Iubenda logo
Start generating


Table of Contents

GDPR Audit Checklist

The General Data Protection Regulation imposed many legal requirements on businesses, and navigating your GDPR compliance journey can be quite overwhelming. Our GDPR Audit Checklist simplifies this process, offering a step-by-step guide for assessing your own internal data processes and meeting GDPR obligations. Let’s get started!

What is a GDPR audit?

A GDPR data audit refers to a comprehensive evaluation of an organization’s data protection practices. The goal of this audit is to ensure compliance with the General Data Protection Regulation, introduced in 2018 to safeguard EU citizens’ data privacy rights.
A GDPR data audit looks at an organization’s data handling processes, including collection, storage, transfer, and deletion. It should also examine whether the processing is really needed, and whether it is lawful. In fact, the organization must adhere to the 7 GDPR principles such as lawfulness, purpose limitation and data minimization.
During a GDPR audit, you will assess your organization’s data procedures, including your ability to satisfy the rights of data subjects, to handle a data breach or to have appropriate security measures in place for protecting the data. You might find some things to improve in order to be fully compliant!
Finally, a GDPR audit also reviews an organization’s accountability and governance structures, looking at designating a Data Protection Officer (DPO) or how data protection impact assessments (DPIAs) are conducted.

💡 The objective of a GDPR audit is to help an organization identify gaps or risks in their data practices, define action plans to fix those, and demonstrate compliance to regulators, thereby reducing the risk of hefty fines and reputational damage resulting from non-compliance.

gdpr audit

Are audits required by GDPR?

Internal data audits are not explicitly mandated by the GDPR. However, they are strongly recommended and a good practice that many companies undertake because the regulation places such a strong emphasis on taking responsibility for what you do (accountability).

That’s why audits are an essential measure to implement in an organization in order to ensure compliance with the GDPR’s principles and obligations. They help you take a look at your current practices and procedures, to see if they are in line with the requirements of the GDPR.

How to do a GDPR data audit?

Performing a GDPR data audit involves a systematic review of an organization’s data processing activities. Begin by identifying and documenting all data processes, including the types of personal data collected, purposes and legal justifications, and third-party sharing. Assess the legal basis for each processing activity and ensure data minimization by collecting only necessary data. Evaluate the integrity and security measures in place to protect personal data from unauthorized access or alteration.
From an organizational standpoint, consider the appointment of a Data Protection Officer (DPO) and involve them in the audit process. Review privacy policies and notices to ensure they are up-to-date and compliant with latest requirements. Also assess procedures for handling data subject rights, security measures and maintain comprehensive records of data processing activities, as well as of consents obtained.
You can also consider implementing training programs to educate employees about data protection obligations. Keep monitoring and improving processes to adapt to changing technology and regulations.

Looking for a quick way to check your website’s GDPR compliance rating?
Scan your site to get your personal compliance report!

Scan your website now

It’s free & only takes a few seconds

Your GDPR Audit Checklist

An audit can seem like a daunting task to tackle. That’s why we found it useful to break it down to different focus areas that you should take a look at within your organization during a data audit. Let’s get started!

#1 Lawful Basis and Transparency

✅ Make sure to have a legal basis for processing data.

If as an organization you process personal data, the GDPR (Article 6) requires you to have a legitimate reason to do so (called legal basis).

When performing your GDPR audit, make sure to have valid reasons for processing all the data you collect. This ties into another important GDPR principle called data minimization, which is worth mentioning here.

This concept states that you should only gather personal information that is directly relevant and essential to achieving a particular objective. You should also only keep the data for as long as is required to fulfill that objective.

  • The user has given consent for one or more specific purposes (often the safest bet and the legal basis that many businesses choose).
  • The data processing is necessary for the performance of a contract or in order to take steps prior to entering the contract.
  • The processing is necessary for fulfilling a legal obligation to which the data controller is subject.
  • The processing is necessary for protecting the vital interests of the user or of another person.
  • The processing is necessary for performing a task carried out in the interest of the public or as contained under the official authority given to the data controller.
  • The processing is necessary for the legitimate interests of the data controller or third party, except where overridden by the interests, rights and freedoms of the user, in particular where the user is a child.

💡 Legal bases chosen by businesses MUST legitimately apply. If they do not, harsher penalties could be given.

✅ Meet disclosure and transparency requirements with a privacy policy.

The GPDR requires you to be transparent on your data collection practices and duly inform your users. This is typically done via a privacy policy.

This legal document should state the ways in which your website or app collects, processes, stores, shares and protects user data, the purposes for doing so and the rights of the users in that regard.

It should be easily understandable, clear, and up-to-date.

To see what a privacy policy should look like, check out our privacy policy template.

👋 Don’t have a proper privacy policy?

Generate one now 🚀

#2 User Rights

✅ Do you know the GDPR User Rights? Ensure systems are in place to honor Data Subject Rights.

These rights, typically referred to in the GDPR as “data subject rights” are a core part of GDPR compliance. Making sure you understand what each means, and that you have the technical and procedural capacity to fulfil them is critical.

In an effort to ensure individuals have control over their own data, the regulation allows individuals to take some steps toward the personal data businesses have on them.

It has granted them a list of 8 data subject rights:

  • right to be informed,
  • right of access,
  • right to rectification,
  • right to erasure,
  • right to restrict processing,
  • right to data portability,
  • right to object,
  • rights related to automated decision-making and profiling.

