What is a GDPR compliance audit?
A GDPR (General Data Protection Regulation) compliance audit is a systematic and independent assessment of an organisation’s compliance with the GDPR.
The purpose of a GDPR compliance audit is to help organisations ensure that they are meeting their obligations under the GDPR and to identify areas where they may need to make improvements.
UK data protection law is currently being revised. We are following the progress of the Data Protection and Digital Information (No.2) Bill through parliament and will keep you updated on how it might affect your data processing obligations.
How often should a GDPR compliance audit be conducted?
There is no definitive answer to this question, as it will depend on the size and complexity of the organisation, as well as the sector it operates in. However, we generally recommend that a GDPR audit be conducted at least once a year.
GDPR compliance audit checklist
A GDPR audit should cover the following ten areas:
1. Data protection principles
Under the Regulation, personal data must be processed according to six principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
These are underpinned by the principle of accountability. If you are a data controller, you must keep certain records to demonstrate your compliance.
An audit should consider the extent to which data protection accountability, responsibility, policies and procedures, performance measurement controls and reporting mechanisms are in place and operating throughout your organisation.
2. Risk management
Organisations must take a risk-based approach to implementing “appropriate technical and organisational measures”, which includes conducting DPIAs (data protection impact assessments) in certain circumstances. A DPIA is a form of risk assessment that identifies the risks to, and the likely effects of a processing activity on, the security of personal data.
A GDPR audit should examine:
- Whether privacy risk is included in your corporate risk register;
- What corporate arrangements for privacy risk management are in place;
- To what extent the corporate risk regime incorporates information-specific risks; and
- Which risks to the rights and freedoms of natural persons are addressed.
3. GDPR project
Your compliance project is much more likely to run into difficulties without board-level support. Complying with the GDPR requires effort across the whole organisation and must be led from the very top. An audit should examine the GDPR project to see if it is realistic and achievable.
4. DPO (data protection officer)
The GDPR requires the appointment of a DPO:
- Where processing is carried out by a public authority or body;
- Where the organisation’s core activities require regular and systematic monitoring of data subjects on a large scale; or
- Where core activities involve large-scale processing of sensitive personal data or data relating to criminal convictions or offences.
In many cases, it is desirable to appoint a DPO irrespective of the legal requirement to do so, although the DPO has the same legal status whether the appointment is voluntary or mandatory.
An audit should determine whether a DPO is mandatory, has been appointed, and is positioned appropriately and capable of delivering against the GDPR’s requirements.
5. Roles and responsibilities
An audit should examine the roles and responsibilities defined throughout the organisation, the training and awareness measures in place, and the effectiveness of onboarding and offboarding processes.
6. Scope of compliance
The scope of compliance must be clearly defined, taking into account all data processing in which the organisation is involved as a controller or processor, as well as any data-sharing activity.
All databases containing personal data, all processing activities and all extraterritorial/cross-border processing should be identified to determine the scope of compliance. An audit should examine these activities.
7. Process analysis
Article 30 of the GDPR requires controllers to maintain records of all processing activities. An audit should examine these records to determine how well each data protection principle is established for each process that involves personal data. In doing so, it should take into account the lawful basis for each processing activity, identify the processes for which a DPIA is mandatory, and consider the processes for which a DPIA might help establish data protection by design and by default.
8. PIMS (privacy information management system)
For most organisations, complying with the GDPR will require a lot of documentation, such as a data protection policy, data breach notification procedure, subject access request forms and procedures, DPIAs, and consent forms to demonstrate compliance. The size and complexity of your organisation determines the amount of documentation required.
A PIMS will order that documentation appropriately and should also address staff awareness training. ISO 27701 is the international standard that specifies the requirements for a PIMS and is aligned with the requirements of the GDPR.
9. ISMS (information security management system)
Do you have adequate security measures in place to protect personal data in hard copy or electronic form, or processed through your systems? This should include a review of methodologies for testing security, and established cyber security certifications, standards and codes of practice.
The international standard ISO 27001:2013 sets out the requirements of an ISMS, against which organisations can achieve independently audited certification to demonstrate their compliance.
10. Rights of data subjects
Under the GDPR, data subjects have the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making and profiling
To what extent have you implemented processes that enable you to both facilitate and respond to data subjects exercising any or all of these rights?