2025: A new ambition for MDS.   Discover our strategy and innovations soon. In the meantime, explore our vision

contact an expert
5-étapes-pour-réaliser-un-audit-RGPD

5 steps to perform a GDPR audit

Audit of all the organization’s tools

The first phase of this audit consists of identifying all the tools that may contain personal data.

This audit involves identifying:

✅ All information systems and data flows

In this step, it is essential to list all the tools, software and databases used in the context of professional activity: payroll software, CRM, project management, marketing campaigns, website analysis, financial software, etc.

Data is omnipresent and its location in the company’s information system can sometimes be complex. It is necessary to draw up an exhaustive list of all digital tools, as well as non-digital media such as paper forms, for example.

In addition, it is essential to list all data flows between the company’s different systems, as well as with external systems. It is necessary to identify the interfaces, the APIs (Application Programming Interface) allowing the exchange of data between different tools, file exports and email flows.

This analysis of the tools makes it possible to determine the location of the data and their circulation within the organization.

✅ The types of data contained in these tools

For each tool or software listed, it is necessary to identify the data stored there, with particular emphasis on personal data.

The GDPR defines personal data broadly (article 4 of the GDPR), encompassing all information relating to an identified or identifiable natural person, directly or indirectly.

Some personal data is easily identifiable, such as the name or first name. Other data, called “indirect”, such as a telephone number, a customer number or a date of birth, also allow the identification of a person. All this data is protected by the GDPR.

On the other hand, data relating to companies, considered as legal persons, are not affected by the GDPR, with the exception of information relating to the identity and contacts of natural persons with whom a company interacts in a B2B (Business to Business) context.

Audit of personal data collection mechanisms

✅ You have established a complete list of all your tools.

✅ You have identified the locations where personal data is stored.

🔜 Now, you need to identify the sources of data collection.

This step involves reviewing and analyzing the different sources of data collection used in your organization. All means of data collection must be listed.

It is important to remember that the collection of personal data must be based on one of the six legal bases established by the GDPR (Article 6 of the GDPR). For each method of data collection, the GDPR auditor verifies the collection method and ensures that it complies with the GDPR.

In summary, the audit of collection mechanisms aims to identify:

  • Each source of collection of personal data: online forms, paper forms, cookies on the website, data collected by telephone, etc.
  • Whether the data was collected based on one of the following legal bases:
    • The contract,
    • Consent,
    • Compliance with a legal obligation,
    • The legitimate interest of the data controller,
    • The exercise of a mission of public interest or relating to the exercise of official authority,
    • The protection of the vital interests of the data subject.

Most of the time, the legal basis used for the collection of personal data is consent (Article 7 of the GDPR). It is therefore essential to ensure that you have proof of the consent of the persons concerned for each personal data collected.

Audit of personal data processing

The next step in the audit is to examine in detail why and how personal data is used within the organization.

Indeed, the GDPR requires that you:

  • Draw up an exhaustive list of all data processing operations, including collection, recording, consultation, use, disclosure by transmission, dissemination, profiling, etc.
  • Describe the purposes of each processing operation.
  • Identify the duration for which the data is processed.
  • Indicate who has access to this data.
  • Mention any transfer of this data outside the European Union, if applicable.

In summary, this step involves identifying:

  • The purpose of the data: why is it collected? For what purpose is it used?
  • The different data processing operations carried out: how is this data used in practice? What operations are carried out on this data?
  • In accordance with Article 30 of the GDPR, each organisation is required to record in a register of processing of personal data all activities relating to this data.

👉 If you already have a register of processing operations, it is necessary to audit it to ensure that it contains all the required information and that no processing of personal data has been omitted.

Data Security Audit

This technical audit aims to identify and analyze the risks weighing on personal data stored in databases, tools, servers, networks, as well as on workstations such as computers, tablets and smartphones.