Of course, just knowing the 8 rights is not enough. You need to have processes in place to actually follow through on them. For example, you need to be able to fulfill Data Subject Access Requests (DSAR), which is a written request individuals can send you to receive more information or exercise their rights. The request should be fulfilled without undue delay and, at the latest, within one month of receiving it.

✅ Relying on Consent? Keep GDPR-compliant consent records.

Because consent under the GDPR is such an important issue, it’s mandatory that you keep clear records and that you’re able to demonstrate that the user has given consent; should problems arise, the burden of proof lies with the data controller, so keeping accurate records is vital.

The records should include:

  • who provided the consent;
  • when and how consent was acquired from the individual user;
  • the consent collection form they were presented with at the time of the collection;
  • which conditions and legal documents were applicable at the time that the consent was acquired.

Keep track of opt-in or opt-out requests. An example of opt-out is anytime a user removes their consent from a data collection activity, such as a marketing newsletter. In this case, the individual unsubscribes, and you must honor their request and not contact them again.

👉 We recommend using a Consent Management Platform for easily keeping records.

#3 Accountability and Governance

✅ Consider appointing a Data Protection Officer (DPO).

The Data Protection Officer (DPO) is an expert in data protection law. Their role is to help the data controller or processor set up, apply and monitor a data protection strategy in line with GDPR legal requirements.

The DPO should also have knowledge of IT process management, data security, and other important matters related to handling personal and sensitive data.

The GDPR requires designation of a DPO in the following cases:

  • Where there is large-scale regular and systematic monitoring of users;
  • Where the processing is carried out by a public authority (except for courts or independent judicial authorities);
  • Where the organization is performing complex operations with user data (in particular sensitive user data).

The decision to appoint a DPO depends not only on the number of employees but also on the nature of the data processing activities. If your organization does not fall into these categories, appointing a DPO is not mandatory.

💡 Want to know what to look for when choosing your DPO? Read our guide here!

✅ If based outside the EU, appoint an EU-representative.

You have to appoint an EU-representative established in one of the EU countries your users are based in if you are based outside of the EU and:

  • are offering goods or services (even for free) to EU-based users; or
  • are monitoring their behaviour as far as it’s taking place within the EU.

The EU-representative can be a natural or legal person.

The EU-representative handles all inquiries, requests, or claims from individuals or supervisory authorities against the controller. They forward any such inquiry, along with related information, to the controller.

They also assist the controller with GDPR compliance, including reporting data breaches and cooperating with supervisory authorities. However, the controller, not the representative, is ultimately responsible for data processing activities. The EU-representative also has their own obligations, such as maintaining records of processing activities.

💡 The GDPR requires you to appoint the EU-representative “in writing”. Check out our standard appointment agreement template.

✅ Set up Data Processing Agreements with your Processors.

Under the GDPR, a processor is defined as any person or legal entity involved in processing personal data on behalf of the controller.

What is a Data Processing Agreement then, and when is it needed? This document certifies your processor agrees to handling the data on your behalf in a lawful way, in line with your requirements and GDPR’s requirements.

The agreement must be put in writing – including in electronic form (GDPR Article 28). It defines roles and responsibilities regarding data processing. Processors must follow controllers’ instructions, implement security measures, and cooperate on inquiries and actions.

However, big companies that are well-known processors like Mailchimp, often already have a Data Processing Agreement linked to their Terms. When you sign up for their services, you then agree to these Terms. Here is Mailchimp’s Data Processing Addendum.

💡 In short, if you have processors that handle data on your behalf, you should have this agreement in place.

The GDPR introduces joint liability (Article 82) for controllers and processors regarding third parties. If data subjects believe their data was unlawfully processed, they can seek compensation from either party, who can then seek recourse from the other.

🚨 Consider cross-border data transfers

Data transfers of EU residents outside the European Economic Area (EEA) are allowed only when the “destination” country meets certain requirements in accordance with the GDPR.

The nation or area to which the data is being transferred must have an “adequate” level of personal data protection by EU standards.

The United States for instance, does not at the moment have an adequate data protection level. The EU and the US government are currently in talks to have a framework in place. Follow the progression on this on our guide.

When transferring data to countries that don’t meet these requirements (“third-countries”), you need to use standard contractual clauses (SCCs).

#4 Data Security

✅ Follow GDPR Security Principles.

You can read all about the 7 GDPR principles here.

In short, you should:

  • be responsible for the data you collect;
  • collect the minimum data possible (only what is necessary for the purpose) and delete the one you no longer need;
  • store data for the shortest time needed to meet your purposes.

✅ Be clear on your internal security protocols.

The GDPR requires companies to implement “appropriate technical and organizational measures” for data security.

Some technical measures include encryption, firewalls, access controls (especially when you have multiple employees handling personal data). You should also have strong security systems and educate staff on data protection.

Also make sure to have a pre-defined process in place to notify authorities in case of data breaches or sensitive data exposures.

✅ Perform a Data Protection Impact Assessment.

Under Article 35 of the GDPR, a Data Protection Impact Assessment or DPIA is requiredwhen your data processing activities could pose a high risk to the rights and freedoms of users, for example when it comes to large-scale of sensitive data.

It’s a process for analyzing and minimizing the risks associated with personal data processing.

  • Full descriptions of the data processed;
  • The purpose of the processing activity;
  • An evaluation of the scope and necessity of the processing activity in relation to the purpose;
  • An assessment of the risk posed to users;
  • Measures in place to address that risk.

💡 The DPIA process should be recorded in writing. Take a look at our DPIA template here.

Start your GDPR Website Audit in minutes

Scan your website now

It’s free!

About us


Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.