Trying not to just restate the above, but....
This is an Internal Auditor, so should be easy. That person is in the bank watching the marketing go by. When I do this audit, I do exactly what was stated above, I look at the marketing materials for the last year, any contracts, and then I just have a conversation with our head of marketing and our head lender ... Are we collaborating with anyone else or providing customer lists to anyone else that I don't know about?
It's almost more clear to get together a list of those with whom we DO share .... like credit bureau companies, etc....and then hold that "sharing" up to the boxes checked on the privacy notice. The notice is either correct or not.