Data Protection Act 2018

Data Protection Audit

136. (1) Where Part 5 applies to a controller or processor, the Commission may carry out or cause to be carried out such examination in the form of an audit as it considers appropriate in order to determine whether the practices and procedures of the controller or processor are in compliance with that Part and regulations made under it.

(2) The Commission may, for the purposes of an audit under subsection (1) or a data protection audit, require the controller or processor concerned to produce any documents, records, statements or other information within that person’s possession or control, or within that person’s procurement, that are relevant to or required for the conduct of the audit.

(3) Before commencing an audit under subsection (1), or a data protection audit, the Commission shall give the controller or processor concerned notice of its proposal to conduct such an audit, which notice shall—

(a) specify the matters to which the proposed audit will relate, and

(b) specify the date, which shall be not earlier than 7 days from the date on which the notice is given, on which the audit will be commenced.

(4) In this section, “data protection audit” means a data protection audit conducted for the purpose of Article 58(1)(b) of the Data Protection Regulation.