The personal data security audit includes in particular:

  • The level of awareness of users: this involves assessing the information and awareness of people handling the data, as well as drafting an IT charter.
  • The authentication policy of users: this includes limiting the number of accesses to an account and adopting a password management policy in accordance with the recommendations of the CNIL.
  • The management of authorizations: this includes the removal of obsolete accesses, periodic audits of authorizations and the definition of confidentiality perimeters.
  • The security of workstations: this involves the automatic locking of sessions, the use of antivirus software and the installation of a firewall.
  • The security of mobile workstations: this includes the regular backup and synchronization of data, the use of mobile device encryption methods, and the use of a secret code to unlock professional smartphones.
  • Protecting the internal IT network: this involves securing remote access, implementing the WPA2 or WPA2-PSK protocol for Wi-Fi networks.
  • Securing networks: this includes the time taken to install critical updates and access to administration tools and interfaces.
  • Securing websites: this involves controlling inputs, using the TLS protocol, and displaying a cookie consent banner.
  • Providing regular backups to enable business continuity in the event of a data breach.

All aspects of data security must be inspected. It is recommended to plan intrusion tests, to audit the procedures to follow in the event of a data leak, as well as the methods of anonymization and/or pseudonymization of data.

This audit makes it possible to identify the points for which security is not ensured.

The GDPR audit report

At the conclusion of the GDPR audit, a report is written. This document lists:

  • Points that comply with the requirements of the GDPR;
  • Points that do not comply with the requirements of the GDPR;
  • And recommendations for corrective measures.

The GDPR audit report aims to establish a comprehensive map of personal data and its processing within the organization.

All the information compiled in this report makes it possible to identify the weak points of your GDPR compliance. It serves as a basis for developing the GDPR compliance action plan.

This action plan aims to:

  • List security issues concerning personal data;
  • Ranking these risks in order of priority, according to their seriousness for the company;
  • Identifying corrective actions to be implemented, while respecting a schedule based on their urgency.

Periodically carrying out a GDPR audit is essential to maintain your GDPR compliance!

Key GDPR Principles for Compliance Review

Ensuring compliance with the GDPR (General Data Protection Regulation) requires a thorough understanding of its core principles. Here’s a concise guide to the critical areas that require review:

  1. Lawfulness, fairness, and transparency: Verify whether data collection and processing activities are carried out lawfully. This means acquiring consent through clear communication and ensuring transparency about how and why personal data is used.
  2. Data minimization: Assess whether your organization is only collecting the data it needs to. This principle emphasizes the importance of collecting only what is necessary for the intended purposes, avoiding excess.
  3. Purpose limitation: Confirm that data is processed for legitimate purposes specified at the time of collection and not for other unrelated reasons.
  4. Retention limitation: Verify that data is not retained for longer than necessary. Implement policies to ensure that data retention periods are strictly adhered to, in line with business needs.
  5. Integrity and confidentiality: Ensure that appropriate security measures are in place. This includes both technical and organizational safeguards to prevent unauthorized access, data breaches, or loss.

By carefully reviewing these principles, you can ensure that your organization aligns effectively and efficiently with GDPR regulations.

How to Conduct a GDPR Internal Audit for Data Protection Compliance

Conducting a GDPR internal audit is crucial to ensuring your organization is meeting the legal requirements of personal data protection regulations, such as the GDPR.

Step 1: Preparation

Start by clearly defining the objectives of your audit. Are you checking compliance, assessing risks, or looking to improve internal data protection processes? Clarifying this will define the scope of the audit, covering the departments involved and the types of personal data involved.

Form an audit team with a designated leader, ideally a Data Protection Officer (DPO) or similar role. Include members with security and risk management expertise to ensure comprehensiveness.

Step 2: Information Collection

In this phase, collect comprehensive data on how personal information is processed within your organization. Document all types of data collected, especially sensitive data, as well as their purposes, legal bases, and how they are shared.

