Internal GDPR compliance audit – checklist

A GDPR compliance audit in a company

An internal GDPR compliance audit should take into account:

1. Organisational governance – internal GDPR compliance audit

In accordance with the GDPR, the processing of personal data must respect the following principles:

  • lawfulness, fairness, and transparency,
  • limitation of purposes of data processing,
  • data minimisation,
  • accuracy of data,
  • limitation of data retention,
  • data integrity and confidentiality,
  • accountability.

These principles are underpinned by the accountability principle. As a business, you become a data controller and must keep certain records to demonstrate compliance with data protection legislation.

The audit should cover the policies, procedures, oversight system and responsibility with regard to data protection across the organisation.

2. Risk management – internal GDPR compliance audit

Under the GDPR, organisations are required to use a risk-based approach to implement appropriate technical and organisational safeguards. In certain circumstances, this includes carrying out DPIAs (data protection impact assessments) – a type of risk assessment that identifies the risks the processing poses and the consequences it may have for the security of personal data.

An internal GDPR compliance audit should also examine whether the information security management system includes an analysis of the risk to the rights and freedoms of individuals.

3. Auditing the processing of personal data across the organisation – internal GDPR compliance audit

Without support at the Management Board level, it will be very difficult or even impossible to conduct a GDPR compliance audit. Ensuring compliance with the GDPR requires support throughout the organisation and must be carried out at all of its levels.

The data protection audit should also examine to what extent the internal GDPR compliance audit project itself is adequately staffed, funded and supported, and whether the way it is set up enables the organisation to achieve its personal data protection objectives.

4. Data Protection Officer (DPO) – internal GDPR compliance audit

The GDPR requires the designation of the DPO:

  • where the processing is carried out by a public authority or body;
  • where the core activities of the organisation require regular and systematic monitoring of data subjects on a large scale; or
  • where the core activities of the organisation involve processing on a large scale of sensitive personal data or data relating to criminal convictions and offences.

In many cases, it is desirable to designate a DPO even where none of the above legal requirements applies. The Data Protection Officer has the same legal status whether appointed voluntarily or compulsorily.

An internal GDPR compliance audit should determine whether a Data Protection Officer should be designated and whether they have been designated. If the DPO has been designated, the internal GDPR compliance audit should also examine whether the role is appropriately set up in the organisation and the designated individual is able to meet the requirements of the Regulation.

5. Staff roles and responsibilities – internal GDPR compliance audit

An internal GDPR compliance audit should examine to what extent employee roles and responsibilities are defined and established throughout the organisation. It should also review the data protection training and awareness-raising measures put in place by the organisation. The audit should further verify how roles and responsibilities are reflected in actual workflows, and examine employee onboarding and offboarding processes.

6. Analysis of work processes – internal GDPR compliance audit

In accordance with Article 30 of the GDPR, companies are required to maintain a record of all processing activities under their responsibility.

An internal GDPR compliance audit should take into account these provisions and determine how each of the data processing principles is being applied in individual work processes that involve personal data. This analysis should cover the legal basis of processing and verify for which processes a Data Protection Impact Assessment (DPIA) is mandatory and where it can help establish measures that fulfil the principles of data protection by design and by default.

7. Personal data protection management system – internal GDPR compliance audit

In order to demonstrate compliance with the GDPR, an organisation needs to present evidence that protection processes are in place and documented: a personal data protection policy, a data breach notification procedure, instructions and procedures, records of data access requests, documentation of the DPIAs conducted, consent clauses and much more. The scale of security processes and documentation should correspond to the size and complexity of the organisation. The personal data management system should include training and awareness-raising processes for employees and contractors involved in data processing.

8. Information security management system – internal GDPR compliance audit

An internal GDPR compliance audit must examine whether the technical and organisational measures in place provide an adequate level of security of personal data processed in paper form or in electronic form in the company’s IT systems. This should include a review of security testing methodologies and the adopted cybersecurity standards and codes of practice. The international ISO 27001 standard and possible compliance certification may help determine the requirements for a company’s ISMS.

9. Rights of data subjects – internal GDPR compliance audit

Under the GDPR, data subjects have the following rights:

  • the right of access to data,
  • the right to rectification and erasure of data,
  • the right to restriction of processing,
  • the right to data portability,
  • the right to object to the processing of data,
  • specific rights related to automated data processing (including profiling).

The internal GDPR compliance audit should also verify the processes put in place by the company to make it easier for data subjects to exercise these rights and to ensure that requests are responded to.

10. Scope of compliance with the GDPR

It is important that the extent of compliance with the GDPR is made clear in the audit results.

The final assessment of compliance with the requirements of the GDPR should cover all data processing in which the organisation acts as a controller or as a processor, as well as any activities that consist of making data available. In order to determine the extent of compliance, it is necessary to identify all data sets in which personal data are processed, all processing activities, and any extraterritorial/cross-border processing. An audit of the personal data protection system should examine these activities in detail.