The General Data Protection Regulation (GDPR) has been in force since May 2018 and remains the most far-reaching data protection framework in the world, applying to any organisation that processes personal data of EU or UK residents regardless of where the organisation is based. A GDPR compliance audit is an independent assessment of how effectively an organisation meets its obligations under the regulation. Whether conducted internally, by a specialist assessor, or as part of a broader governance review, the audit provides a structured picture of your data protection posture — and where gaps exist.
GDPR Key Requirements at a Glance
GDPR imposes obligations across the entire lifecycle of personal data. The foundational requirements auditors assess include:
- Lawful basis for processing: Every processing activity must rest on one of six legal bases — consent, contract, legal obligation, vital interests, public task, or legitimate interests.
- Data subject rights: Organisations must have processes to respond to access requests, erasure requests, portability requests, and objections within statutory timeframes (typically one month).
- Privacy notices: Transparent, plain-language notices must explain what data is collected, why, how long it is kept, and with whom it is shared.
- Records of Processing Activities (RoPA): Article 30 requires most organisations to maintain a documented inventory of processing activities.
- Data Protection by Design and Default: Privacy considerations must be built into new systems and processes from the outset.
- Data breach procedures: Breaches must be assessed promptly; notifiable breaches must be reported to the supervisory authority within 72 hours.
What Auditors Examine
A GDPR compliance audit is not a tick-box exercise. Experienced auditors look for evidence that controls are operational — not just documented. Key areas of scrutiny include:
Data Protection Impact Assessments (DPIAs): Article 35 requires DPIAs for high-risk processing activities. Auditors check whether the organisation has a DPIA methodology, correctly identifies when one is required, and completes them before processing begins.
International data transfers: Following the Schrems II ruling and subsequent developments, auditors examine whether appropriate transfer mechanisms are in place — EU Standard Contractual Clauses (SCCs), adequacy decisions, or Binding Corporate Rules — and whether Transfer Impact Assessments have been conducted for high-risk destinations.
Processor management: Article 28 requires written data processing agreements with all processors. Auditors will sample your supplier agreements to verify compliance.
Consent management: Where consent is the legal basis, it must be freely given, specific, informed, and unambiguous. Auditors assess consent mechanisms, records of consent, and withdrawal processes.
Who Needs a GDPR Audit and What Are the Penalties?
Any organisation that processes personal data of EU or UK residents benefits from regular GDPR audits. A compliance audit is particularly important for:
- Organisations undergoing due diligence for mergers, acquisitions, or investor reviews
- Businesses facing a data breach or regulatory enquiry
- Companies entering new markets or launching new data processing activities
- Organisations that have not reviewed their data protection practices since implementation in 2018
GDPR penalties can reach €20 million or 4% of global annual turnover (whichever is higher) for the most serious infringements. Lower-tier fines of up to €10 million or 2% apply to procedural breaches. Beyond fines, supervisory authorities can issue reprimands, corrective orders, and temporary or permanent bans on processing. A proactive audit is substantially cheaper than a reactive enforcement action.