A GDPR audit is a thorough examination of your organisation’s data processing activities to check compliance with the General Data Protection Regulation (GDPR).
The aim of an audit is to identify any gaps or risks in your organisation’s data protection practices, so improvements can be implemented. This helps to avoid potential fines, legal liabilities, and reputational damage that could arise from data breaches and non-compliance.
Here we discuss the implications of GDPR and how to carry out a comprehensive internal audit.
What are the key principles of GDPR?
There are seven key principles that form the foundation of GDPR (Article 5): lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. Together they require organisations to keep personal data secure, to collect and use it transparently and only for the purposes stated, to hold no more of it for no longer than necessary, and to give individuals control over the data held about them.
Please read our article, Understanding GDPR data protection principles: a comprehensive guide to understand how these principles affect your organisation.
What data must be protected under GDPR?
Under GDPR, the data that must be protected includes any information that can be used to directly or indirectly identify someone. This ‘personal data’ encompasses a wide range of data types, including:
Basic identity information:
- Names
- Addresses (both physical and email)
- Phone numbers
- Identification numbers (for example, national ID numbers, passport numbers)
Web data:
- IP addresses
- Cookie identifiers
- Location data
- RFID tags
Health information:
- Medical records
- Health-related data
- Genetic and biometric data that can uniquely identify an individual
Financial information:
- Bank account details
- Credit/debit card information
- Financial transactions
Employment information:
- Job titles
- Salary information
- Employment history
- Performance evaluations
Cultural and social identity information:
- Religious beliefs
- Political opinions
- Sexual orientation
- Ethnic background
Within personal data, GDPR singles out special categories of personal data, which require additional safeguards.
Special category data (often called ‘sensitive data’) covers racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, health data, and data concerning a person’s sex life or sexual orientation (Article 9). Data about criminal convictions and offences is not a special category but is subject to its own restrictions under Article 10.
Processing special category data is prohibited unless one of the specific conditions in Article 9(2) applies (for example, explicit consent, or processing necessary for the provision of health care), and this condition is needed in addition to the Article 6 lawful basis that all processing requires.
GDPR compliance audit checklist
This GDPR checklist should be tailored to the specific needs and context of your organisation. Regular updates and reviews are essential to maintain GDPR compliance.
The Information Commissioner’s Office also offers free data protection self-assessment downloads and information on how to be GDPR compliant.
Data mapping and inventory
- Identify and document all personal data collected, processed, stored, and shared, including data held in logs, backups, analytics tools and spreadsheets that sit outside the main systems.
- Create a data flow map to understand how personal data moves within the organisation and to third parties.
- Record every processing activity together with its purpose and lawful basis; an activity with no documented purpose or basis is an audit finding in itself.
Legal basis for processing
- Verify that each processing activity rests on one of the six Article 6 lawful bases (consent, contract, legal obligation, vital interests, public task, legitimate interests).
- Where consent is the basis, check that it was freely given, specific, informed and unambiguous, that it is as easy to withdraw as it was to give, and that records of consent are kept.
- Review and update data processing agreements with third parties so that they meet GDPR requirements.
Data subject rights
- Implement procedures for handling requests to exercise each right (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making).
- Ensure requests are answered within the GDPR time frame: one month, extendable by a further two months for complex or numerous requests, provided the requester is told of the extension within the first month.
- Verify that privacy notices tell data subjects about their rights and how to exercise them.
Data protection policies and procedures
- Review and update privacy notices so they are accurate, complete and written in plain language.
- Appoint a data protection officer (DPO) where one is required (public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring, or large-scale processing of special category or criminal offence data), and define the role clearly; many organisations appoint one voluntarily.
- Carry out data protection impact assessments (DPIAs) before starting any processing likely to result in a high risk to individuals, and revisit them when the processing changes.
- Implement and document a GDPR training programme for all employees, with periodic refreshers.
Data security
- Assess and document the technical and organisational measures that protect personal data (Article 32), for example encryption at rest and in transit, least-privilege access controls, pseudonymisation, logging and monitoring, and backup and recovery.
- Regularly test and review these measures against new risks and vulnerabilities; having a documented process for such testing is itself an Article 32 requirement.
- Maintain an incident response plan for personal data breaches that covers detection, containment, assessment of the risk to individuals, notification of the supervisory authority (the ICO in the UK) within 72 hours of becoming aware unless the breach is unlikely to result in a risk, notification of affected individuals without undue delay where the risk is high, and an internal breach register covering every breach whether or not it is reported.
Data retention and deletion
- Establish and document a retention period for each category of personal data, so that nothing is kept longer than its purpose requires.
- Implement procedures for securely deleting, or genuinely anonymising, personal data that is no longer needed. Pseudonymised data (for example, hashed or tokenised identifiers that the organisation can still link back to a person) remains personal data and stays within scope.
- Review archives and backup systems: data that has been erased or has expired in live systems often survives in backups, so retention and deletion policies must cover them too.
Third-party management
- Audit third-party processors for GDPR compliance; the controller remains responsible for processing it outsources.
- Ensure every processor is bound by a written contract containing the Article 28 terms (processing only on documented instructions, confidentiality, security measures, controls on sub-processors, assistance with data subject requests and breaches, deletion or return of data at the end of the contract, and audit rights).
- Verify that third-party access to personal data is limited to what is necessary for the performance of their services.
Record keeping
- Maintain records of processing activities (Article 30), including the categories of data and data subjects, purposes, recipients, international transfers, retention periods and a description of the security measures applied.
- Ensure documentation is sufficient to demonstrate compliance to the regulator on request, as the accountability principle requires.
- Review and update records whenever processing activities change.
International data transfers
- Ensure that personal data transferred outside the UK (or outside the EEA, under the EU GDPR) is covered by an adequacy decision or an appropriate safeguard, such as the UK International Data Transfer Agreement, the EU standard contractual clauses with the UK Addendum, or binding corporate rules.
- Review and update contracts to reflect the transfer mechanism relied on.
- Carry out a transfer risk assessment for each destination country and document any supplementary measures applied.
Ongoing monitoring and improvement
- Schedule regular internal audits to ensure continuing compliance.
- Implement a mechanism for reporting and addressing non-compliance issues.
- Track regulatory guidance and changes to UK and EU data protection law, and adapt policies and practices accordingly.
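The retention and deletion items above are usually where an audit finds the widest gap between policy and practice, because nothing actually enforces the documented periods. The script below is an added example (not from the original article or from the ICO) of what an enforcement sweep looks like: it applies a per-purpose retention schedule to a constructed set of customer records, deletes expired rows where the policy says delete, and otherwise strips direct identifiers and replaces the email address with a keyed HMAC pseudonym so that transaction totals stay linkable for reporting. The retention schedule, the record layout, the sample records and the key are all assumptions made for the demonstration.

```python
"""Retention sweep over a constructed record set.

Added example, not code from the original article or the ICO. Applies an assumed
per-purpose retention schedule to records and, once a record is past its period,
either deletes it or pseudonymises it so only non-identifying values survive.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import date, timedelta

# ASSUMPTION: illustrative retention schedule, purpose -> (days to keep, action once expired).
# A real schedule comes from the organisation's documented retention policy.
RETENTION_SCHEDULE = {
    "marketing_consent": (365 * 2, "delete"),
    "order_history": (365 * 6, "pseudonymise"),  # kept longer for an assumed legal (tax) obligation
    "support_tickets": (365 * 1, "pseudonymise"),
}

# ASSUMPTION: demo key. In production the HMAC key lives in a secrets store, separate from the
# data; whoever holds it can re-link the tokens, so pseudonymised rows are still personal data.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"


@dataclass(frozen=True)
class Record:
    record_id: int
    purpose: str
    last_activity: date
    name: str | None
    email: str | None
    phone: str | None
    order_total: float  # non-identifying value the business still wants for aggregates


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed pseudonym: same input and key give the same token, so rows for one
    person stay linkable, but the token cannot be reversed to the email without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def is_expired(rec: Record, today: date) -> bool:
    days, _ = RETENTION_SCHEDULE[rec.purpose]
    return today > rec.last_activity + timedelta(days=days)


def sweep(records: list[Record], today: date) -> tuple[list[Record], dict[int, str]]:
    """Apply the schedule. Returns the surviving rows and an audit trail of the action per record."""
    kept: list[Record] = []
    actions: dict[int, str] = {}
    for rec in records:
        if rec.purpose not in RETENTION_SCHEDULE:
            # Audit finding: processing with no documented retention period. Keep the row, flag it.
            actions[rec.record_id] = "no_policy"
            kept.append(rec)
        elif not is_expired(rec, today):
            actions[rec.record_id] = "retain"
            kept.append(rec)
        elif RETENTION_SCHEDULE[rec.purpose][1] == "delete":
            actions[rec.record_id] = "deleted"  # row dropped; nothing about the person survives
        else:
            # Strip direct identifiers; keep a keyed token for the email so orders remain linkable.
            token = pseudonymise(rec.email) if rec.email else None
            kept.append(replace(rec, name=None, email=token, phone=None))
            actions[rec.record_id] = "pseudonymised"
    return kept, actions


def demo_records() -> list[Record]:
    """Constructed sample data; every name and contact detail here is fictitious."""
    return [
        Record(1, "marketing_consent", date(2021, 1, 15), "A. Example", "a@example.org", "+44 20 0000 0001", 0.0),
        Record(2, "marketing_consent", date(2023, 12, 1), "B. Example", "b@example.org", "+44 20 0000 0002", 0.0),
        Record(3, "order_history", date(2017, 3, 10), "C. Example", "c@example.org", "+44 20 0000 0003", 120.50),
        Record(4, "order_history", date(2023, 5, 20), "C. Example", "c@example.org", "+44 20 0000 0003", 35.00),
        Record(5, "support_tickets", date(2023, 1, 10), "D. Example", "d@example.org", None, 0.0),
        Record(6, "analytics", date(2020, 6, 1), "E. Example", "e@example.org", None, 0.0),
    ]


def run_sweep(today: date = date(2024, 6, 1)) -> tuple[list[Record], dict[int, str]]:
    """Run the sweep over the constructed records as of an assumed audit date."""
    return sweep(demo_records(), today)


if __name__ == "__main__":
    kept_rows, trail = run_sweep()
    for rec_id, action in sorted(trail.items()):
        print(f"record {rec_id}: {action}")
    print(f"{len(kept_rows)} rows retained, {sum(a == 'deleted' for a in trail.values())} deleted")
```

Two points the run makes concrete. First, the pseudonymised rows are still personal data: anyone holding the key can recompute the token from an email address and re-identify the row, so they need their own retention period and lawful basis, and only deletion (or irreversible anonymisation, such as aggregation) takes data out of scope. Second, the `no_policy` flag is the audit result to chase, since a purpose with no retention period is processing the organisation cannot show it has limited. The same sweep has to reach archives and backups, otherwise the live system is compliant while the copies are not.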
Who can conduct an internal GDPR audit?
If your organisation has a data protection officer (DPO), whether required under GDPR or appointed voluntarily, they are well placed to conduct the internal audit: monitoring compliance is one of the DPO’s statutory tasks, and the role must be independent of instruction on how to carry it out.
Whoever conducts the audit should have data protection expertise and should not be directly responsible for the day-to-day processing activities being audited, so that the review stays independent and objective. In smaller organisations without a DPO, this may mean using a manager from a different function or an external auditor.
UK GDPR training & awareness for employees
Checking that employees understand how GDPR principles apply to their roles and the organisation as a whole is a key aspect of a GDPR audit.
Our UK GDPR Training and Awareness course provides employees and managers with a comprehensive understanding of GDPR data protection principles, promoting best practices in data handling and management.
Find out more about the UK GDPR Training and Awareness course on our website, or contact our friendly team today on 0203 011 4242/info@praxis42.com
Tom Paxman
Managing Director (Digital)