- Assess the legal, organisational and technical aspects of your organisation with easy-to-use interactive forms
- Legal: link measures taken to legal bases, manage subcontractor contract compliance, and more
- Organisational: identify the procedures to be implemented regarding security incidents, personal data breach management and data subject requests (DSAR)
- Technical: assess the technical security measures taken to deal with data processing risks such as data transfers
- For guidance on the management basics, use our templates to assess your organisation’s compliance level, whether or not you have a DPO
Describing an organisation’s compliance level and identifying existing gaps and non-compliances is one of the first steps in working toward GDPR compliance. It requires a true audit in which the legal, organisational and technical aspects of the data processing performed by an organisation are carefully analysed.
The GDPR audit can be conducted at the same time as data mapping, or immediately afterward. The audit helps you determine your organisation’s maturity level in terms of personal data protection. It lays the foundations of your GDPR management by helping you establish a precise roadmap, identify the key compliance players (data controller, DPO, subcontractor, service providers, supervisory authority, etc.), assign them tasks and, most importantly, establish a GDPR compliance schedule.
A GDPR audit is a fundamental step for protecting the personal data circulating in your organisation.
A GDPR audit has three aspects:
- Legal: verify the legal basis (consent, contract, etc.) on which each personal data processing activity rests, the purposes for which it is carried out, and the level of contract compliance
- Organisational: review the internal procedures deployed to deal with security incidents, data breaches and data subject requests (personal rights)
- Technical: review the technical security measures implemented by the organisation to effectively respond to data processing risks — especially when sensitive data is involved (leaks, hacking, etc.) — and to ensure effective protection of personal data