GDPR Compliance Audit
What is a GDPR compliance audit?
A GDPR compliance audit is a structured review of an organisation's personal data processing against the requirements of the Regulation. Its purpose is to help organisations confirm that they are meeting their obligations under the GDPR and to identify the areas where they need to make improvements.
How often should a GDPR compliance audit be conducted?
GDPR compliance audit checklist
Under the Regulation, personal data must be processed according to six principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
These are underpinned by the principle of accountability (Article 5(2)). If you are a data controller, you must keep certain records to demonstrate your compliance; processors must also keep records of the processing they carry out on a controller's behalf (Article 30(2)).
An audit should consider the extent to which data protection accountability, responsibility, policies and procedures, performance measurement controls and reporting mechanisms are in place and operating throughout your organisation.
Organisations must take a risk-based approach to implementing “appropriate technical and organisational measures”, which includes conducting DPIAs (data protection impact assessments) in certain circumstances, in particular where processing is likely to result in a high risk to individuals. A DPIA is a type of risk assessment that identifies and evaluates the risks a processing activity poses to the rights and freedoms of natural persons, including, but not limited to, the security of their personal data, and the measures envisaged to address those risks.
A GDPR audit should examine:
- Whether privacy risk is included in your corporate risk register;
- What corporate arrangements for privacy risk management are in place;
- To what extent the corporate risk regime incorporates information-specific risks; and
- Which risks to the rights and freedoms of natural persons are addressed.
Your compliance project is much more likely to run into difficulties without board-level support. Complying with the GDPR requires effort across the whole organisation and must be led from the very top. An audit should examine the GDPR project to see if it is realistic and achievable.
DPO (data protection officer)
The GDPR requires the appointment of a DPO:
- Where processing is carried out by a public authority or body;
- Where the organisation’s core activities require regular and systematic monitoring of data subjects on a large scale; or
- Where core activities involve large-scale processing of special categories of personal data (sensitive data) or data relating to criminal convictions or offences.
In many cases, it is desirable to appoint a DPO irrespective of the legal requirement to do so, although the DPO has the same legal status whether the appointment is voluntary or mandatory.
An audit should determine whether a DPO is mandatory, has been appointed, and is positioned appropriately and capable of delivering against the GDPR’s requirements.
An audit should examine the roles and responsibilities defined throughout the organisation, the training and awareness measures in place, and the effectiveness of onboarding and offboarding processes.
The scope of compliance must be clearly defined, taking into account all data processing in which the organisation is involved as a controller or processor, as well as any data-sharing activity.
All databases containing personal data, all processing activities and all extraterritorial/cross-border processing should be identified to determine the scope of compliance. An audit should examine these activities.
Article 30 of the GDPR requires controllers, and processors acting on their behalf, to maintain records of their processing activities (subject to the limited exemption in Article 30(5) for organisations with fewer than 250 employees whose processing is occasional, low-risk and does not involve special categories of data). An audit should examine these records to determine how well each data processing principle is established for each process that involves personal data, taking into account the lawful basis relied on for each process, any processes for which a DPIA is mandatory, and those processes for which a DPIA might help establish data protection by design and by default.
For most organisations, complying with the GDPR will require a lot of documentation, such as a data protection policy, data breach notification procedure, subject access request forms and procedures, DPIAs, and consent forms to demonstrate compliance. The size and complexity of your organisation determines the amount of documentation required.
A PIMS (privacy information management system) will organise that documentation appropriately and should also address staff awareness training. ISO 27701 is the international standard that specifies the requirements for a PIMS; it extends ISO 27001 and ISO 27002 with privacy-specific controls and maps those controls to the requirements of the GDPR.
Do you have adequate security measures in place to protect personal data in hard copy or electronic form, or processed through your systems? This should include a review of methodologies for testing security, and established cyber security certifications, standards and codes of practice.
The international standard ISO 27001:2013 sets out the requirements for an ISMS (information security management system), against which organisations can achieve independently audited certification. Certification demonstrates that the organisation's security controls meet a recognised standard rather than GDPR compliance as such, but Article 32(3) allows adherence to an approved certification mechanism to be used as one element in demonstrating compliance with the security obligations.
Under the GDPR, data subjects have the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making and profiling
An audit should establish to what extent you have implemented processes that enable you both to facilitate data subjects exercising any or all of these rights and to respond to requests within the statutory time limits.
Ensure your organisation is GDPR compliant
Our privacy specialists will assess your data privacy and information security practices against regulatory requirements, ICO (Information Commissioner’s Office) guidance and IT Governance best practice.