Many companies tend to intermix the terms “Audit” and “Assessment”, but there is a clear difference. This will become clearer once official EU Certifications are defined for products or services.
An audit involves a “standard” such as GDPR and an explanation of how the activity should be performed. It is by nature prescriptive and defines how things should be done. The task of an auditor for Data Protection is firstly to verify that the steps taken by the organisation to implement GDPR conform to the regulation and secondly to verify that the steps defined are followed. An audit is therefore a control to check whether the organisation is doing what is outlined in the regulation. Auditors are usually an independent body.
An assessment does not involve a standard but uses a set of concepts, principles and a flexible framework. These are used to define desirable outcomes but are non-specific on how they should be achieved. The objective of an assessment is to determine why a company has chosen to do things in a certain way and what other options were considered.