Key points to successfully conduct your GDPR audit

The GDPR audit is a key step towards compliance for businesses and for all private or public organizations. The CNIL has indicated that mapping the entire range of processing activities is one of the essential steps of a successful action plan, alongside the designation of a GDPR pilot and the management of GDPR risks.

We offer here some advice and best practices on GDPR audits, so that this mandatory step becomes an effective compliance tool and a new stage in the responsible use and valuation of personal data.

Why conduct a GDPR audit?

Conducting a GDPR audit of all personal data processing activities may appear to be a burdensome step, but it is in fact the preliminary step to any compliance work. The audit allows the organization to review its current level of data protection compliance. It is not an end in itself but the beginning of the GDPR implementation process, whose objective is a global and exhaustive overview of the various processing activities.

A 360-degree vision

The GDPR audit must not be limited to listing all the personal data processed and the processing operations. Rather, it involves:

  • assessing the relevance of the processed data, from its collection to its retention;
  • tracking the various data processing operations and their history;
  • questioning providers and subcontractors on their data protection policies;
  • attesting to the tools implemented to allow data subjects to exercise their rights (right of access, right to be forgotten, right to portability) and to ensure transparency;
  • verifying the level of personal data security and the measures implemented (encryption, firewall, antivirus, etc.).

A specific GDPR audit?

This analysis gives an objective and comprehensive view, which then makes it possible to implement concrete and appropriate measures tailored to the needs of each entity. Analyzing processes and documentation may seem laborious, but it deserves real attention because it is the first step in your compliance process.

This exercise also involves complex and technical legal concepts, and it is necessary to fully understand the scope and implications of the concepts involved. A misunderstanding of these elements (for example, which measures must or must not be implemented) will necessarily lead to a flawed audit and, as a result, a flawed compliance plan.

Why designate a compliance officer?

The designation of a Data Protection Officer (DPO) is crucial for ensuring compliance. The DPO is the person responsible for GDPR compliance and the compliance lead who will conduct the audit. Their role is central to ensuring access to all necessary information, including contractual documentation, the organization's history under the French Data Protection Act (loi Informatique et Libertés), and projects involving new data processing activities.

The DPO, as GDPR pilot, must also mobilize all employees and relevant personnel, as well as the technical and IT teams, to verify that no aspect has been overlooked. This is not only about conducting a comprehensive audit but also about laying the foundations of the GDPR documentation.

To learn more about the key role of the DPO, see how an outsourced DPO works.

GDPR Audit: What Approach?

A GDPR audit must rely on interactive and dynamic tools, as well as on rigorous standards and methods. This type of audit differs from other types of audit (product audit, process audit and system audit), but the objective remains the same: a comprehensive verification of processes against identified requirements, a study of the entire process and of the role of each actor.

In addition, please refer to our comprehensive file on GDPR controls and sanctions by the CNIL to better understand the regulator's requirements.

The quality of this audit must be considered in advance. The CNIL [1], along with other supervisory authorities (notably the UK ICO [2]), have specified their requirements and implemented their own frameworks and labels. They have also proposed best practices, which are tools available to best support the audited organizations.

The audit must therefore incorporate strong requirements regarding the reference frameworks used, the identification of the audited entities, the identification of the processing operations and their lawfulness, and the study of security.

It must also take into account other procedures already initiated or in place within the companies or organizations concerned (for example as part of a quality approach, CSR, the ISO/IEC 27001 or ISO/IEC 27552 standards, or the AFNOR ISO/IEC 29151 generic privacy protection best practices).

Selecting a law firm to conduct a GDPR audit offers the dual advantage of strong expertise in data protection law and of legal counsel throughout the process.

Conducting an audit can also be an opportunity to involve different partners and gather diversified skills, provided that the roles and responsibilities of each of the actors involved (law firms, consulting firms, IT service providers and IT security experts) are clearly defined.

Method: How to start a GDPR audit?

A GDPR audit must be exhaustive and effective. To this end, it is important to quickly establish an overall framework for the review. For this reason, the following should be prioritized:

  • a training and information session aimed at mobilizing the organization around the project;
  • a questionnaire that systematizes all the questions to be asked and establishes a framework for the audit;
  • the collection of information on the audited organization and its development issues;
  • monitoring of legal developments in the audited area of activity and its specific issues;
  • the compilation of measures taken prior to the GDPR coming into effect (declarations or authorizations to the CNIL, appointment of a DPO, etc.);
  • the use of effective GDPR compliance tools, which ensures an efficient and comprehensive audit.

Mapping

The audit aims to produce a synthetic mapping of all personal data processing activities, from collection to deletion or destruction. This mapping must also cover data stored in paper form (archives, listings, etc.), which is easily overlooked.

The mapping exercise follows this procedure:

  • Identify personal data (such as IP addresses, MAC addresses or lifestyle-related data).
  • Classify personal data by category and identify sensitive data (personal identification data, health data, banking data, etc.).
  • Assess the relevance of the collected data, with a view to minimization and proportionality.
  • Identify the different processing operations carried out on personal data. The concept of processing encompasses any operation, or set of operations, relating to such data, regardless of the method used (collection, recording, organization, storage, adaptation, modification, extraction, consultation, use, communication by transmission or dissemination, or any other form of making available, linking or interconnection, locking, deletion or destruction, …).

