A GDPR compliance audit is an essential step to ensure companies comply with the General Data Protection Regulation (GDPR). Since it came into force in May 2018, the regulation imposes strict obligations on the processing of personal data in the European Union. But how do you make sure your company is compliant? This article walks you through the steps of a GDPR compliance audit and proposes solutions to protect your customers’ and partners’ data.
What is a GDPR compliance audit?
Definition and objectives
A GDPR compliance audit evaluates and reviews the personal-data processing activities inside a company. The objective is to ensure data is collected, processed and stored in compliance with GDPR rules. It guarantees the company respects the rights of data subjects and puts in place the security measures needed to protect data against breaches.
Why a GDPR audit is essential
A GDPR audit is crucial for several reasons:
- Legal compliance: non-compliance exposes companies to financial penalties of up to 20 million euros or 4% of global annual turnover.
- Reputation protection: a data breach can have disastrous consequences on a company’s reputation, especially now that personal-data protection has become a priority for consumers.
- Internal process optimisation: an audit surfaces gaps in data-management systems and enables corrective actions to improve the security of sensitive information.

When and why to run a GDPR compliance audit
Audit frequency
A GDPR compliance audit should be run regularly, depending on company size and changes in data-processing practices. The CNIL (French data protection authority) recommends an annual audit to ensure the organisation stays aligned with regulatory developments. An audit may also be needed in specific contexts such as:
- A major change in the company’s processes (new projects, new data-processing tools, etc.).
- The arrival of new subcontractors or partners handling personal data.
- The integration of new regulations or updates to the GDPR.
Signs that it is time for an audit
Some situations may indicate it is time for a compliance audit:
- Changes in data protection legislation.
- Recurring security issues or data-breach incidents.
- A lack of visibility into the data-processing activities the company performs.
Key steps of a GDPR compliance audit
Audit preparation
Preparation is a crucial phase — it sets the foundations and ensures all needed resources are available. Key points:
Define the audit’s objective: before starting, clearly understand what you want to audit. This can be a global audit of data-management practices, or a more targeted audit, for example on sensitive-data processing.
Assemble an audit team: set up an internal team or call on a specialised external consultant. The team should include members from different functions: DPO, CISO, representatives of the IT teams and business teams handling personal data. Cross-team collaboration is key to get a full picture.
Collect documentation: gather necessary documents such as:
- Record of processing activities: describes every data-processing activity in the company and is the essential starting point of the audit.
- Privacy policy and other internal policies.
- Subcontractor agreements: must be reviewed to ensure partners also comply with GDPR.
- Data Protection Impact Assessments (DPIAs) for processing activities likely to result in high risks to individuals’ rights and freedoms.

Analyse data-processing activities
This step is the heart of the audit. Analyse in depth the data processed by the organisation and check compliance with GDPR requirements.
Identify the data collected: build a thorough inventory of every personal data item processed. This may include:
- Identification data: first name, last name, address, phone number.
- Financial data: bank details, payment information.
- Sensitive data: health information, ethnic origin, political opinions, etc.
Mapping of processing activities: document where and how this data is collected, processed, stored and shared. Each processing activity must be documented, considering:
- The purpose of the processing.
- The retention period.
- The legal bases that justify the processing (consent, contract, legal obligation, etc.).
Evaluate legal bases: each processing activity must be tied to a valid legal basis aligned with GDPR. Legal bases include:
- Explicit consent of data subjects.
- Performance of a contract to which the data subject is party.
- Compliance with a legal obligation (for example, tax obligations).
Evaluate retention periods: GDPR requires that data not be kept longer than necessary for the purpose for which it was collected. An audit must verify that retention and deletion policies are in place and actually applied.
Check data-subject rights
Data-subject rights are a central pillar of GDPR. The audit must ensure the company can respect these rights within the regulatory deadlines.
Right of access: data subjects must be able to access their data easily and obtain information on how it is processed — the purpose, the recipients and the retention period.
Right to rectification: the company must allow data subjects to correct their data if inaccurate or incomplete. The audit must verify that a simple process exists for this.
Right to erasure (right to be forgotten): allows data subjects to request deletion of their data under certain conditions (data no longer necessary, consent withdrawn, etc.). The audit verifies these requests are handled within a reasonable timeframe and that procedures are documented.
Right to data portability: data subjects must be able to retrieve their data in a structured, commonly used, machine-readable format, to transfer it to another controller. The audit must ensure this right is operational.
Right to restriction of processing: the company must allow individuals to restrict use of their data in certain cases (for example, when data accuracy is contested).
Review security measures
GDPR requires appropriate technical and organisational measures to ensure a security level fit for the risk. During the audit, verify the security controls in place to protect personal data.
Data encryption: verify that sensitive data is encrypted, both in transit over public networks and at rest.
Access controls: only authorised people must access personal data. The audit should evaluate access-management policies, including role-based access control (RBAC).
Anonymisation and pseudonymisation: in some cases, anonymising or pseudonymising data limits the risk in case of a leak or unauthorised access. The audit verifies these techniques are properly used.
Continuity plans and incident management: the audit must ensure disaster-recovery plans are in place and that data breaches are reported to the competent authorities (e.g., CNIL) within 72 hours of discovery, as required by GDPR.
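Two of the checks described above, that declared retention periods are actually applied (see the retention step of the processing analysis) and that direct identifiers are pseudonymised before storage, lend themselves to a small automated audit helper. The script below is an added example written for this article, not a tool from the original text or from any vendor it mentions: the processing register, the record layout, the field names and all sample data are constructed assumptions, and pseudonymisation is implemented with a keyed HMAC-SHA256 so that tokens stay joinable across datasets but cannot be reversed without the key.

```python
"""
Added example (not from the article): audit helper for two GDPR checks over a
constructed record-of-processing inventory.

1. Retention check: flag records kept past the retention period declared for
   their processing purpose (the "actually applied" test for deletion policies).
2. Pseudonymisation check: flag stored records whose direct identifier is in clear
   rather than a keyed-hash pseudonym.

Every name, layout and sample value here is an assumption made for this example.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed register entry per purpose: legal basis and declared retention in days.
# "marketing_profiling" deliberately lacks a legal basis so the audit has something to find.
PROCESSING_REGISTER = {
    "newsletter": {"legal_basis": "consent", "retention_days": 365},
    "order_fulfilment": {"legal_basis": "contract", "retention_days": 3650},
    "marketing_profiling": {"legal_basis": "", "retention_days": 180},
}

# The six legal bases of GDPR Article 6(1).
VALID_LEGAL_BASES = {
    "consent", "contract", "legal_obligation",
    "vital_interests", "public_task", "legitimate_interests",
}

# Constructed demo key; a real deployment keeps this in a secrets store and rotates it.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"
AUDIT_DATE = date(2024, 6, 1)


@dataclass
class Record:
    purpose: str
    collected_on: date
    subject_id: str  # direct identifier as actually stored (email or pseudonym)


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed hash: same input and key give the same token, irreversible without the key."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()


def is_pseudonymised(value: str) -> bool:
    """Heuristic used by the audit: a 64-character lowercase hex token is an HMAC-SHA256 pseudonym."""
    return len(value) == 64 and all(c in "0123456789abcdef" for c in value)


def audit_register(register: dict) -> list[str]:
    """Documentation check: every purpose needs a valid legal basis and a retention period."""
    findings = []
    for purpose, entry in register.items():
        if entry["legal_basis"] not in VALID_LEGAL_BASES:
            findings.append(f"{purpose}: no valid legal basis documented")
        if entry["retention_days"] <= 0:
            findings.append(f"{purpose}: no retention period documented")
    return findings


def audit_records(records: list[Record], register: dict, today: date) -> list[str]:
    """Data check: retention actually applied, identifiers pseudonymised, purpose registered."""
    findings = []
    for i, rec in enumerate(records):
        entry = register.get(rec.purpose)
        if entry is None:
            findings.append(f"record {i}: purpose '{rec.purpose}' is not in the processing register")
            continue
        if today - rec.collected_on > timedelta(days=entry["retention_days"]):
            findings.append(f"record {i}: kept past the {entry['retention_days']}-day retention for '{rec.purpose}'")
        if not is_pseudonymised(rec.subject_id):
            findings.append(f"record {i}: direct identifier stored in clear")
    return findings


# Constructed sample data: one compliant record and three distinct non-compliance cases.
SAMPLE_RECORDS = [
    Record("newsletter", date(2024, 1, 15), pseudonymise("alice@example.com", PSEUDONYM_KEY)),
    Record("newsletter", date(2022, 3, 1), pseudonymise("bob@example.com", PSEUDONYM_KEY)),  # past retention
    Record("order_fulfilment", date(2023, 9, 9), "carol@example.com"),  # cleartext identifier
    Record("legacy_export", date(2021, 1, 1), "dave@example.com"),  # purpose not registered
]


def run_audit() -> list[str]:
    """Combine both checks into the findings list that feeds the audit report."""
    return audit_register(PROCESSING_REGISTER) + audit_records(SAMPLE_RECORDS, PROCESSING_REGISTER, AUDIT_DATE)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

The findings list maps directly onto the report stage: each line names the purpose or record and the rule it breaks, which is what the prioritisation step needs. Choosing a keyed hash over a plain SHA-256 matters for the pseudonymisation check: an unkeyed hash of an email address can be reversed by hashing a list of candidate addresses, so it would not limit the impact of a leak as the text intends.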

Audit report and action plan
Once the audit is complete, the team drafts a detailed report presenting the findings and the actions needed to fix identified non-compliance.
Findings summary: the report must provide an overall view of the company’s compliance status, highlighting strengths and gaps.
Prioritisation of corrective actions: all non-compliance items must be ranked by impact on data security and risk to data subjects’ rights.
Action plan: a correction plan must be drafted to close the gaps. Each action should be assigned to a team or person, with clear deadlines.
Action follow-up: once the action plan is in place, regular follow-up is essential to ensure corrective measures are implemented and the company stays compliant.
Tools and solutions to run an effective GDPR audit
Manual tools and software for compliance audits
Several tools make running a GDPR audit easier:
- Specialised SaaS solutions automate compliance follow-up and simplify the management of risks tied to personal data.
- Processing-management software lets you centralise and document every piece of information related to personal data, enabling better compliance governance.
Integrate GDPR compliance into the overall cybersecurity strategy
Don’t treat GDPR in isolation — integrate it into an overall cybersecurity strategy. With a unified approach, the company complies with regulatory requirements and protects its information systems against external threats. Solutions that cover both cybersecurity and regulatory compliance provide an effective overview to steer both aspects centrally.
Common mistakes to avoid in a GDPR compliance audit
Neglecting certain types of sensitive data
Some companies underestimate the importance of certain data, such as indirect data or data contained in unstructured files (emails, Excel files, etc.). Map every piece of data processed to leave nothing out.
Not involving every stakeholder
An effective GDPR audit requires participation from every relevant team: DPO, IT managers, but also HR and business teams that handle data day-to-day.
Underestimating subcontractors
Subcontractors processing data on behalf of the company must also undergo strict checks. Review their subcontracting agreements and ensure they comply with GDPR requirements.
A GDPR compliance audit is a key step to ensure your company respects applicable data-protection rules. By following the steps detailed in this article and adopting a dedicated compliance-management solution, you can not only avoid financial penalties but also protect your company’s reputation and strengthen customer trust.

FAQ
What is the difference between an internal and an external GDPR audit?
An internal audit is performed by the company’s own teams, while an external audit is run by an external provider or a specialised consulting firm.
How long does a GDPR compliance audit take?
Duration depends on company size and the complexity of its processing activities. It can range from a few days to several weeks.
What penalties apply for GDPR non-compliance?
Penalties can reach up to 20 million euros or 4% of global annual turnover, based on the severity of the violations.
What is the DPO’s role in a GDPR compliance audit?
The DPO is the main party responsible for GDPR compliance. They coordinate the audit and ensure the company takes the necessary steps to comply with data-protection rules.
