The General Data Protection Regulation imposed many legal requirements on businesses, and navigating your GDPR compliance journey can be quite overwhelming. Our GDPR Audit Checklist simplifies this process, offering a step-by-step guide for assessing your own internal data processes and meeting GDPR obligations. Let’s get started!
Short on time? Jump to ⬇️
A GDPR data audit refers to a comprehensive evaluation of an organization’s data protection practices. The goal of this audit is to ensure compliance with the General Data Protection Regulation, introduced in 2018 to safeguard EU citizens’ data privacy rights.
A GDPR data audit looks at an organization’s data handling processes, including collection, storage, transfer, and deletion. It should also examine whether the processing is really needed, and whether it is lawful. In fact, the organization must adhere to the 7 GDPR principles such as lawfulness, purpose limitation and data minimization.
During a GDPR audit, you will assess your organization’s data procedures, including your ability to satisfy the rights of data subjects, to handle a data breach or to have appropriate security measures in place for protecting the data. You might find some things to improve in order to be fully compliant!
Finally, a GDPR audit also reviews an organization’s accountability and governance structures, looking at designating a Data Protection Officer (DPO) or how data protection impact assessments (DPIAs) are conducted.
💡 The objective of a GDPR audit is to help an organization identify gaps or risks in their data practices, define action plans to fix those, and demonstrate compliance to regulators, thereby reducing the risk of hefty fines and reputational damage resulting from non-compliance.
Internal data audits are not explicitly mandated by the GDPR. However, they are strongly recommended and a good practice that many companies undertake because the regulation places such a strong emphasis on taking responsibility for what you do (accountability).
That’s why audits are an essential measure to implement in an organization in order to ensure compliance with the GDPR’s principles and obligations. They help you take a look at your current practices and procedures, to see if they are in line with the requirements of the GDPR.
Performing a GDPR data audit involves a systematic review of an organization’s data processing activities. Begin by identifying and documenting all data processes, including the types of personal data collected, purposes and legal justifications, and third-party sharing. Assess the legal basis for each processing activity and ensure data minimization by collecting only necessary data. Evaluate the integrity and security measures in place to protect personal data from unauthorized access or alteration.
From an organizational standpoint, consider the appointment of a Data Protection Officer (DPO) and involve them in the audit process. Review privacy policies and notices to ensure they are up-to-date and compliant with latest requirements. Also assess procedures for handling data subject rights, security measures and maintain comprehensive records of data processing activities, as well as of consents obtained.
You can also consider implementing training programs to educate employees about data protection obligations. Keep monitoring and improving processes to adapt to changing technology and regulations.
It’s free & only takes a few seconds
An audit can seem like a daunting task to tackle. That’s why we found it useful to break it down to different focus areas that you should take a look at within your organization during a data audit. Let’s get started!
If as an organization you process personal data, the GDPR (Article 6) requires you to have a legitimate reason to do so (called legal basis).
When performing your GDPR audit, make sure to have valid reasons for processing all the data you collect. This ties into another important GDPR principle called data minimization, which is worth mentioning here.
This concept states that you should only gather personal information that is directly relevant and essential to achieving a particular objective. You should also only keep the data for as long as is required to fulfill that objective.
💡 Legal bases chosen by businesses MUST legitimately apply. If they do not, harsher penalties could be given.
The GPDR requires you to be transparent on your data collection practices and duly inform your users. This is typically done via a privacy policy.
This legal document should state the ways in which your website or app collects, processes, stores, shares and protects user data, the purposes for doing so and the rights of the users in that regard.
It should be easily understandable, clear, and up-to-date.
To see what a privacy policy should look like, check out our privacy policy template.
These rights, typically referred to in the GDPR as “data subject rights” are a core part of GDPR compliance. Making sure you understand what each means, and that you have the technical and procedural capacity to fulfil them is critical.
In an effort to ensure individuals have control over their own data, the regulation allows individuals to take some steps toward the personal data businesses have on them.
