Supervisory Authority Inspection Preparation

Supervisory Authority Inspection Preparation

Overview

Supervisory authorities (Data Protection Authorities, or DPAs) exercise investigative powers under Art. 58(1) GDPR, including the power to order controllers and processors to provide any information required for the performance of their tasks (Art. 58(1)(a)), to carry out investigations in the form of data protection audits (Art. 58(1)(b)), to carry out a review on certifications (Art. 58(1)(c)), to notify the controller or processor of an alleged infringement (Art. 58(1)(d)), to obtain access to all personal data and information necessary (Art. 58(1)(e)), and to obtain access to any premises of the controller and processor, including data processing equipment (Art. 58(1)(f)).

DPA inspections may be triggered by data subject complaints, sector-wide enforcement campaigns, data breach notifications, random selection, media reports, or whistleblower reports. The consequences of inadequate inspection performance include corrective measures under Art. 58(2), administrative fines under Art. 83, and reputational damage through enforcement action publicity.

Sentinel Compliance Group maintains a standing DPA inspection readiness program that ensures the organization can respond effectively to announced and unannounced supervisory authority contact within defined timeframes.

Types of DPA Contact

Inspection Types

Type	Description	Notice Period	GDPR Basis
Written Inquiry	DPA sends written questions requiring documented responses	14-30 days typically	Art. 58(1)(a)
Announced Audit	Formal data protection audit with advance notice	2-8 weeks	Art. 58(1)(b)
Unannounced Inspection	On-site visit without prior notice	None	Art. 58(1)(f)
Complaint Investigation	Investigation triggered by data subject complaint	Variable; often begins with written inquiry	Art. 57(1)(f), 77
Breach Investigation	Investigation following a breach notification under Art. 33	Days to weeks following notification	Art. 58(1)(a), (e)
Sector Sweep	Coordinated investigation across multiple organizations in a sector	Varies by DPA	Art. 57(1)(a), 58(1)(b)
Prior Consultation Follow-Up	DPA follow-up on an Art. 36 prior consultation	Variable	Art. 36(2)

Common DPA Investigation Triggers

Trigger	Likelihood	DPA Approach
Data subject complaint	High	Written inquiry focused on specific processing; may escalate to audit
Breach notification (Art. 33)	High	Written questions; on-site audit if breach is significant
Media coverage	Medium	Preliminary inquiry; may escalate based on findings
Sector-wide campaign	Medium	Standardized questionnaire sent to multiple organizations simultaneously
Whistleblower report	Medium	Targeted investigation, possibly unannounced
Random selection	Low-Medium	Full compliance audit; common in some DPAs (e.g., CNIL, AEPD)
Prior consultation obligation	Low	Follow-up on DPIA consultation outcomes

Document Readiness Checklist

Core Documents (Must Be Immediately Available)

#	Document	GDPR Reference	Location	Owner	Last Updated
1	Records of Processing Activities (Controller)	Art. 30(1)	OneTrust RoPA module	DPO	Quarterly
2	Records of Processing Activities (Processor)	Art. 30(2)	OneTrust RoPA module	DPO	Quarterly
3	Privacy Policy (all versions, change history)	Art. 13-14	Legal document repository	Legal	Per change
4	Data Protection Impact Assessments (all)	Art. 35	DPIA register	DPO	Per assessment
5	Data Processing Agreements (all processors)	Art. 28	Contract management system	Legal/Procurement	Per agreement
6	Legitimate Interest Assessments (all)	Art. 6(1)(f)	LIA register	Legal	Per assessment
7	International Transfer Mechanisms (SCCs, BCRs, TIAs)	Art. 44-49	Transfer register	Legal	Per transfer
8	Breach Notification Records (all incidents)	Art. 33-34	Incident management system	CISO/DPO	Per incident
9	DSAR Records (all requests and responses)	Art. 12-22	DSAR management system	Privacy Ops	Per request
10	Consent Records (collection, withdrawal, preferences)	Art. 7	CMP database	Privacy Ops	Continuous
11	DPO Appointment Documentation	Art. 37-39	HR/Legal	Legal	Annual review
12	Privacy Training Records (all employees)	Art. 39(1)(b)	LMS	HR/Privacy	Per completion
13	Data Protection Policy and Procedures Manual	Art. 24(2)	Policy repository	DPO	Annual
14	Information Security Policy	Art. 32	Policy repository	CISO	Annual
15	Vendor Risk Assessment Records	Art. 28(1)	Vendor management platform	Procurement	Per assessment

