

A GDPR audit is a review of an organization's processing of personal data, carried out to identify and correct practices that do not comply with the GDPR.

Who is concerned by the GDPR?

To understand what a GDPR audit is, it helps to know that the General Data Protection Regulation (Regulation (EU) 2016/679) was adopted by the European Parliament and the Council on 27 April 2016 and has applied in all EU member states since 25 May 2018.

Organizations whose core activities involve processing personal data must be able to demonstrate their GDPR compliance. Some of them must also appoint a data protection officer (DPO): public authorities and bodies, organizations whose core activities require regular and systematic monitoring of individuals on a large scale, and organizations that process special categories of data (health, biometric or genetic data, political opinions and so on) on a large scale.

The DPO informs and advises the organization, monitors its compliance and, in practice, draws up the action plan for bringing it into line with the Data Protection Regulation. See Dipeeo's offer: outsourced DPO.

The GDPR applies to any organization, public or private, that processes personal data, whether on its own behalf or on behalf of others, as long as it is established in the European Union or its activity targets people located in the EU (offering them goods or services, or monitoring their behaviour), even if it has no establishment there.

What is a GDPR audit? [Definition]

A GDPR audit is a review procedure that takes overall stock of whether an organization meets all of its obligations relating to the processing of personal data. Its main objective is to identify non-compliant practices so that they can be stopped or brought into line, in order to protect personal data. The audit produces recommendations for bringing the organization into compliance, and it is the first step towards compliance with the General Data Protection Regulation.

GDPR compliance requires genuine expertise of two kinds:

  • Legal skills.
  • Technical skills.

An audit enables you to draw up an action plan for compliance. First, it analyzes the organization's current situation and compares it with the rules and obligations of the regulation. It then identifies the actions the organization needs to take and shows where current practice contradicts the rules, which highlights the risks the organization is exposed to (complaints, sanctions by the supervisory authority, data breaches).


Carrying out a GDPR audit: is it "necessary"?

An audit is necessary to assess an organization's GDPR compliance. If nothing has been done and the subject has never been worked on, however, it is already clear that the organization is not compliant; the audit then serves to establish the starting point for the compliance plan.

Carrying out an audit lets you check whether your organization is GDPR compliant, but not only that. It is also a way to:

  • improve and secure your organization,
  • list the areas that do not match what has been put in place,
  • identify bad practices,
  • and correct these issues.

If you would like to know whether your organization complies with the General Data Protection Regulation but lack the legal and technical expertise, it is highly advisable to have a DPO (Data Protection Officer) carry out the audit.

Some providers offer rapid and comprehensive compliance: they are designated to the CNIL (Commission Nationale de l'Informatique et des Libertés, the French data protection authority) as the organization's DPO and support it on all GDPR topics for a reasonable price. (See our offer)

Discover the GDPR guide dedicated to the healthcare sector

Now available: the practical guide to GDPR issues for healthcare organizations and professionals.

How is a GDPR audit carried out?

Step 1: Data protection audit

A. Controlling the collection of personal data

This part of the audit analyzes how personal data is collected within the organization. Every processing operation needs a lawful basis under the GDPR, and consent (opt-in) is one of them, so the audit must check, for each collection, which basis is relied on and, where it is consent, that the consent is freely given, specific, informed and unambiguous, and that proof of it is kept.

Prior consent is required to collect and process the personal data of consumers (B2C) for commercial prospecting purposes. The rule is different for B2B (professional contacts). For further details, see the rules on commercial prospecting.

B. Controlling the information system

An information system audit locates the organization's personal data and shows how that data enters and leaves the organization. It takes the form of an information system map listing the types of data the organization holds and where they are stored. The purpose is to understand how personal data, and sensitive data if any, are processed.

In other words, reviewing the information system means analyzing the purpose of each processing operation in order to understand how the data is actually used. In this respect, the GDPR requires organizations processing personal data in the European Union to keep a record of processing activities (Article 30): for each processing operation, this register lists its purpose, the categories of data and of data subjects, the recipients, the retention periods and the security measures in place. Organizations with fewer than 250 employees are exempt only if their processing is occasional, poses no risk to individuals and involves no sensitive data, which is rarely the case in practice.

C. Checking the security of personal data for a GDPR audit

Carrying out this part of the audit can be laborious, because it requires technical expertise. The audit checks whether the security of the data is adequate, and the same applies to data storage and to the reliability of IT processes.

Potential hazards and technological risks within the organization are identified. This naturally includes the organization's databases, tools and applications; in short, all processing of personal data has to be checked for anomalies (access rights that are too broad, unencrypted storage, missing backups, data kept beyond its retention period, and so on).

It is also essential to put procedures in place after carrying out penetration tests: the findings must be remediated, and corrective measures must be ready in the event of a data leak or other incident so that the organization can be secured again. Bear in mind that a personal data breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the organization becoming aware of it, so an incident response procedure is part of compliance, not only of security.

Stage 2: Legal audit

The legal audit is the second part of the audit. Its aim is to check whether the organization's documents comply with the regulation and, therefore, whether an action plan is needed to draw up documents such as a privacy policy or a record of processing activities.

This part consists of checking that the company's general terms and conditions of sale and its main contracts comply with the regulation, including the data processing clauses required in contracts with subcontractors acting as processors. Next, the mandatory information to be provided on contact forms and in contractual clauses is checked.


Free GDPR audit!

This initial audit is quick and easy to carry out.

Dipeeo offers a free GDPR audit for any type of organization. This audit lasts only 30 minutes and is carried out by videoconference.

If you would like a free audit, please click here.

You can thus check whether your organization is GDPR compliant at no cost.