Internal Audit, DPO and the adjustment of Three-Lines-of-Defense-Modell

Internal audit usually follows the Three-Lines-of-Defense-Modell (T-LoD).1 Within this modell the 1LoD is the business line – like sales and marketing. The 2LoD is checking whether the 1LoD adheres to internal policies, external law and adequatly manages the risk. Risk management and compliance function are part of the 2LoD. The 3LoD is internal audit which has the oversight over both the 1LoD and at the same time the 2LoD. But the T-LoD-modell fails when the DPO is defined as 2LoD. That derives from the independent position of DPO.

1. Internal Audit and DPO

Nearly two years after GDPR beeing effective internal audit is focussing on data protection. Nevertheless, internal audit has usually no expert knowledge in data protection and often no experience in auditing the new role of the DPO. This situation bears the risk of conflicts between internal audit and the DPO.

This article outlines the key principles of GDPR which are most relevant for internal audit:

  • the seperation of the tasks between the controller and the DPO,

  • the independent role of the DPO,

  • the consequences of the Accountability-priciple for internal audit.

2. Seperation of tasks between controller and DPO

The GDPR draws a strict line between the tasks of the controller and the DPO. Whereas the DPO shall advice the controller it is the responsibitlity of the controller to implement GDPR. Therefore, internal audit shall not address any implementation measures to the DPO:

  • The controller – and not the DPO – is responsible to establish the records of processing activities.

  • The controller – and not the DPO – is responsible to carry out the DPIA (data processing impact assessment).

  • The controller – and not the DPO – shall notify the DPA about any data breach within 72 hours.

  • The controller – and not the DPO – shall confirm any request of a data subject whether personal data concerning him is beeing processed.

Insofar internal audit addresses any task to the DPO which lies in the competence of the controller internal audit drives the DPO into a conflict with GDPR. In such a case internal audit forces the DPO to exeed his competence and to break the law.

In addition, internal audit drives the DPO into a conflict of interest. When the DPO is forced to implement any measures he will not be able to similarly monitor the compliance of these measures with GDPR. This would be in conflict with Art. 38 (6) GDPR.

3. Independent role of DPO and T-LoD

Even if internal audit adheres to the role of the DPO it is essential that in addition, internal audit similarly respects the independence of the DPO in fulfilling his tasks. Art. 38 (3) GDPR states:

“The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks.“

It follows, that internal audit – which is seen as part of the controller – cannot give any instruction to the DPO. Therefore, internal audit cannot check the way the DPO fulfills his task. In addition, internal audit is prevented to provide any advice on how the DPO fulfills his tasks. Eventually, internal audit has no right to address any task to the DPO to be fulfilled within a certain timeframe. It is the DPO who decides on his priorities according to the risk based approach.

E.g. internal audit cannot address any instructions to the DPO according to his approach to monitor compliance of the controller with GDPR. Such an request would be in conflict with the independent position of the DPO. These aspects are providing evidence for the conclusion that the DPO is no 2LoD within the 3LoD-modell. The independent position pushes the DPO out of this modell.

4. Internal Audit and Accountability-principle

The Accountability-principle applies for the controller2 and requires the contoller to provide evidence by a sound documentation of its compliance with GDPR.3 Since internal audit is part of the controller the Accountability-principle similarly applies for internal audit. E.g. when internal audit checks whether the records of processing activities of the 1LoD are in line with GDPR internal audit has to provide arguments deriving from GDPR that any of its criteria for the audit are in line with GDPR. That shows that internal audit in its activities in data protection is itself bound by GDPR. Internal audit is not free to set criteria for measures to adressed to 1LoD. Any action required by internal audit has to be in line with GDPR and shall be documented accordingly.

5. Assessment

GDPR does not solely implement the new role of DPO within companies and institiutions. The independent position of the DPO has influence on other functions within these organisations like internal audit. Similarly the independence pushes the DPO out of the T-LoD-modell. Finanlly, GDPR provides a new framework for internal audit in terms of data protection and forces that function to provide evidence for its compliance. Therefore, all companies and institutions have to adjust their T-LoD-modell accordingly. Otherwise these organisations will manoever itselves into a severe conflict with GDPR.

1 The institute of Internal Auditors, THE THREE LINES OF DEFENSE IN EFFECTIVE RISK MANAGEMENT AND CONTROL https://www.theiia.org/3-lines-defense

2 Art. 5 (2) GDPR

3 Art. 24 (1) GDPR