Tuesday, January 21, 2025

GDPR Audit: Compliance Checklist You Need to Know

Organisations that collect or process personal data in the E.U. (European Union) must be GDPR (General Data Protection Regulation) compliant. If you’re reading this, your company is likely an organisation that handles personal data, or you simply want to know more about this subject. To ensure you meet the GDPR requirements before the audit, we’ll provide you with a checklist you must follow. Without further ado, let’s get started…

Raise Awareness

One common mistake that some organisations make is that they do not involve the entire staff in the GDPR audit process. It is usually left to the Data Protection Officer (DPO) and top management. Doing this can leave your company exposed, since the process is not carried out at every level. You can visit dataguard.co.uk to learn why you need to carry out this audit.

Therefore, you must involve all your staff in this process. Emphasize the need for the utmost security and protection. There are a few things you can do to ensure this directive is properly carried out:

  • Identify areas of GDPR non-compliance.
  • Provide physical security for devices carried into and out of the office.
  • Limit employees’ access to users’ information to reduce the number of exit points.

Apart from the actions you take within your company, you also need to be strict with subcontractors and third-party suppliers. Find out whether they are compliant; if they are not, and they refuse to work towards full compliance, partner with other firms that are. Doing business with non-compliant partners puts your company at risk.

Keep Accurate Records of Data Flows

Your customers’ data flows must be accurately recorded. There must be no vagueness about how information flows into and out of the company. With accurate records, you ensure that you stay aligned with the accountability principle set out in the GDPR.

Here is the information you are expected to record:

  • Departments in the company.
  • The personal data type each department records.
  • The steps involved in processing personal data by each department.
  • The individual or group of individuals that handle data processing in each department.

The information above should be compiled into a single, logically organised document. This document must be updated regularly to reflect your organisation’s current personal information management practices. If you have shared incorrect information with your partners or other organisations, make the corrections as quickly as possible.

Communicate Privacy Information

When you collect data from individuals, the GDPR requires you to provide them with further information. In other words, you must communicate the privacy policy in very simple language. Here are some of the details of the privacy policy you are expected to communicate:

  • The process involved in collecting personal data.
  • The lawful reason for collecting the data.
  • What the data will be used for.
  • How long the data will be held.
  • The users’ rights, such as their right to file a complaint when they are not satisfied with the way your company handles their personal details.

You’re also required to provide a detailed but easy-to-understand cookie policy. The purpose of doing this is to inform your users about the website’s active cookies and their use. It’s recommended to employ automated cookie tools for general declarations and audits. These tools will ensure that the cookie policy remains up-to-date. 

Review Individuals’ Rights

You need to review your protection procedures and/or privacy policies so that they meet the GDPR requirements on individuals’ rights. That means you need to explain how personal information will be deleted when you are done with it. You also need to explain how you can make the data available electronically, in a commonly used format and free of charge.

Below are some of the enhanced rights individuals have thanks to the GDPR:

  • Access to their information.
  • Opportunity to have inaccuracies in their data corrected.
  • Portability of data.
  • Deletion of personal data when requested.
  • Prevention of direct marketing.
  • Prevention of profiling and automated decision-making.

Update Subject Access Request Procedures

Subject Access Request (SAR) procedures must be reviewed and updated. This will ensure that requests are handled promptly. Here are some guidelines that will help you handle SARs effectively:

  • In most situations you cannot charge a fee for complying with a request.
  • Instead of the previous 40-day timescale, SARs must be handled within a month.
  • If a request is baseless or excessive, you have the right to refuse it.

When a request is refused, you must provide the individual with a detailed explanation of why you refused it. Furthermore, you have to inform them of their right to lodge a complaint with the supervisory authority if they intend to take legal action. All of this must be done within a month.

You need to determine whether your organisation can deal with a large volume of SARs within the required timeframe. This is crucial if your business is a large one. Can you make additional information available when requested? Here are some things you can do:

  • Create response letters (ensure they are GDPR compliant) to properly address SARs.
  • Update your Subject Access Requests procedures and policies to include new timescales, removal of request compliance fees, and enhanced individual rights.
  • Set up technical procedures for quick processing of personal data in the format required.
  • Develop new policies for quick correction of data inaccuracies as well as a procedure to halt processing when necessary.

Identify, Document, and Explain the Lawful Basis for Processing Personal Data 

Review your organisation’s personal data processing activities and identify the lawful basis that supports each of them. Record it, and ensure the organisation’s privacy notice is updated to state this clearly. Furthermore, you must explain the lawful basis when you respond to SARs.

Your cookie consent banner must be updated with simple, specific, and concise text. Include a button that allows people to opt out if they do not want to give consent.

The best way to create this banner is to use automated cookie software, which lets you easily create customised banners. Apart from the cookie consent banner, you need to review all the methods you use to obtain consent and ensure that every one of them is compliant.

Protect the Data of Children

The GDPR gives special protection to children, who fall under the category of vulnerable data subjects, and as a business you must follow it. If your company deals with children, you need to set up a system that verifies their age. In such cases, the system must be designed to obtain the consent of parents or guardians. In the U.K., any child under 13 years old must have consent from a parent or guardian.

Conclusion

The General Data Protection Regulation is a very stringent piece of security and privacy legislation. Organisations found to be non-compliant are dealt with severely, with penalties reaching millions of euros. This is why carrying out a GDPR audit is so important.

However, if you do not know the guidelines contained in the legislation, your company might not meet the compliance standard even if you carry out the audit. After all, it is not easy to remember everything contained in the 99-article, 88-page legislation. Luckily for you, we have simplified all of that into this easy-to-understand article.
