IDW Auditing Guideline on Data Protection-Specific Audits (IDW PH 9.860.1)


  • Since the introduction of the European General Data Protection Regulation (GDPR), companies have been subject to strict accountability requirements: they must be able to demonstrate that they comply with the data protection principles of the GDPR.
  • By establishing and maintaining a functioning data protection management system (DSMS), companies can systematically plan, manage and control the legal and operational requirements of data protection.
  • To enable companies to demonstrate the adequacy and effectiveness of their data protection management system to supervisory authorities and customers, the Institute of Public Auditors in Germany (Institut der Wirtschaftsprüfer, IDW) has issued IDW PH 9.860.1, a new auditing note on the audit of a company's data protection organisation.

Achieve GDPR compliance for your company through an effective DSMS

Companies are required to adapt their data protection procedures and measures in order to fully comply with the requirements of data protection law. In addition, companies must be able to demonstrate compliance with the data protection principles set out in Art. 5 (1) GDPR (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality). Implementing a data protection management system is therefore essential to meet the legal requirements. Companies of all sizes and industries face significant sanctions if they violate the data protection rules.

Check the adequacy and effectiveness of your DSMS

There is therefore an increased need for these technical and organisational procedures and measures to be audited by an auditor. The IDW Auditing Note “Audit of the principles, procedures and measures according to the EU General Data Protection Regulation and the Federal Data Protection Act (IDW PH 9.860.1)” specifies how the principles of IDW PS 860 apply to data protection-specific audits and is intended to support the profession in carrying them out. The aim is a uniform approach across the profession when performing such audits. IDW PH 9.860.1 contains a catalogue of standard examples of suitable principles, procedures and measures for ensuring and auditing data protection compliance, in particular in the context of adequacy and effectiveness audits. The subject of an audit under IDW PH 9.860.1 is the set of criteria derived from the company’s data protection objectives, which in turn follow from its business model: the data protection culture, the structural and procedural organisation, the framework including risk analyses, training and awareness measures, and the measures for monitoring and improving the system.

Benefits for your company

  • You receive an overview of the adequacy and effectiveness of your DSMS as well as the current implementation status of the data privacy requirements in your company.
  • Needs for action are identified at an early stage and can be addressed in a competent manner.
  • The audit report – with a certificate from the auditor if desired – provides you with valid proof of your company’s compliance with the GDPR. This not only protects you from the supervisory authorities, but also creates trust among your customers and stakeholders and can help you gain a competitive advantage.

We would be happy to discuss your current situation and goals and provide you with a customised audit offer. Please contact us!