The General Data Protection Regulation (GDPR) is one of the most stringent data protection laws in the world. Though the law aims to protect the privacy and security of European Union (EU) citizens, its impact isn’t limited by geography. If you are contemplating becoming GDPR compliant, we’ve curated a GDPR audit checklist for you to follow. Did you know that GDPR as a framework does not require you to undergo an audit? Still, if you are non-compliant, the repercussions could run to millions of dollars in administrative fines.
We’ve included a comprehensive GDPR internal audit checklist you can follow at the end of the article. This will help you ensure your organization meets the requirements.
The GDPR audit checklist is long and exhaustive, isn’t it? We’ll let you in on a little secret.
Eat the Elephant bit by bit.
To be compliant with every section of GDPR, ensure that you are covered in the ten areas mentioned below.
GDPR Audit Requirements
- Data Protection Officer (DPO)
- Roles and Responsibilities
- Scope of Compliance
- Personal Information Management System (PIMS)
- Information Security Management System (ISMS)
- Rights of Data Subjects
Area 1: Governance
You must ensure that the security standards and organizational policies you define are applied consistently throughout the data processing life cycle. To ensure continuous data governance, abide by these six principles:
- Lawful, Fair, and Transparent
- Purpose Limitation
- Data Minimization
- Accurate Data Collection and Storage
- Storage Limitation
- Integrity and Confidentiality
When an auditor combs through your policies and security standards, they will look for evidence that corroborates your claim of maintaining data integrity, security, and confidentiality.
If you are a Data Controller, always have a presentable and accurate data map and periodic GDPR audit reports.
Area 2: Risk management
As an organization processing personal data, you must continually assess the level of risk your organization is exposed to and deploy security measures that counter that risk.
Periodically run Data Protection Impact Assessments (DPIAs). Use the assessed impact on the data to determine the resulting risk level.
Area 3: GDPR Project
Becoming and remaining GDPR compliant is an organization-wide activity. Unless every team member, starting from the top of the hierarchy, is involved, you will likely run into difficulties keeping it up.
Run GDPR audits to determine whether your organization is adequately staffed to take on a challenge like this and whether every stakeholder in the organization is supportive of this activity.
Area 4: DPO
A Data Protection Officer (DPO) is the point of contact between your organization and supervisory authorities during an audit.
Here are the three conditions that determine whether appointing a dedicated DPO is mandatory for an organization:
- You process large amounts of sensitive personal data or data relating to criminal history
- Your data processing is carried out by a public authority
- You are required to monitor your data subjects constantly and on a large scale
If your organization is required to appoint a dedicated DPO, ensure that the person filling the position is able to deliver on GDPR’s compliance requirements.
Area 5: Roles and Responsibilities
Before beginning your GDPR compliance journey, define roles and assign responsibilities to them. Some duties will relate to data processing, some to technical security, and some to internal training.
This helps you continuously monitor your internal systems and their contribution to an effective compliance posture. It also supports effective training, onboarding, and offboarding.
Area 6: Scope of Compliance
Define the scope of your compliance. As an organization processing user data, it is imperative to define the type, intent, and duration of your data processing activities. In addition, it is a healthy practice to map your data, record internal and external data flows, and have processes in place to ensure data integrity for any transfers to third countries.
Area 7: Process Analysis
Article 30 of GDPR requires organizations to maintain transparent and accurate records of their data processing activities. As an organization processing user data, your technical and organizational controls should be built around protecting that data. A GDPR audit should provide evidence of how well you comply with each of the principles and requirements defined by GDPR.
Area 8: PIMS
Processing user data requires you to produce a large volume of documentation in the form of Standard Contractual Clauses (SCCs), Data Protection Impact Assessments (DPIAs), and Records of Processing Activities (RoPA), among others.
The larger the organization, the larger the volume of documentation involved.
Bringing in a PIMS allows you to streamline your documentation processes and be ready to provide evidence when a GDPR supervisory authority demands it.
The PIMS requirements defined in ISO 27701 were implemented in the GDPR framework, hence the similarity.
Area 9: ISMS
To become and remain GDPR compliant, an organization must demonstrate the measures it has implemented to secure user data in electronic form. This includes secure coding practices, periodic penetration tests to look for vulnerabilities in the security posture, and certifications, among others.
GDPR does not provide a detailed list of ISMS requirements. However, adopting the ISMS requirements in an ISO 27001 checklist is the best way to get started.
Area 10: Rights of Data Subjects
Every data subject protected by GDPR is entitled to a set of rights. As an organization processing user data, you must implement processes that let you act on any request a user makes when exercising those rights.
The rights of data subjects under GDPR are:
- The Right to be Informed
- The Right to Rectification
- The Right to Erasure
- The Right to Restrict Processing
- The Right to Object
- Rights concerning Automated Decision-making and Profiling
Disclosure Audit Checklist
Your organization must clearly state what user data it intends to collect and the purpose for collecting it. In addition, all of this information should be available in one easy-to-access location, without confusion.
Here’s a list of things you’d need in your disclosure checklist:
Include details about your approach toward security and privacy. Describe the personal and non-personal data you intend to collect and how you intend to use it.
- Data Retention Policy
Your Data Retention Policy should state how long you intend to keep user data. Ensure that you do not exceed the retention period. Where you keep data for a longer duration, ensure that it is pseudonymized or anonymized.
- Data Transfers to third countries
If you are transferring data to processors in third countries, describe the conditions that must be met before such transfers take place.
- Data Protection Policy
Describe all the security measures you have in place to ensure data security per GDPR requirements.
- Contact Information
Provide your organization’s legal address, contact information, and ways to reach your Data Protection Officer. If you don’t have a DPO, provide the contact details of the person filling that role.
If your organization does not collect the user data of children, present this disclaimer in a bold and easily visible format:
‘This website is available only to individuals at least 16 years old.’
Otherwise, include a checkbox that obtains parental permission.
- Cookies and Payments
Describe the GDPR cookie consent mechanisms you use and how payments are processed across the organization, for example POS, e-commerce, etc.
Registration Page Checklist
When designing your registration page, ensure that it is clean and straightforward. Here are a few other things you should look out for:
Give a granular breakdown of the data you are collecting and allow users to select which marketing collateral they wish to receive from you. Make it easy for users to opt in: instead of a single checkbox for consent, include multiple checkboxes, each dedicated to a specific function.
Include a section where users can explicitly consent to your organization’s terms and conditions.
Download your GDPR Audit Checklist
Here’s a consolidated GDPR audit checklist of all the documents your organization would need:
- Data Retention Policy
- Inventory of Processing Activities
- Incident Response Policy
- Data Breach Notification policy (used when notifying the GDPR authorities about an incident)
- Data Breach Notification to Users
Data Protection Checklists
GDPR does not explicitly list a set of security measures for you to follow. However, you are expected to present a security posture that honors the principle of protection by design and protection by default.
Why Choose Sprinto for Your GDPR Audit?
When your organization starts its GDPR compliance journey or adds patchwork to the existing structure, the GDPR Audit Checklist could be a significant first step. However, implementing all the principles, articles, and technical requirements could become expensive and inefficient if done incorrectly.
Sprinto automates the compliance process and continuously monitors your compliance posture to ensure you’ve not left any critical activity unattended. Our inclusive design also gives you a single-channel view of the whole compliance program. Our built-in training modules also let you deliver training programs on a team-by-team basis if required. Talk to us today to understand your organization’s GDPR compliance scope.