Audit of all the organization's tools
The first phase of this audit consists of identifying all tools likely to contain personal data.
This audit involves identifying:
✅ All information systems and data flows
At this stage, it is essential to identify all the tools, software and databases used in the course of professional activity: payroll software, CRM, project management, marketing campaigns, website analytics, financial software, etc.
Data is ubiquitous, and locating it within the information system can be complex. It is necessary to draw up an exhaustive list of all digital tools, as well as non-digital media such as paper forms.
In addition, it is essential to record all the data flows between the company's various systems, as well as with external systems. This means identifying the interfaces (APIs, Application Programming Interfaces) that allow data to be exchanged between tools, the file exports and the e-mail flows.
This analysis of tools determines where data is located and how it travels within the organization.
✅ The types of data contained in these tools
For each tool or software listed, it is necessary to identify the data stored in it, with particular emphasis on personal data.
The GDPR defines personal data in a broad sense (Article 4 of the GDPR): any information relating to an identified or identifiable natural person, whether directly or indirectly.
Some personal data is easily identifiable, such as a surname or first name. Other so-called "indirect" data, such as a telephone number, customer number or date of birth, can also be used to identify a person. All of this data is protected by the GDPR.
On the other hand, company data (legal entities) is not covered by the GDPR, with the exception of information relating to the identity and contact details of the private individuals with whom a company interacts in a B2B (Business to Business) context.
Audit of personal data collection mechanisms
✅ You have compiled a complete list of all your tools.
✅ You have identified locations where personal data is stored.
🔜 Now you need to identify the sources from which data is collected.
This stage involves examining and analyzing the various collection sources used in your organization. Every means of collection must be listed.
It is important to remember that the collection of personal data must rest on one of the six legal bases established by the GDPR (Article 6 of the GDPR). For each data collection method, the GDPR auditor checks the collection method and ensures that it complies with the GDPR.
In short, the audit of collection mechanisms aims to identify:
- Each source of personal data collection: online forms, paper forms, website cookies, data collected by telephone, etc.
- Whether the data has been collected on one of the following legal bases:
- The contract,
- Consent,
- Compliance with a legal obligation,
- The legitimate interest of the data controller,
- Carrying out a mission in the public interest or in the exercise of public authority,
- Safeguarding the vital interests of the person concerned.
Most of the time, the legal basis used for the collection of personal data is consent (Article 7 of the GDPR). It is therefore essential to ensure that you have proof of consent from data subjects for each piece of personal data collected.
Audit of personal data processing
The next step in the audit is to examine in detail why and how personal data is used within the organization.
In fact, the GDPR requires that you:
- Draw up an exhaustive list of all data processing operations, including collection, recording, consultation, use, transmission or communication, dissemination, profiling, etc.
- Describe the purpose of each processing operation.
- Identify the duration for which the data is processed.
- Record who has access to this data.
- Mention any transfer of such data outside the European Union, where applicable.
In short, this stage involves identifying:
- The purpose of the data: why is it collected? What is it used for?
- The various processing operations carried out: how is this data actually used? What operations are performed on it?
- Pursuant to Article 30 of the GDPR, each organization is required to record all activities relating to personal data in a processing register.
👉 If you already have a processing register, it must be audited to ensure that it contains all the required information and that no processing of personal data has been omitted.
Data security audit
This technical audit aims to identify and analyze risks on personal data stored in databases, tools, servers and networks, as well as on workstations such as computers, tablets and smartphones.
The personal data security audit includes in particular:
- User awareness: this involves assessing the information given to and the awareness of the people who handle data, as well as the drafting of an IT charter.
- User authentication policy: this includes limiting the number of access attempts on an account and adopting a password management policy that complies with CNIL recommendations.
- Authorization management: this includes the removal of obsolete access rights, periodic reviews of authorizations and the definition of confidentiality perimeters.
- Securing workstations: this involves automatic session locking, the use of antivirus software and the installation of a firewall.
- Securing mobile workstations: this includes regular data backup and synchronization, the use of encryption on mobile equipment, and the use of secret codes to unlock business smartphones.
- Protecting the internal IT network: this means securing remote access and implementing the WPA2 or WPA2-PSK protocol for Wi-Fi networks.
- Securing networks: this covers the time taken to install critical updates and the control of access to administration tools and interfaces.
- Securing websites: this concerns input validation, the use of the TLS protocol, and the display of a consent banner for cookies.
- Scheduling regular backups to ensure business continuity in the event of a data breach.
All aspects of data security must be inspected. It is recommended to carry out penetration testing and to audit the procedures to be followed in the event of a data leak, as well as the data anonymization and/or pseudonymization methods.
This audit identifies the areas where security is not assured.
The GDPR audit report
At the conclusion of the GDPR audit, a report is drawn up. This document lists:
- Points that comply with GDPR requirements;
- Points that do not comply with GDPR requirements;
- And the recommendations for corrective action.
The purpose of the GDPR audit report is to establish an exhaustive map of personal data and its processing within the organization.
All the information compiled in this report makes it possible to identify the weaknesses in your GDPR compliance. It serves as the basis for drawing up the GDPR compliance action plan.
This action plan aims to:
- List the security issues concerning personal data;
- Classify these risks in order of priority, according to their seriousness for the company;
- Identify the corrective actions to be implemented, according to a schedule based on their urgency.
Performing a GDPR audit periodically is essential to maintaining your GDPR compliance!