How To Perform GDPR Audit (Best Guide In 2020)

What is a GDPR audit?

How to perform a GDPR audit?

Where can you find the best guide in 2020 to know what to do?

Worry no more!

In this article, we will provide you with all the essential information you need to perform a GDPR audit and understand the objective of the GDPR audit.

We will also provide you with a useful GDPR audit checklist downloadable document to help you in the process.

Are you ready?

Let’s get started!

What is a GDPR audit?

A GDPR audit is intended to investigate and validate whether or not an organization has implemented the technical and organizational measures, policies and procedures to comply with the data privacy and data protection requirements of GDPR.

The central focus of a GDPR audit is the compliance with the GDPR regulation relating to the processing of personal data.

Typically, the audit’s aim is to ascertain that the company has:

  1. Proper safeguards to protect personal data
  2. Adequate policies and procedures with regards to data privacy and data protection
  3. Mechanisms in place to monitor and enforce its procedures
  4. Assessed the adequacy of its internal controls
  5. The ability to detect possible personal data breaches

What is the scope of a GDPR audit?

The scope of the GDPR audit is mutually determined by the auditor and the organization.

Each organization may process personal data in a different way and be exposed to a different level of compliance risk.

Are you a data controller?

Are you a data processor?

As such, the company stakeholders and auditors will determine what can be the data protection risks within the organization so as to properly scope the audit process.

Fundamentally, the audit process will help an organization validate whether it has implemented best practices to comply with GDPR and is processing personal data in accordance with GDPR requirements and its own agreements.

How to audit for GDPR compliance?

You are subject to GDPR and you want to ensure that you have the proper measures to comply with the GDPR requirements.

To do that, you’ve decided to perform a GDPR compliance audit.

But how do you do your GDPR audit?

Here is a quick overview of how you will need to perform your audit:

  1. What personal data is collected?
  2. Is the personal data necessary for your purpose?
  3. Do you have a lawful basis for processing personal data?
  4. What personal data is stored and where?
  5. How can you protect the personal data?
  6. How long is the personal data needed for its purpose?
  7. Are there processes in place to allow data subjects to exercise their rights?
  8. Are there processes in place to delete data no longer needed?
  9. Do you have data breach notification mechanisms in place?

Let’s look at each of these aspects for more detail.

What personal data is collected?

The first question to answer during an audit process is to determine what is the nature of personal data that is being collected by the organization.

This is an important question as it will allow you to qualify the personal data that you are collecting.

Under GDPR, there are two categories of personal data: (1) personal data and (2) special categories of personal data.

Personal data are pieces of information that allow a natural person to be identified such as:

  1. Name
  2. Address
  3. Email 
  4. IP address
  5. Online cookies
  6. National identification numbers 

Special categories of personal data represent more sensitive personal data relating to a natural person, such as:

  1. Racial or ethnic origin
  2. Political opinions
  3. Religious or philosophical beliefs
  4. Trade union membership 
  5. Genetic data
  6. Biometric data
  7. Health data 
  8. Data about a person’s sex life or orientation

Depending on the category of personal data collected by a company, the GDPR compliance requirements can vary.

The audit will identify all sources or channels through which your organization may be collecting personal data.

It can be through your company website, by email, online forms or other channels.

Depending on your company’s legitimate interests and reasonable needs, you’ll get a sense of what you are collecting, whether you have a lawful basis to collect the data and whether you are complying with the data minimization principle.

Is the personal data necessary for your purpose?

The logical question after you’ve identified what type of personal data you collect is to determine if you need all the personal data to achieve your purpose.

In the past, companies adopted a “let’s collect everything for now and we’ll see what we need in the future” mentality.

That mentality can no longer work.

Companies cannot collect everything now and figure it out later.

During the audit process, one objective will be to determine whether you actually need every piece of personal data collected.

Remember that GDPR requires personal data to be collected for a lawful purpose.

In other words, every piece of personal data collected on a data subject should be justified by an underlying purpose.

If you do not have a purpose for the personal data, you cannot collect it and you must delete it.

Do you have a lawful basis for processing personal data?

You’ve determined the nature of personal data collected and you validated that you do have a need to collect the data.

Now, you need to audit whether you can associate your company’s needs and purpose to a lawful basis under GDPR.

As an extreme example, if a company is processing personal data for criminal purposes, even though a company believes that it has a need or purpose to collect the data, it does not mean that the processing is lawful.

What is the legal basis for collecting personal data?

Are you collecting personal data based on your legitimate interest?

Is data collected based on the data subject’s consent?

If data is collected based on the data subject’s consent, did you obtain consent for each data processing activity?

Can you prove that you did get consent?

What personal data is stored and where?

Once you’ve identified what personal data is being collected, the next step is to understand what personal data is stored and where.

Is your company storing personal data in a central database?

Is personal data stored in email accounts?

What systems are being used to store personal data?

Where is the personal data stored?

Do you store personal data in a country or territory outside of the European Union?

Do you have backups?

Having a good understanding of where your personal data is stored is crucial for GDPR compliance.

During this process, you can determine whether you are transferring data outside of the European Union, how secure the data is when stored, whether you have proper systems in place for storing data and preventing unauthorized access, whether you protect against loss of data, and so on.

How can you protect the personal data?

The next important question is how you are protecting the personal data in your possession.

Are your systems secure?

Do you have policies and procedures in place to prevent unauthorized access to the data?

Is data anonymized or pseudonymized for greater security?

Are you encrypting your data in its transmission?

The audit should help you identify potential data compliance gaps with respect to technical and organizational measures implemented to protect personal data.

How long is the personal data needed for its purpose?

Companies are required to process personal data only for the time necessary to achieve its purpose.

After the purpose has been achieved, personal data must be deleted.

For how long do you need to keep the personal information?

That will depend on your company’s specific data processing operations and needs.

Since GDPR does not define what is considered a necessary period to retain personal data, companies must evaluate their data processing operations and establish a data retention policy.

The GDPR audit will consider the nature of the data processed, the sensitivity of the data and how long each category of data is kept.

Are there processes in place to allow data subjects to exercise their rights?

One fundamental objective of GDPR is to empower data subjects so they can take control of their personal data.

To that end, GDPR has granted data subjects important rights such as:

  1. Right to access
  2. Right to be forgotten or erasure 
  3. Right to object
  4. Right to restrict processing
  5. Right to data portability 
  6. Right to be informed

A good GDPR audit will assess whether or not your organization has implemented mechanisms, processes and procedures to handle data subject requests (also called subject access requests).

How do data subjects exercise their rights?

Do you have someone appointed to handle such requests within the GDPR timelines?

Are you able to comply with a data subject’s request in a timely fashion?

These are important verification points in the context of a GDPR audit.

Are there processes in place to delete data no longer needed?

At the end of the data processing lifecycle, an organization must delete the personal data.

When the purpose of the data collection has been achieved, and any legitimate reason for retaining the personal data after that point has lapsed, the company must delete the personal data.

Deleting data that is “no longer necessary” is a mandatory requirement under GDPR.

To ensure compliance with this obligation, companies must determine how they are archiving their personal data.

How secure are the archiving systems used by the company?

Is the company archiving all types of data for the same amount of time or is there a different retention policy applicable per category of personal data or nature of personal data?

How safely is the company deleting the data?

Is the data permanently deleted or can it be restored?

A company must ensure that it permanently deletes data that is no longer necessary.

For how long should the company retain each type of data?

Do you have data breach notification mechanisms in place?

In the event of data breaches with potential consequences or harm on data subjects, companies must report the breach to their supervisory authority.

If the data breach can result in a likely high risk to the rights and freedoms of data subjects, they must also notify the data subjects directly.

During the GDPR audit process, it’s important to investigate the mechanism implemented by an organization to comply with such data breach notification to the supervisory authorities and communication to data subjects.

Note that this obligation applies to data controllers, although data processors have notification obligations as well.

Do you have a process in place to notify the data supervisory authorities within 72 hours of discovering a data breach?

Do you know which supervisory authority to report the incident to?

What do you evaluate to determine if there is a likely risk to data subjects?
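As an added example (not part of this article or any checklist it links to), the nine audit questions above can be applied row by row to a personal-data inventory. The record layout, the EU country-code set and the inventory values are assumptions constructed for the example; the six lawful bases, the special categories and the 72-hour notification window are as stated in GDPR.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
# Assumed for this example: the six GDPR lawful bases, the special categories
# named in the article, and EU member-state codes as the "inside the EU" test.
LAWFUL_BASES = {"consent", "contract", "legal obligation", "vital interests",
                "public task", "legitimate interest"}
SPECIAL_CATEGORIES = {"racial or ethnic origin", "political opinions",
                      "religious or philosophical beliefs", "trade union membership",
                      "genetic data", "biometric data", "health data",
                      "sex life or orientation"}
EU = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE",
      "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE"}

@dataclass
class ProcessingRecord:
    """One row of a personal-data inventory (layout constructed for this example)."""
    system: str                    # where the data is stored, e.g. "crm-db"
    category: str                  # kind of personal data held
    purpose: str                   # documented purpose, "" if none
    lawful_basis: Optional[str]    # None if no basis has been recorded
    consent_evidenced: bool        # only meaningful when lawful_basis == "consent"
    storage_country: str           # ISO country code of the storage location
    retention_days: Optional[int]  # None if no retention period is defined
    oldest_record_days: int        # age of the oldest record still held
    encrypted_in_transit: bool
def audit_record(r: ProcessingRecord) -> List[str]:
    """Return audit findings for one inventory row, following the nine questions."""
    findings = []
    if not r.purpose:
        findings.append("no documented purpose: data cannot be kept")
    if r.lawful_basis not in LAWFUL_BASES:
        findings.append("no lawful basis for processing")
    elif r.lawful_basis == "consent" and not r.consent_evidenced:
        findings.append("consent relied on but cannot be proven")
    if r.category in SPECIAL_CATEGORIES:
        findings.append("special category data: stricter requirements apply")
    if r.storage_country not in EU:
        findings.append("stored outside the EU: check transfer safeguards")
    if r.retention_days is None:
        findings.append("no retention period defined")
    elif r.oldest_record_days > r.retention_days:
        findings.append("retention period exceeded: delete data no longer needed")
    if not r.encrypted_in_transit:
        findings.append("personal data not encrypted in transit")
    return findings

def notification_deadline(discovered_at: datetime) -> datetime:
    """Latest time to notify the supervisory authority: 72 hours after discovery."""
    return discovered_at + timedelta(hours=72)
```

Run `audit_record` over every row of your inventory and treat each finding as a verification point to close before the audit; `notification_deadline` gives the clock the breach-notification process must beat.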

GDPR audit objectives

Every GDPR audit should have clear objectives for it to be meaningful and effective.

Organizations subject to GDPR can face hefty fines if they are found to be in breach of the regulation.

To avoid such costly penalties, companies are better off taking preventive measures to mitigate their compliance risk.

One sure way to mitigate risk is to perform a GDPR audit.

What are the objectives pursued when performing a GDPR compliance audit?

Generally, companies should pursue the following objectives:

  1. GDPR governance and documentation
  2. Risk management measures
  3. Data protection officer appointment
  4. Roles and responsibilities within the organization
  5. Analysis of procedures and processes
  6. Technical and organizational security measures
  7. Exercise of data subject rights 

Let’s look at each of these objectives briefly.

GDPR governance and documentation

Companies need to comply with GDPR and prove their compliance.

An important objective of an audit is to validate the company has a lawful basis for processing personal data, the extent to which a company has documented its requirements and has measures in place to comply with GDPR.

Risk management measures

An important audit consideration is how well a company is managing risk.

GDPR requires that organizations take a risk-based approach, evaluating risk depending on the nature of the personal data collected, the processing operations and the risk to data subjects.

If a data protection impact assessment is needed, has the company performed it?

Data protection officer appointment 

GDPR requires companies that process data in certain ways to appoint a data protection officer (DPO), namely:

  1. When a company regularly and systematically monitors data subjects on a large scale
  2. When a company processes sensitive data on a large scale or data relating to criminal convictions or offences 

The audit process can reveal whether a company may need to appoint a data protection officer or not.

Roles and responsibilities within the organization

Companies are required to adopt data protection and data privacy measures throughout the organization.

In fact, GDPR even requires data privacy by design.

The audit process will look at how a company has delegated responsibilities within its organization to comply with GDPR, and whether employees are trained and sensitized to data privacy.

Analysis of procedures and processes

Under GDPR, companies are required to implement procedures and processes to comply with GDPR.

These processes must be documented and properly recorded within the organization.

An objective of the audit is to ensure that the processes are aligned with the company’s data processing needs.

Technical and organizational security measures

A crucial aspect of a GDPR audit is to ensure that the organization has implemented the right technical and organizational measures to protect and safeguard personal data.

What systems are being used?

How secure are the systems?

Does the company regularly test its infrastructure for security?

Does the company comply with codes of conduct, industry standards or codes of practice?

Security should be an important part of the GDPR compliance audit.

Exercise of data subject rights

Another important objective of the compliance audit is to ensure that a company has taken the proper measures to allow data subjects to exercise their rights under GDPR.

GDPR audit checklist

You can use our GDPR audit checklist to get you started and ensure you have what it takes to comply with your GDPR obligations.

Takeaways 

A GDPR audit is intended to investigate and validate whether or not an organization has implemented the technical and organizational measures, policies and procedures to comply with the data privacy and data protection requirements of GDPR.

Typically, the audit’s aim is to ascertain that the company has:

  1. Proper safeguards to protect personal data
  2. Adequate policies and procedures with regards to data privacy and data protection
  3. Mechanisms in place to monitor and enforce its procedures
  4. Assessed the adequacy of its internal controls
  5. The ability to detect possible personal data breaches

This article should serve as your guide on how to perform a GDPR audit.  

Here is a quick overview of how you will need to perform your audit:

  1. What personal data is collected?
  2. Is the personal data necessary for your purpose?
  3. Do you have a lawful basis for processing personal data?
  4. What personal data is stored and where?
  5. How can you protect the personal data?
  6. How long is the personal data needed for its purpose?
  7. Are there processes in place to allow data subjects to exercise their rights?
  8. Are there processes in place to delete data no longer needed?
  9. Do you have data breach notification mechanisms in place?

You can use our GDPR audit checklist to help you get started!

Good luck!!

GDPR Audit Checklist