Review existing documents such as privacy policies, consent forms, and contracts with data processors. Inspecting data processing records and Data Protection Impact Assessments (DPIAs) is essential to ensure complete documentation.

Step 3: Compliance Analysis

Review whether your organization complies with GDPR principles, such as lawfulness, fairness, and transparency in data processing. Ensure that data collection is minimal and the retention period is appropriate. Review the adequacy of security measures in place to protect personal data.

Additionally, review protocols to honor individuals’ rights, such as access, rectification, erasure, and data portability. Ensure they are clearly communicated and effectively implementable.

Step 4: Risk Assessment and Security Measures

Conduct a risk assessment focused on identifying potential threats to data privacy. Analyze the risks associated with data processing, considering the likelihood and severity of potential privacy impacts.

Review technical and organizational measures protecting personal data. Test your incident response plans and data breach reporting procedures to confirm their effectiveness and clarity within the organization.

Step 5: Audit Report

Conclude the audit by writing a detailed report, identifying any deviations from GDPR requirements and the associated risks. Provide specific recommendations to address non-compliance and improve data protection practices. This report should guide your organization toward improved privacy strategies.

By following these structured steps, your GDPR internal audit can comprehensively ensure compliance and strengthen your organization’s data protection framework.

Managing and Verifying Data Subject Rights in a GDPR Audit

During a GDPR audit, it is crucial to thoroughly assess how data subject rights are managed and verified. Here is a step-by-step approach to ensure compliance and effectiveness:

  1. Review Internal Procedures: Start by reviewing your organization’s internal procedures regarding data subject rights. This includes the right to access, rectification, erasure (right to be forgotten), objection, and data portability. Ensure that each procedure is properly documented and consistently applied.
  2. Clear and Accessible Information: Ensure that information regarding these rights is clearly communicated to data subjects. This can be achieved through accessible privacy policies and notices on your website and other platforms.
  3. Rights Framework: Establish an effective framework to facilitate the exercise of these rights. This involves putting in place user-friendly mechanisms for data subjects to submit requests without undue delay or complexity.
  4. Training and Awareness: Ensure that all relevant staff, including customer service and IT teams, are well trained in these procedures. Regular training sessions will help maintain a high level of awareness and preparedness to handle requests.
  5. Efficiency and Speed: Implement processes to ensure that requests are handled promptly, typically within the one-month time limit imposed by the GDPR. Consider investing in automated systems to streamline request processing and tracking.
  6. Audit and Record Keeping: Keep a detailed record of all requests and how they were processed. This provides proof of compliance and can be invaluable during an audit. Use tools that record requests, actions taken, and response times.

Reviewing and updating these practices regularly can help maintain compliance and build trust with data subjects. By proactively managing these aspects, you can mitigate the risks associated with GDPR non-compliance.

To effectively scope a GDPR audit, start by clearly identifying the specific areas you need to assess. This involves defining which services and departments will be audited. Make a list to ensure a complete overview:

  • Identify departments: Start with an inventory of all departments in your organization that handle personal data. This may include marketing, human resources, customer service, and IT.
  • Determine key departments: Specify the departments that involve data processing or storage. Consider both internal and external departments, ensuring that you capture a complete picture of data management.
  • Catalog personal data types: List the types of personal data processed, such as names, email addresses, and financial information. Consider both digital and physical records.

Once you have this information, prioritize the areas where the risk of non-compliance is highest. This prioritization may be based on the volume or sensitivity of the data processed.

Leverage Data Mapping: Use data flow diagrams to visualize how personal data flows through your organization. This can help identify potential compliance gaps and ensure that all data journeys are included in the audit scope.

By following these steps, you will create a solid framework for your GDPR audit, ensuring that no critical aspect is overlooked.