Supporting Documents (Available Within 24 Hours)

#	Document	GDPR Reference	Owner
16	Data flow diagrams and system architecture	Art. 30, 35(7)(a)	IT Architecture
17	Data classification inventory	Art. 5(1)(c), (e)	Data Governance
18	Retention schedule with legal basis for each period	Art. 5(1)(e)	Records Management
19	Privacy committee meeting minutes (last 24 months)	Art. 24(1)	DPO
20	Internal audit reports (privacy-related)	Art. 24(1)	Internal Audit
21	Privacy risk register	Art. 24(1), 32(1)	DPO
22	Employee privacy policy (workplace monitoring, BYOD)	Art. 13-14	HR/Legal
23	Cookie audit results and CMP configuration	ePrivacy Directive Art. 5(3)	Marketing/IT
24	Sub-processor lists (per processor)	Art. 28(2)	Procurement
25	Privacy by design documentation for recent projects	Art. 25	IT/Engineering
26	Supervisory authority correspondence history	Art. 31	DPO
27	Certification and code of conduct documentation	Art. 42, 40	DPO
28	Cross-border enforcement cooperation records	Art. 60-66	Legal
29	EU representative appointment (if applicable)	Art. 27	Legal
30	Binding Corporate Rules (if applicable)	Art. 47	Legal

Document Readiness Scoring

Readiness Level	Criteria	Score
Green (Ready)	Document exists, is current (reviewed within policy cycle), easily retrievable, and in presentable format	3
Yellow (Partially Ready)	Document exists but is overdue for review, incomplete, or requires compilation from multiple sources	2
Red (Not Ready)	Document does not exist, is significantly outdated, or cannot be located	1
N/A	Document is not applicable to the organization	—

Readiness Score: Sum of all applicable document scores / (3 × number of applicable documents) × 100

Target: >90% Green readiness at all times

Interview Preparation

Key Personnel Interview Readiness

DPAs typically interview the following roles during inspections:

DPO / CPO Interview Preparation

Topics to be prepared for:

Topic	Key Points to Communicate	Evidence to Have Ready
DPO Role and Independence	DPO reports to highest management level; no instructions regarding exercise of tasks; not dismissed for performing tasks; provided adequate resources	DPO appointment letter, organizational chart, budget records, board reporting schedule
Privacy Program Overview	Structured program with governance, policies, training, monitoring, and continuous improvement	Privacy program charter, annual plan, maturity assessment
Risk Management	Systematic risk identification, DPIA program, risk register, residual risk management	DPIA register, risk assessment methodology, risk register extract
Regulatory Compliance	Multi-jurisdictional compliance framework, regulatory change management, gap analysis	Compliance matrix, regulatory tracker, gap remediation status
Data Subject Rights	Established DSAR procedures with SLA tracking, quality review, and escalation	DSAR metrics, sample responses (redacted), process documentation
International Transfers	Transfer mapping, appropriate safeguards, TIA methodology	Transfer register, TIAs, SCC execution records

DPO Interview Principles:

1. Answer questions factually and precisely; do not volunteer information beyond what is asked
2. If uncertain about a specific detail, state that you will verify and provide a documented response
3. Refer to documented policies and procedures rather than describing informal practices
4. Demonstrate accountability: acknowledge gaps honestly and describe remediation plans
5. Keep a contemporaneous record of all questions asked and answers provided

IT/CISO Interview Preparation

Topics to be prepared for:

Topic	Key Points	Evidence
Security Measures (Art. 32)	Encryption (at rest, in transit), access controls, logging, patch management, vulnerability management	Security architecture diagram, encryption configuration, RBAC matrix, pen test results
Breach Detection and Response	SIEM configuration, detection rules, incident response plan, notification procedures	SIEM dashboard, incident response plan, tabletop exercise records
Data Deletion and Retention	Technical enforcement of retention periods, secure deletion methods, backup deletion	Deletion job logs, NIST SP 800-88 compliance, retention automation configuration
Access Management	Identity and access management, privileged access controls, access reviews, deprovisioning	IAM configuration, access review records, deprovisioning SOP
Pseudonymisation and Anonymisation	Techniques used, reversibility assessments, key management	Technical documentation, anonymisation risk assessments