It has granted them a list of 8 data subject rights:
Of course, just knowing the 8 rights is not enough. You need to have processes in place to actually follow through on them. For example, you need to be able to fulfill Data Subject Access Requests (DSAR), which is a written request individuals can send you to receive more information or exercise their rights. The request should be fulfilled without undue delay and, at the latest, within one month of receiving it.
Because consent under the GDPR is such an important issue, it’s mandatory that you keep clear records and that you’re able to demonstrate that the user has given consent; should problems arise, the burden of proof lies with the data controller, so keeping accurate records is vital.
The records should include:
Keep track of opt-in or opt-out requests. An example of opt-out is anytime a user removes their consent from a data collection activity, such as a marketing newsletter. In this case, the individual unsubscribes, and you must honor their request and not contact them again.
👉 We recommend using a Consent Management Platform for easily keeping records.
The Data Protection Officer (DPO) is an expert in data protection law. Their role is to help the data controller or processor set up, apply and monitor a data protection strategy in line with GDPR legal requirements.
The DPO should also have knowledge of IT process management, data security, and other important matters related to handling personal and sensitive data.
The GDPR requires designation of a DPO in the following cases:
The decision to appoint a DPO depends not only on the number of employees but also on the nature of the data processing activities. If your organization does not fall into these categories, appointing a DPO is not mandatory.
💡 Want to know what to look for when choosing your DPO? Read our guide here!
You have to appoint an EU-representative established in one of the EU countries your users are based in if you are based outside of the EU and:
The EU-representative can be a natural or legal person.
The EU-representative handles all inquiries, requests, or claims from individuals or supervisory authorities against the controller. They forward any such inquiry, along with related information, to the controller.
They also assist the controller with GDPR compliance, including reporting data breaches and cooperating with supervisory authorities. However, the controller, not the representative, is ultimately responsible for data processing activities. The EU-representative also has their own obligations, such as maintaining records of processing activities.
💡 The GDPR requires you to appoint the EU-representative “in writing”. Check out our standard appointment agreement template.
Under the GDPR, a processor is defined as any person or legal entity involved in processing personal data on behalf of the controller.
What is a Data Processing Agreement then, and when is it needed? This document certifies your processor agrees to handling the data on your behalf in a lawful way, in line with your requirements and GDPR’s requirements.
The agreement must be put in writing – including in electronic form (GDPR Article 28). It defines roles and responsibilities regarding data processing. Processors must follow controllers’ instructions, implement security measures, and cooperate on inquiries and actions.
However, big companies that are well-known processors like Mailchimp, often already have a Data Processing Agreement linked to their Terms. When you sign up for their services, you then agree to these Terms. Here is Mailchimp’s Data Processing Addendum.
💡 In short, if you have processors that handle data on your behalf, you should have this agreement in place.
The GDPR introduces joint liability (Article 82) for controllers and processors regarding third parties. If data subjects believe their data was unlawfully processed, they can seek compensation from either party, who can then seek recourse from the other.
🚨 Consider cross-border data transfers
Data transfers of EU residents outside the European Economic Area (EEA) are allowed only when the “destination” country meets certain requirements in accordance with the GDPR.
The nation or area to which the data is being transferred must have an “adequate” level of personal data protection by EU standards.
The United States for instance, does not at the moment have an adequate data protection level. The EU and the US government are currently in talks to have a framework in place. Follow the progression on this on our guide.
When transferring data to countries that don’t meet these requirements (“third-countries”), you need to use standard contractual clauses (SCCs).
You can read all about the 7 GDPR principles here.
In short, you should:
The GDPR requires companies to implement “appropriate technical and organizational measures” for data security.
Some technical measures include encryption, firewalls, access controls (especially when you have multiple employees handling personal data). You should also have strong security systems and educate staff on data protection.
Also make sure to have a pre-defined process in place to notify authorities in case of data breaches or sensitive data exposures.
Under Article 35 of the GDPR, a Data Protection Impact Assessment or DPIA is requiredwhen your data processing activities could pose a high risk to the rights and freedoms of users, for example when it comes to large-scale of sensitive data.
It’s a process for analyzing and minimizing the risks associated with personal data processing.
💡 The DPIA process should be recorded in writing. Take a look at our DPIA template here.
Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.
