Guide to Data Protection Auditing



Compliance Audit Report (print ref: Part 3, Section 4.3)

A Compliance Audit Report is produced after every Compliance Audit whether or not any Non-compliances have been discovered. The purposes of this Report are to:

  • Record the key reference data relating to the Data Protection Audit such as date, scope, areas assessed, name of audit team etc.
  • Summarise the main findings of the audit and refer to any non-compliances identified
  • Document suggestions for any corrective action whether agreed or not
  • Record the nature and timescale of any agreed follow-up visits.

A pro-forma may be used for this report; a suggested two-page layout is given in Annex C.8, and its key features are described in the following sections. There are many benefits to finalising and delivering the Compliance Audit Report in the field at the end of the audit. Whether this is practical will depend on the nature of the information gathered during the audit and the complexity of the compliance issues raised.


The top section of the first page of the Report is used to record the following information about the audit:

  • Audit reference
  • Name of the organisation
  • Name of the department (function or area as appropriate)
  • Date of the audit

Audit Summary

The main section of the first page is used to summarise the results of the audit. The summary should be factual and fair and must reflect that it is ultimately only a "snapshot" of the situation taken at a particular time and place. However, it may be helpful to the organisation to state in what way the situation has changed since the last audit, i.e. is it improving, getting worse or static.

It is also very important to ensure that the summary is as evaluative as possible and not merely descriptive. After all, the organisation does not need to read a lengthy description of its Data Protection Policies and Procedures - it knows this information already. What it doesn't know is how good and effective they are, and this is what the summary needs to evaluate.

Auditors will find it quicker and easier to write these summaries in the form of a template consisting of a number of standard paragraphs. It is suggested that each paragraph could be structured to record the following information:

  1. First Paragraph

    This paragraph should cover the scope of the audit and include:

    • The names of areas, functions or departments visited, and the processes audited.
    • If an adequacy audit has been undertaken the results of this should also be stated
    • Total number of Major and Minor Non-compliances raised and number of Observations recorded.
  2. Second Paragraph

    This paragraph should document the results of the Functional Audit, and include:

    • Brief description and evaluation of the Data Protection System in terms of organisation, management and documentation at the corporate level.
    • Brief description and evaluation of how the Data Protection System operates at departmental level and how it interfaces with the corporate system.
    • Comment on how the Data Protection Principles have been dealt with and evaluate any special features or problems.
  3. Third Paragraph

    This paragraph should document any special aspects of the Functional Audit, and include where applicable:

    • Evaluation of the use of Data Processors.
    • Evaluation of the Notification systems.
    • Evaluation of Transitional Arrangements.
  4. Fourth Paragraph

    This paragraph should document the results of any Process Audits, and include:

    • Brief description and evaluation of each process audited.
    • Number of items, documents, records etc. inspected.
  5. Fifth Paragraph

    This paragraph should document the results of the One-to-One Interviews and/or Focus Groups and include:

    • Total number of One-to-One Interviews and/or Focus Groups held.
    • Evaluation of staff commitment to personal privacy and awareness of data protection issues.
    • Evaluation of quantity and effectiveness of staff data protection training.
  6. Final Paragraph

    The last paragraph should give the Auditor's overall evaluation of the effectiveness of the organisation's Data Protection System. Comment can also be made about the organisation's general ethos concerning information confidentiality and data security. Finally, the Auditor could note how the situation has changed since the last audit.

Summary of Corrective Actions

The top half of the second page of the Audit Report is used to summarise all the Non-compliances raised during the audit and to record the following information for each:

  • The Non-compliance reference number
  • Who is responsible for carrying out the corrective action
  • The agreed corrective action to be taken
  • The date when the corrective action will be completed

Agreed Audit Follow-up

The bottom half of the second page of the Audit Report records the agreed follow-up action in terms of its scope and timescales as described in Section 4.4.4.