Business Process Owner Interview Preparation

Topics to be prepared for:

Topic	Key Points	Evidence
Processing Purpose and Lawful Basis	Clearly articulate why data is collected and processed; identify lawful basis	RoPA entry, LIA (if legitimate interest), consent records (if consent)
Data Minimisation	Explain why each data element is necessary	Data element justification per purpose
Data Subject Information	How data subjects are informed about the processing	Privacy notice, layered notices, just-in-time notifications
Retention	How long data is kept and why	Retention schedule, legal basis for retention periods
Third-Party Sharing	Who receives the data and why	Recipient list, DPAs, data flow diagrams

Interview Conduct Protocol

Before the Interview:

1. Legal counsel confirms scope of the investigation and the DPA's legal authority
2. Identify interviewees and brief them on the topics likely to be covered
3. Prepare evidence binders or digital folders organized by topic
4. Designate a note-taker to create contemporaneous records
5. Brief interviewees on the interview principles (factual, precise, no volunteering)

During the Interview:

1. Introduce participants with names and roles
2. Confirm the DPA's scope and legal basis for the inspection
3. Request that questions be provided in writing where possible
4. Ask for clarification if questions are ambiguous
5. Note-taker records all questions and answers verbatim
6. Do not provide original documents; provide copies or controlled access
7. If a question requires research, commit to a specific response deadline (typically 5-10 business days)
8. Do not speculate or hypothesize; stick to documented facts

After the Interview:

1. Debrief internally within 24 hours
2. Finalize and distribute interview notes
3. Identify follow-up commitments and assign owners
4. Begin preparing any committed responses or documents
5. Update the DPA correspondence log

Technical Demonstration Procedures

Common Technical Demonstrations Requested by DPAs

Demonstration	What the DPA Wants to See	Preparation Steps
DSAR Fulfillment	End-to-end DSAR processing from intake to response	Prepare test DSAR in staging environment; walk through each step; show identity verification, data retrieval from all systems, response review, and delivery
Consent Management	Consent collection, storage, withdrawal processing	Show CMP configuration; demonstrate consent capture; show consent database records; demonstrate withdrawal processing and downstream enforcement
Data Deletion	Technical deletion process upon retention expiry or erasure request	Show deletion job configuration; demonstrate deletion execution in staging; show verification that data is unrecoverable; address backup deletion
Access Controls	RBAC configuration for personal data access	Show IAM system; demonstrate role assignments; show access review process; demonstrate that unauthorized users cannot access PII
Encryption	Encryption at rest and in transit for personal data	Show database encryption configuration; demonstrate TLS certificate deployment; show key management procedures
Breach Detection	How breaches are detected and assessed	Show SIEM rules; demonstrate alert workflow; walk through a simulated breach scenario
Logging and Audit Trail	Access logging for personal data	Show log configuration; demonstrate log review process; show log retention and integrity controls

Demonstration Environment Preparation

1. Staging Environment: Maintain a staging environment with anonymized data that mirrors production for demonstrations
2. Test Accounts: Pre-configure test accounts with appropriate roles for demonstration
3. Walk-Through Scripts: Prepare step-by-step demonstration scripts for each system
4. Screen Recording: Be prepared to provide screen recordings if the DPA requests
5. Technical Support: Ensure system administrators and developers are available during demonstrations

Response Protocols

Unannounced Inspection Protocol

DPA Arrives On-Site
  ↓
Reception notifies DPO/Legal (immediate phone call)
  ↓
DPO/Legal arrives at reception within 15 minutes
  ↓
Verify inspector credentials (official ID, authorization letter)
  ↓
Confirm scope of inspection (which processing activities, which legal basis)
  ↓
Escort inspectors at all times (never leave unaccompanied)
  ↓
Provide requested documents (copies, not originals)
  ↓
Designate meeting room for interviews
  ↓
Note-taker present at all interactions
  ↓
Do not obstruct (Art. 83(5)(e): failure to cooperate is fineable)
  ↓
At conclusion: obtain list of follow-up requests and deadlines
  ↓
Internal debrief within 2 hours of departure

