Who can audit for GDPR and what is the end result of an audit?

The EDPB does not legally require an audit to be conducted. However, it is always advisable for organizations to prepare for an internal or third-party assessment to discover their compliance status and GDPR gaps. This gives organizations direction on how to implement the necessary measures. Entities authorized to conduct audits include:

  • Supervisory authorities: In the EU, the responsibility for performing GDPR audits rests with the national Data Protection Authorities (DPAs) of each member state. These bodies check that you have complied with GDPR and have the mandate to investigate and possibly fine you.
  • Internal auditors: There are two ways in which internal GDPR audits can be run to determine the compliance level. Such audits help identify where your organization does and does not comply with GDPR.
  • Third-party auditors: Organizations can hire independent third-party GDPR specialists or auditors to check their compliance. This is not obligatory, but it increases the effectiveness of the evaluation and contributes to its neutrality.
  • Certification bodies: Certain organizations seek certification under mechanisms such as ISO/IEC 27701 that have been approved under GDPR; certification under such mechanisms involves certification bodies that audit GDPR compliance.

After you have completed your audit, you can expect:

  • Compliance report: You will be provided with a comprehensive GDPR compliance report containing information on your organization's compliance with GDPR requirements, together with sections on non-compliance and possible recommendations.
  • Remediation plan: Where any instance of non-compliance is detected, the audit will lead to recommendations on how best to fix the problems or deficiencies.
  • Possible fines and penalties: If the audit was performed by a supervisory authority and violations are found, the organization faces fines, legal sanctions, or corrective orders. GDPR violations can be penalized with fines of up to 20 million euros or 4% of your worldwide turnover.
  • Certification (optional): If an organization is interested in certification, a favorable audit by a certification body means the organization can be issued a GDPR compliance certificate.

Sprinto can get you GDPR compliant and help you demonstrate your GDPR compliance with reports. Sprinto network auditors can also help with GDPR audits for the Security controls under GDPR.
