

How to conduct a GDPR compliance audit

Jan 8, 2021

A GDPR compliance audit may seem similar to a GDPR assessment, but they are not the same. A GDPR assessment is an internal self-assessment carried out by your organization to measure your readiness and put improvements in place. An external GDPR audit comes from a supervisory authority, such as the data protection authority of an EU member state or, in the UK, the Information Commissioner's Office (ICO). Simply put, an internal assessment carries no regulatory risk, whereas an external audit could reveal issues that result in sanctions against your organization. Regular internal GDPR assessments go a long way toward making sure that, if you do undergo an external audit, voluntary or not, you are prepared for it.

GDPR Overview and Principles

Any organization that collects, stores, or otherwise processes the personal data of individuals in the European Union must adhere to the General Data Protection Regulation (GDPR). The organization can be located anywhere in the world; as long as it handles the personal data of people in the EU, it must comply with GDPR. The regulation sets out requirements for the organizations that determine the purposes and means of processing personal data, known as data controllers.

These requirements do not apply only to data controllers, but also to data processors, the companies that process personal data on a controller's behalf. Therefore, to support GDPR compliance, collect only the minimum amount of personal data you actually need from your customers, process it lawfully, and protect it.

What are the key standards of GDPR?

Any organization that processes the personal data of individuals in the EU must familiarize itself with the seven basic principles of GDPR, set out in Article 5. These principles form the legal framework that must be applied whenever the personal data of EU data subjects is processed. The principles are:

  1. Data minimization: Personal data collected must be adequate, relevant, and limited to what is necessary for the purposes of the processing.
  2. Purpose limitation: Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a way that is incompatible with those purposes. Further processing for archiving in the public interest, scientific or historical research, or statistical purposes is not considered incompatible with the original purposes.
  3. Accuracy: Personal data must be accurate and, where necessary, kept up to date. There must be a process to rectify or erase inaccurate personal data without delay.
  4. Integrity and confidentiality: Personal data must be processed in a way that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
  5. Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
  6. Accountability: The controller is responsible for compliance with the principles above and must be able to demonstrate that compliance.
  7. Storage limitation: Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes of the processing.

How to conduct a GDPR compliance audit

Any organization that handles the personal data of individuals in the European Union should perform regular GDPR compliance audits. GDPR has been in full effect since 25 May 2018, and all affected companies need regular internal audits to check their level of compliance.

Performing a GDPR audit is also important because it will assist you in the event of a data breach or complaint. How would an audit help in a breach? When a supervisory authority decides on an administrative fine, it takes into account the technical and organisational measures the organization had implemented and its degree of responsibility (Article 83(2)). Audit records showing that you assessed your controls and acted on the findings are evidence of that accountability and can weigh in your favour, although they do not guarantee a reduced penalty.

Beyond this, performing a GDPR audit will help to:

  1. Ensure that appropriate data protection policies are in place and enforced.
  2. Identify vulnerabilities in your systems that could lead to a data breach.
  3. Assess the internal controls.
  4. Monitor the policies, principles, and procedures that have been validated, and make sure they are actually followed.
  5. Recommend changes to policies, controls, and IT systems.

Benefits of conducting a voluntary GDPR compliance audit

Below are a few more advantages of auditing your company’s GDPR compliance.

  1. Raise awareness of data protection across the organization.
  2. Identify vulnerabilities in the company's network and systems that could threaten customers' personal data.
  3. Assess the organization's compliance with GDPR and avoid heavy penalties.
  4. Share knowledge for improvements and future training.
  5. Document management's commitment to understanding and recognizing the value of data protection.

Getting help with your GDPR compliance audit

Many companies find that engaging an external auditor is the best approach to a GDPR audit. That should not stop you from performing regular internal audits as well, especially if you have the required resources and expertise in-house. Whichever route you take, the goal is to improve your company's posture ahead of any GDPR audit.

Preparing for a GDPR compliance audit

Your company's GDPR audit will depend on several factors, including the size of the company and the volume and type of personal data it handles. The basic steps are:

  1. Document all the types of personal data you collect.
  2. Limit the amount of personal data you collect.
  3. Understand fully how the data flows through your organization and where it is stored.
  4. Assess the risks of a personal data breach.
  5. Have procedures in place for data subject rights requests, including Data Subject Access Requests (DSARs), where individuals ask for a copy of their data, and requests to rectify or erase it.

GDPR compliance audit documentation

A large part of GDPR compliance as a whole is documentation. Under Article 30, both data controllers and data processors (and, where applicable, their representatives) must keep records of processing activities, including:

  • The name and contact details of the controller (and of the processor, where applicable), and of the DPO if one has been appointed;
  • The purposes of the processing;
  • Descriptions of the categories of data subjects and of the categories of personal data;
  • The categories of recipients to whom the personal data have been or will be disclosed;
  • Details of international data transfers and the safeguards applied to them;
  • Where possible, the time limits for erasure of the different categories of data;
  • Where possible, a general description of the technical and organisational security measures.