Written Inquiry Response Protocol

Written Inquiry Received (email, letter, secure portal)
  ↓
DPO acknowledges receipt within 2 business days
  ↓
Legal reviews the inquiry for scope and legal basis
  ↓
DPO assigns response owner(s) for each question
  ↓
Response drafting (owner gathers evidence, drafts responses)
  ↓
DPO reviews draft responses for accuracy and completeness
  ↓
Legal reviews for legal privilege, scope compliance, and strategic considerations
  ↓
Senior management approves (if required by response materiality)
  ↓
Response submitted via the DPA's specified channel
  ↓
Response logged in DPA correspondence register
  ↓
Deadline: per DPA instruction (typically 14-30 days; request extension if needed)

Escalation Matrix

Situation	Escalation Level	Action
Routine written inquiry	DPO + responsible business unit	Standard response process
Announced audit	DPO + Legal + CISO + CPO	Formal preparation, legal strategy session
Unannounced inspection	DPO + Legal + CPO + CEO notification	Immediate response protocol
Complaint investigation (material)	DPO + Legal + business unit head	Targeted response, root cause analysis
Breach investigation	DPO + Legal + CISO + CPO + CEO	Full incident response team activation
Formal enforcement proceedings	DPO + Legal + external counsel + CPO + CEO + Board notification	Legal defense strategy, external counsel engagement

Post-Inspection Follow-Up

Immediate Follow-Up (Within 1 Week)

1. Complete and distribute comprehensive inspection notes
2. Create an action register of all commitments and deadlines
3. Assign owners for each follow-up item
4. Begin preparing committed documents and responses
5. Identify potential findings based on DPA questions and areas of focus
6. Engage external counsel if enforcement action is likely

Response to DPA Findings

When the DPA issues findings or recommendations:

DPA Action	Required Response	Timeline
Informal recommendation	Voluntary implementation; document decision	30-60 days
Formal warning (Art. 58(2)(a))	Acknowledge; implement corrective measures; report back	Per DPA instruction
Order to comply (Art. 58(2)(c)-(j))	Implement required changes; report compliance	Per DPA instruction (typically 30-90 days)
Administrative fine (Art. 83)	Pay fine OR appeal; implement corrective measures regardless	Payment per DPA instruction; appeal within national deadline
Processing ban (Art. 58(2)(f))	Immediately cease processing; implement required measures; request lifting of ban	Immediate; restoration upon compliance demonstration

Lessons Learned Process

After every DPA interaction:

1. Document the complete interaction timeline
2. Assess the effectiveness of the readiness program
3. Identify documentation or process gaps exposed by the inspection
4. Update document readiness checklists based on DPA requests
5. Update interview preparation materials based on questions asked
6. Conduct refresher training for key personnel
7. Update the inspection readiness program
8. Share anonymized lessons learned with the privacy team

Sentinel Compliance Group DPA Inspection Readiness

• Document Readiness Score: 94% Green (28 of 30 documents Green; 2 Yellow: sub-processor lists for two vendors pending update)
• Interview Readiness: DPO, CISO, and 5 business process owners complete annual interview preparation refresher; last refresher December 2024
• Technical Demonstration: Staging environment maintained with weekly sync from production (anonymized); demonstration scripts current for all 7 common scenarios
• Response Protocol Testing: Annual tabletop exercise simulating unannounced inspection; last exercise November 2024; 3 improvement items identified and remediated
• DPA Interaction History: 4 interactions in 2024 (2 complaint investigations, 1 sector sweep questionnaire, 1 breach follow-up inquiry); all resolved satisfactorily with no formal enforcement action
• Response Time Performance: Average time from DPA inquiry to submitted response: 11 business days (target: within DPA-specified deadline, typically 14-30 days)
• Unannounced Inspection Readiness: Reception staff trained on initial response protocol; DPO reachable within 15 minutes during business hours; after-hours DPO on-call rotation established