What privacy principles should internal auditors verify in cybersecurity programs under GDPR/CCPA?

Prepare for the Internal Auditing Standards and Practices - Cybersecurity Test. Gain confidence with multiple choice questions and clear explanations. Ace your exam!

Multiple Choice

What privacy principles should internal auditors verify in cybersecurity programs under GDPR/CCPA?

Explanation:
The key idea is that a cybersecurity program under GDPR and CCPA should be audited against the complete set of privacy protections that govern how personal data is processed, not just a subset. GDPR sets out multiple intertwined principles and obligations that shape lawful, fair, and secure data processing. A proper audit looks at lawfulness of processing and purpose limitation to ensure data is only processed for legitimate, disclosed reasons. It also examines data minimization and accuracy to confirm that only necessary data is collected and that it is kept correct, reducing the risk from excess or erroneous information. Storage limitation checks ensure data isn't retained longer than needed, while access-control checks verify that data is protected from unauthorized access and breaches.

Beyond these, the program must support the ability to honor data subject rights—such as access, correction, deletion, and objection—so individuals can exercise their privacy rights. Breach notification readiness is essential for promptly detecting and reporting incidents, which is a core security and governance requirement. DPIAs (data protection impact assessments) are a proactive tool to identify and mitigate high-risk processing before it occurs, and cross-border transfer controls ensure that transfers outside the jurisdiction meet the safeguards required to protect the data.

Choosing the broader set of controls is necessary because focusing on only one or two principles leaves gaps that could expose the organization to regulatory noncompliance and privacy risk. A comprehensive review of this kind aligns the cybersecurity program with the full spectrum of GDPR/CCPA expectations.