Conducting a GDPR Audit: Essential Resources to Simplify the Process

To ensure your organization is on track with GDPR compliance, leveraging available resources can simplify and improve your audit efforts. Here’s a look at some helpful tools:

1. Comprehensive Checklists

  • GDPR Audit Checklist: A step-by-step guide that ensures every aspect of the audit is covered. Available from a variety of sources, these checklists help keep your audit organized and comprehensive.
  • IT Governance GDPR Checklist: Offered by IT experts, this checklist helps navigate technical compliance.

2. Specialised audit tools

  • OneTrust and TrustArc: These platforms offer software tools that automate parts of the GDPR compliance process, making it easier to track progress and identify gaps.

3. Guides and templates

  • ICO GDPR Guide: The Information Commissioner’s Office provides a detailed guide that walks you through the requirements and expectations of the GDPR.
  • Sample Data Protection Impact Assessment (DPIA): This template helps assess the risks associated with data processing activities.

4. Educational Resources

  • Webinars and Online Courses: Platforms like Coursera and LinkedIn Learning offer courses to deepen your understanding of GDPR compliance.
  • E-Books and Whitepapers: Explore in-depth information and strategies from data protection experts.

By using these resources, your organization can more effectively navigate the GDPR audit process, reducing the risk of oversight and improving overall compliance.

Qui devrait faire partie de l’équipe menant un audit RGPD ?

Constituer la bonne équipe est crucial pour réussir un audit RGPD. Commencez par nommer un chef d’équipe pour superviser l’ensemble du processus. Il peut s’agir du Responsable de la Protection des Données ou d’une personne affectée aux rôles de protection des données au sein de l’organisation.

Membres clés de l’équipe :

  • Spécialistes de la protection des données : Essentiels pour comprendre les exigences de conformité et les détails des lois sur la protection des données.
  • Experts en sécurité : Professionnels capables d’identifier les vulnérabilités et de proposer des améliorations en matière de sécurité.
  • Professionnels de la gestion des risques : Personnes capables d’évaluer et de gérer les risques potentiels associés au traitement des données.

En réunissant un groupe diversifié avec ces compétences, l’équipe peut naviguer efficacement dans les exigences complexes d’un audit RGPD, en veillant à ce que tous les aspects de la protection et de la confidentialité des données soient minutieusement examinés.

Who should be part of the team conducting a GDPR audit?

Building the right team is crucial to a successful GDPR audit. Start by appointing a team leader to oversee the entire process. This could be the Data Protection Officer or someone assigned to data protection roles within the organization.

Key Team Members:

  • Data Protection Specialists: Essential for understanding compliance requirements and the details of data protection laws.
  • Security Experts: Professionals who can identify vulnerabilities and propose security improvements.
  • Risk Management Professionals: Individuals who can assess and manage potential risks associated with data processing.

By bringing together a diverse group with these skills, the team can effectively navigate the complex requirements of a GDPR audit, ensuring that all aspects of data protection and privacy are thoroughly examined.

Risk Assessment in the Context of GDPR

Risk assessment within the framework of the General Data Protection Regulation (GDPR) is essential for protecting personal data. This process begins with identifying potential threats to individuals’ privacy. To effectively assess these risks, consider the following steps:

  1. Threat Identification: Identify potential dangers that data processing activities may pose to privacy. This involves understanding the nature of the personal data being processed and the specific contexts in which they are used.
  2. Risk Analysis: Evaluate the likelihood and severity of each identified threat. This involves considering how frequently a risk might occur and the extent of its impact on individuals’ privacy.
  3. Evaluation of Protective Measures: Assess existing technical and organizational measures. These measures aim to prevent data breaches and ensure data security. For example, encryption, access controls, and employee training are common measures. Verify if these measures are strong enough to mitigate identified risks.
  4. Testing Incident Response Plans: Regularly test incident response strategies, including data breach notifications, to ensure their effectiveness. Ensure that every member of the organization thoroughly understands these procedures and can act quickly in case of a breach.

By systematically evaluating these components, organizations can improve their data protection practices and reduce the potential for data breaches, aligning their operations with GDPR requirements.

