GDPR Audits: 5 Crucial Steps

Discover the 5 steps for completing a GDPR audit.

Person auditing documents with a iPad next to them

GDPR audits are the only way to check that your organisation is fully GDPR compliant. 

You should complete a GDPR audit annually. A lot can change in a year. You might start using new data capture processes, or new management software, or there could be changes in regulations.

In our GDPR audits checklist, we explained the most important areas to assess in a GDPR audit. In this article, we look at the process of conducting a GDPR audit. 

We have extensive experience conducting GDPR audits for a diverse variety of organisations across private businesses, the public sector and charities. While we shape each audit around the organisation’s unique needs, every GDPR audit will feature these five crucial steps.

1. Planning and Preparation

We’ll work with you to understand your organisation and define the scope and objectives of your GDPR audit. This will help us identify the systems, processes and data flows we need to map, assess and test. We’ll also collect documentation – like your data processing policies and procedures. 

2. Data Mapping 

Personal data is information that can identify individuals and ranges from names and addresses to video footage. GDPR applies to all personal data your organisation holds, whether it’s about your employees, customers or third parties.

Data mapping captures how all personal data flows through your organisation’s ecosystem. Documenting this is a core part of GDPR compliance. Our auditors will build a comprehensive map of the personal data your organisation collects, stores and processes:

  • Identifying and documenting the types of personal data you collect
  • Defining the purpose for handling each data category
  • Assessing the lawful basis for processing 

3. Assessment and Testing

We start by evaluating your data protection policies, procedures and practices against GDPR requirements. Then assess the effectiveness of measures you have in place to protect personal data. Our technical testing will include audits of network security, encryption protocols and data retention policies. 

If you hold someone’s data and they ask you to provide or delete it, this is known as a Subject Access Request or SAR and you need robust processes to respond. Of course, you also need these systems in case of a data breach or security incident. We will assess and test your SAR and incident procedures.

4. Reporting and Recommendations

We will prepare a formal audit report, highlighting any areas of non-compliance or gaps in your data protection – as well as the practices you’re doing well. Based on our findings at the assessment and testing stage, we’ll develop a recommended action plan of corrective steps and enhancements.

5. Optimisation and Continuous Improvement

You might see this step referred to as ‘remediation’, but at Data Protection People, we go beyond fixing problems to enhance your data protection. We work with you to implement your action plan, updating your policies, practices and controls to ensure complete GDPR compliance. 

It’s crucial to continually monitor your data protection practices between your annual GDPR audits. This is the responsibility of your Data Protection Officer (DPO). To take the pressure off, we can provide an expert outsourced DPO for your organisation.

GDPR compliance extends beyond the wording of policies and digital controls. Everyone at your organisation is responsible for following data protection regulations. So ensure you’re regularly educating your teams, and talk to us about our GDPR training.

Book Your GDPR Audit Today

At Data Protection People our mission is to eliminate the confusion around data protection. Whether you’re a micro-business or a multi-national, we have the expertise to help you achieve GDPR compliance – and understand it.

Contact the team to learn more about GDPR audits