How to Audit for GDPR Compliance?

Auditing for GDPR Compliance

Conducting regular General Data Protection Regulation (GDPR) compliance audits is a necessity for any business subject to this wide-reaching data protection legislation. Audits help not only to avoid the substantial penalties associated with non-compliance, but also to give you a better understanding of how your organisation actually works with personal data.

As well as allowing you to discover risks and flaws in your operation, regular GDPR compliance audits demonstrate to regulators the reasonable steps you have taken to maintain compliance and your efforts to improve overall security.


While regular GDPR compliance audits are crucial, many organisations still require some guidance regarding how to effectively examine their operation and evaluate if the required standards are truly being met. As such, below are six questions to ask when starting the process of auditing your organisation for GDPR compliance.

1) What are the Rights of Your Data Subjects?

To start this process, it is a good idea to first consider the fundamentals that underpin the GDPR. Accordingly, you must be informed about the rights of data subjects. In addition to the rights related to automated decision making, including profiling, the following are the rights afforded to individuals under the GDPR:

  • To be informed

  • To object

  • To data portability

  • To rectification

  • To erasure

  • To restrict processing

  • To access

2) What Types of Personal Data Do You Collect?

In addition to the individual rights, an essential step is clarifying the data you collect and how different types are defined according to the GDPR. GDPR classifies personal data into two categories.

The first category of personal data is the basic information that can help in individual identification and includes:

  • Subject names

  • IP addresses

  • Identification numbers

  • Physical addresses

  • Phone numbers

  • Location data

  • Email addresses

The second is defined as 'special categories of personal data'. Being more sensitive in nature, and therefore requiring a higher level of protection, this 'special category' includes personal data relating to an individual's:

  • Race

  • Ethnic origin

  • Political opinions

  • Religious or philosophical beliefs

  • Trade union membership

  • Genetic or biometric data (where this is used for identification purposes)

  • Health data

  • Sex life; or

  • Sexual orientation

3) How Do You Collect this Data?

Write down your sources for the subject data you collect, ideally documenting whether you collected the data from third parties or directly from the data subjects.

You should be able to differentiate the methods used to gather this data and be able to show proof that the consent of the data subject was obtained for the collecting and processing of their data. Additionally, be sure to document that the data subjects were aware of your data policy at the time of collection.

4) Why Do You Hold This Data?

When considering the personal data being held, as well as the processing of this data, organisations must have a valid lawful basis for doing so. The lawful basis must be determined before any personal data is processed.

There are six lawful bases that can be used: legitimate interests, consent, contract, legal obligation, vital interests, or public task. Accordingly, organisations are required to document the purposes for collecting personal data.

For instance, you may indicate that you collect and store the information for service maintenance purposes, product development or improvement, and system maintenance, among others. You should also be able to show proof of the exact purpose for gathering this data and the lawful basis for using it.

5) How Long Do You Retain Data?

Under the principle generally known as 'storage limitation', the GDPR clearly states that personal data held by organisations cannot be kept indefinitely without a valid basis, and must only be retained for as long as the stated purpose requires.

How long you retain data will vary depending on your purpose, though in order to comply with documentation standards you are required to produce a policy setting standard retention periods wherever possible.

It is also worth noting that the UK's data protection regulator, the Information Commissioner's Office (ICO), recommends conducting periodic reviews of the data you hold, and erasing data that is no longer needed.

6) What are Your Data Protection Policies?

By documenting and communicating what people need to do and why, policies and procedures provide clarity and consistency to your data protection efforts.

Where proportionate, the GDPR specifically requires these policies to be in place, and though their required level of detail varies, the policies are an essential step in complying with legal obligations.

Put clearly, the data protection watchdog (ICO) asserts that you are required to have policies and procedures which "ensure data protection issues are considered when systems, services, products and business practices involving personal data are designed and implemented, and that personal data is protected by default."

Additionally, one of the most important aspects of your data protection policy should be staff awareness: the data authority states that staff are required to have read and understood these policies, and that staff must be updated on any changes made to these documents.


GDPR Compliance

With potential fines for GDPR non-compliance currently set at £17.5 million or 4% of annual global turnover, whichever is greater, as well as the potential reputational costs, it has never been more important for organisations to ensure they are meeting data protection standards.

Both legally and ethically, the protection of personal data is the responsibility of any organisation dealing with this form of information. By asking these questions and completing regular audits, your organisation helps to ensure that individuals, clients, and staff can trust you to use their information fairly and responsibly.