Managing Individuals’ Data Rights: A Comprehensive Overview

To effectively manage the rights of individuals whose data is being processed, it is essential to focus on several key procedures. Here is an overview of the crucial steps involved:

  1. Understanding Key Rights: Begin by identifying the fundamental rights that individuals have, including:
    • Access: Individuals have the right to know what personal data is being collected and how it is used.
    • Rectification: They can request corrections to any inaccurate personal information.
    • Erasure: Also known as the right to be forgotten, individuals can request the deletion of their data under certain conditions.
    • Objection: Individuals can object to data processing activities, especially when it involves direct marketing.
    • Data Portability: Individuals can request their data in a structured, commonly used, and machine-readable format for transfer to another service provider.
  2. Clear Communication: Ensure that information about these rights is easy to understand and readily accessible. This may involve comprehensive privacy notices or detailed FAQs on your website.
  3. Streamlined Procedures: Establish clear and efficient procedures for individuals to exercise their rights. This could include providing online request forms or the contact details of a dedicated privacy officer.
  4. Prompt Responses: Develop a policy for responding to data requests quickly, typically within the legally required timeframe, usually 30 days.
  5. Verification Mechanisms: Implement methods to verify the identity of individuals making requests to prevent unauthorized access to data.
  6. Training and Awareness: Regularly train your team on these rights and procedures to ensure consistent and lawful handling of requests.

By following these structured procedures, organizations can effectively manage individuals’ data rights, fostering trust and compliance with data protection regulations.

Why is it Important to Define the Scope of a GDPR Audit and What Should It Include?

Defining the scope of a GDPR audit is essential for a successful evaluation of an organization’s data protection practices. By clearly setting boundaries, you can ensure that all necessary aspects are thoroughly examined without wasting resources on irrelevant areas.

  1. Focus and Efficiency: A well-defined scope highlights specific services, departments, and categories of personal data that require review. This focus helps direct efforts toward critical areas, ensuring an effective and comprehensive audit process.
  2. Risk Management: Understanding which elements to audit enables businesses to better identify potential vulnerabilities in their data management procedures. This proactive approach to addressing risks can prevent compliance issues and protect against data breaches.
  3. Compliance and Accountability: Covering all relevant areas ensures that the organization complies with GDPR requirements, demonstrating accountability. This accountability not only builds trust with customers but also aligns with legal obligations, helping to avoid hefty fines.

In summary, defining the scope is about targeting relevance, mitigating risks, and ensuring legal compliance. It forms the foundation of a systematic audit that aligns with the organization’s specific data protection needs.

Related Articles
Hôtels et RGPD Garantir la confidentialité des clients
Hotels and GDPR: Ensuring guest privacy
Hotels and GDPR Key Compliance Steps
Hotels and GDPR : Key Compliance Steps
Share
GDPR advice
GDPR
outsourcing
GDPR software
Expertise
GDPR
ecosystem
DPO GDPR per city
GDPR support per city
Compliance in
your industry
Navigation
Legal Information
Newsletter

Subscribe to our newsletter to receive the latest news and updates.

Portraits de trois clients souriants
+ 400 customers have trusted us
Twitter Linkedin Youtube Facebook Instagram
logo-charte-de-deontologie-du-dpo

© Copyright 2025 | My Data Solution | All rights reserved | Legal notices
Made with ❤️ by Gonnected eClaud IT

GDPR advice
GDPR outsourcing
GDPR software
Expertise
GDPR ecosystem
DPO GDPR per city
GDPR support per city
Compliance in
your industry
Navigation
Legal Information
Newsletter

Subscribe to our newsletter to receive the latest news and updates.

Portraits de trois clients souriants
+ 400 customers have trusted us
Twitter Linkedin Youtube Facebook Instagram
logo-charte-de-deontologie-du-dpo

© Copyright 2025 | My Data Solution | All rights reserved | Legal notices
Made with ❤️ by Gonnected eClaud IT