Strictly speaking, Article 30(5) exempts organizations with fewer than 250 employees from this obligation, but the exemption does not apply if:

  • The processing is not occasional;
  • The processing includes special categories of data or data relating to criminal convictions and offences;
  • The processing is likely to result in a risk to the rights and freedoms of data subjects.

In practice, it is always recommended to keep such records even if you have fewer than 250 staff, since they are an essential part of handling data subject rights requests. This also includes records of the lawful basis for each processing activity, as well as any data processor agreements.

GDPR compliance audit checklist

Your company's GDPR audit checklist will depend on several factors, including the size of the company and the volume and type of personal data it handles.

The main areas a GDPR audit should cover are:

  1. Data governance: GDPR sets out seven principles that must be followed when processing the personal data of individuals in the EU: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. The audit checks that these principles are applied to all personal data.
  2. Risk management: GDPR requires organizations to take a risk-based approach to implementing appropriate technical and organisational measures. Conducting Data Protection Impact Assessments (DPIAs) for high-risk processing (Article 35) is part of this, as a DPIA identifies the risks and the measures needed to mitigate them.
  3. GDPR project: A GDPR compliance project is a large undertaking that needs the support of the board; without it you are likely to face difficulties.
  4. Roles and responsibilities: The audit should examine how data protection roles and responsibilities are defined within the organization.
  5. Scope of compliance: The scope must be clearly and accurately defined, including identifying every database and system that holds personal data.
  6. Appointment and responsibilities of a Data Protection Officer (DPO): Where one is required, a DPO is appointed to inform and advise the organization and to monitor its compliance.
  7. The records of processing activities.
  8. Personal information management system (PIMS).
  9. The rights of data subjects.
  10. Information security management system (ISMS).

GDPR compliance audit checklist as a table

Another way to simplify the complex GDPR audit process is to use a table, which is what third-party audit service providers usually do. The first part of this table is the so-called "introduction", specifying the auditor's name, the date of the audit, and a short description, as shown below:

General Data Protection Regulation Audit Checklist

Lead Auditor: [First & Last Name]
Directions:
_________________
_________________
_________________
Audit Date: [Day] [Month] [Year]
Audit Description: Ensuring alignment to GDPR by reviewing the policy and the procedure documentation.


While this introduction is not significant to the audit process itself, it does record important information: the lead auditor, specific directions, the purpose of the audit, and so on.

Next, we'll go over the first chapter of a GDPR audit table and highlight some of the important parts of the process:

  1. Governance and Accountability

  Ref  Article  Recital  Requirement                                                           Yes  No  N/A  Auditor Notes                                          Review Date
  1.1  24       78       Do you have a Data Protection Policy?                                 Yes           Data Protection aspects covered in multiple policies
  1.2                    Do you have a Clear Desk Policy?                                      Yes           Clear desk policy in place
  1.3                    Do you have a Remote Access Policy?                                   Yes           Within the Access Control Policy
  1.4  24       78       Do you have Data Breach Incident & Notification Policy & Procedures?  Yes           Data breach policy and form
  1.5  24       78       Do you have Records Management & Data Retention Policies?             Yes           Documented record controls in place
  1.6


The above table shows just a small part of the first of many segments, titled "Governance and Accountability". The number of segments and their contents may differ from case to case, but a standard list of "chapters" that such an audit table might include is:

  1. Governance & Accountability
  2. DPO (Data Protection Officer)
  3. Privacy by design/Secure processing
  4. Founding principles/Processing activities
  5. DPIA (Data Protection Impact Assessments)
  6. Information disclosure/Consent
  7. Interactions with data subjects
  8. Data subject rights
  9. Third parties/Data sharing
  10. Competency/Training
  11. Monitoring/Auditing
  12. Breach management

At the end of the table it is common to include a short section filled out by the auditor only. It contains two questions, one on the completeness of the table and one on whether follow-up actions are to be set up (if necessary), plus the signature of the lead auditor and the date of the audit.

Additionally, one more table may be included in the package, listing the measures to be taken as a result of the audit where the current measures were found insufficient for full GDPR compliance. That table usually looks like this:

GDPR Implementation Action Plan

  Summary  |  Correction/Mitigating control  |  Responsible person  |  Status  |  Due date  |  Completion status


Conclusion

Conducting a GDPR audit is the final step toward full GDPR compliance. It is something every company needs to go through, and it will determine whether you are truly compliant or not. Performing regular internal self-assessments is always recommended and should ensure that you meet your GDPR obligations if an external GDPR audit becomes necessary.
