacy audit risk universe encompasses all auditable entities within the organisation's privacy programme:
| Risk Domain | Auditable Entities | Example Risks |
|---|---|---|
| Data Subject Rights | DSAR processing, consent management, automated decisions | Late DSAR responses, invalid consent, no human review for automated decisions |
| Data Processing | Processing registers, lawful basis documentation, purpose limitation | Undocumented processing, incorrect lawful basis, purpose creep |
| Data Transfers | International transfers, SCCs, BCRs, adequacy reliance | Transfer without safeguards, outdated SCCs, Schrems II non-compliance |
| Data Security | Technical controls, access management, encryption | Unauthorised access, unencrypted personal data, excessive permissions |
| Breach Management | Detection, notification, documentation, remediation | Late notification (>72 hours), inadequate forensics, poor remediation |