The following must also be taken into account:

  • Identify the different actors and their responsibilities (data controller, processor, sub-processor, etc.), a fundamental condition for defining a clear framework and revising the contractual documentation.
  • Note the procedures implemented, or not implemented, to ensure the rights of individuals and compliance with the rules on consent.
  • Trace any international transfers of data (notably through the use of subcontractors and service providers outside the EU, or the use of cloud services) so that they can be given the necessary safeguards.
  • Review the data security measures in place to ensure a level of security appropriate to the risk.

GDPR Audit: And after?

Once all of these questions have been answered and a comprehensive overview of the processing operations has been drawn up, an audit report is drafted that takes into account all of the elements collected.

This audit report results in a GDPR action plan tailored to your organization, listing the various tasks by priority. Finally, solutions adapted to your needs are proposed as part of your compliance efforts.

This audit may also serve as a basis for the documentation to be established under the accountability principle.

The GDPR audit also allows every processing activity to be questioned against the principles of the GDPR and of the French Data Protection Act (loi Informatique et Libertés), such as proportionality and minimization.

With this in mind, the audit should also prompt a reflection on data governance and usage. Furthermore, deploying privacy-by-design tools usually presupposes a comprehensive technical and legal approach that must be considered upstream, in order to develop applications and solutions that are more respectful of privacy. In the case of the most complex environments

Other essential aspects of GDPR compliance: effective data governance and the importance of the DPIA (Data Protection Impact Assessment).

Effective data governance is a concept derived directly from Article 5 of the GDPR. It means that implementing internal policies and technical and organizational measures is not sufficient on its own: these measures must remain effective over time, from the collection of data to its deletion, including its security and its use in compliance with the GDPR. In other words, effective governance is not frozen in time. It requires constant adjustments, regular reviews and rigorous controls and audits to adapt to new challenges and ensure sustainable protection of personal data.

Such governance is based on several fundamental elements:

  • The internal organization and the DPO's role: the DPO's designation and the resources allocated to them are essential for steering compliance, particularly by involving the DPO from the outset in the design of processing operations. The CNIL refers to the DPO as an "essential link in data governance" [3], stating that "GDPR places […] him as a key player in the governance of personal data systems" [4].
  • The monitoring of contractual obligations: in the relationship between the data controller and the processor, regular and satisfactory controls are essential, as specified by the CNIL in its decision SAN-2022-018 concerning Infogreffe [5].
  • The management of compliance incidents and requests: a structured governance framework must provide procedures for managing personal data breaches and requests from data subjects to exercise their rights.
  • Effective governance also involves integrating the DPIA into internal processes to ensure compliance and prevent risks.

The absence of a structured governance framework with such parameters may result in serious breaches of the GDPR and significant penalties, as demonstrated by the case of the company Discord.

The example of Discord: a sanction particularly related to a governance deficit.

In November 2022, the CNIL sanctioned Discord Inc. [6] with a fine of €800,000 for several infringements of the GDPR, including the failure to conduct a DPIA (Article 35 GDPR [7]). Discord, which operates a communication platform widely used by a young audience, collected and processed a large volume of personal data. However, the company had not carried out a thorough assessment of the risks related to these processing operations by conducting a DPIA.

Here, the failure is directly linked to a lack of data governance: an organization with robust governance would have implemented clear internal processes to identify high-risk processing activities and trigger a DPIA when necessary. The absence of such a process reveals a deficiency in the management of personal data within the organization.

Effective data governance does not stop with the DPIA. It also relies on equally essential tools such as the register of processing activities required by Article 30 of the GDPR. Since June 2024, the CNIL has issued 11 sanctions under its simplified procedure against several organizations, some of them for the absence of such a register, including two companies with fewer than 250 employees. This register, which among other things lists the collected data, its purposes and who has access to it, is, according to the CNIL, "a tool for piloting and demonstrating compliance" [8].

Aumans Avocats: specialists in IT/Data, data protection and DPO outsourcing

As a law firm specializing in IT/Data and data protection, we are at your disposal to assist you with all your projects. Whether you are a startup, an SME or a group of companies, our expertise will allow you to navigate smoothly through the complex landscape of regulation and compliance. Do not hesitate to contact us to benefit from personalized advice and secure your digital future.


Sources

  1. https://www.cnil.fr/fr/les-labels-cnil
  2. https://ico.org.uk/media/for-organisations/documents/1533/auditing_data_protection.pdf
  3. https://www.cnil.fr/sites/cnil/files/atoms/files/guide_pratique_rgpd_-_delegues_a_la_protection_des_donnees.pdf, p. 2
  4. https://www.cnil.fr/sites/cnil/files/atoms/files/guide_pratique_rgpd_-_delegues_a_la_protection_des_donnees.pdf, p. 4
  5. https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000046280956, pt. 46
  6. https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000046562676
  7. https://eur-lex.europa.eu/eli/reg/2016/679/oj?locale=fr
  8. https://www.cnil.fr/fr/onze-nouvelles-sanctions-procedure-simplifiee
