What documents should be prepared before an audit?

ANSWER

These are primarily documents concerning personal data protection and security that are in force within the organisation, namely: the record of processing activities and the record of all categories of processing activities, guidelines on classifying breaches and the procedure for reporting personal data breaches to the supervisory authority, the procedure in the event of breaches that may give rise to a high risk to the rights and freedoms of individuals, the procedure for maintaining internal documentation constituting the personal data breach register, the general risk assessment report, the data protection impact assessment report, and any other existing data protection documentation within the organisation, if adopted.

In addition, the previous audit report should be prepared if one was conducted, along with data processing agreements concluded to date and the general template processing agreement used by the organisation, standard contract templates used with clients, suppliers, or contractors if they contain provisions on personal data processing, or templates of data protection provisions used in such contracts.

If the audit is being prepared by an external party, a description of the company's activities and an organisational chart of the individual units will also be helpful; this will facilitate the preparation of the audit schedule.