Conducting a GDPR Compliance Audit


Our GDPR compliance audit checklist will help you set up effective GDPR procedures and controls, or serve as a benchmark for your current processes.

We know it is a long list, but it needs to be! Don't worry if you need to refer to it later; you can simply download our PDF questionnaire.

GDPR procedures & controls to audit

  1. Governance
  2. Responsibilities
  3. Lawful processing
  4. Data security
  5. Data minimisation
  6. Data subject rights
  7. Data breaches
  8. Contracts & suppliers
  9. Human resources
  10. Overseas transfers

A. Governance

The following questions relate to how well prepared your governance, systems and controls are with regard to GDPR. This questionnaire may go into more detail on some of these topics as you work through it.

  1. Do you understand what personal data and special categories of personal data mean for your firm?
  2. Do you have board support or endorsement for all matters pertaining to data protection and compliance with the GDPR?
  3. Do you have a new or revised data protection policy?
  4. Has a Data Protection Officer been appointed, with sufficient knowledge and experience and the autonomy to implement GDPR as required within your firm, and with direct access to the board (or equivalent)?
  5. Has a Data Protection Impact Assessment been completed, and has a plan to address any deficiencies been drawn up?
  6. Is your firm registered with the local data protection supervisory authority, and does the declared data use recorded with them need to be updated or amended?
  7. Have you reviewed your usage of, and contracts with, third-party suppliers and vendors to whom customer data may be passed or who may have access to your systems that contain customer data?
  8. Do you have an appropriate data breach reporting procedure? Do your staff know how to report a breach and whom to report it to?
  9. Do you have a data breach response protocol in place, establishing a pre-planned approach to the initial and ongoing management of a data breach?
  10. Are data breaches reportable via your whistleblowing process?

B. Responsibilities

The following questions relate to your overall understanding of GDPR obligations.

  1. Are you aware of all of your obligations under GDPR?
  2. Do you believe that any staff reporting to you are aware of their obligations under GDPR?
  3. Do you believe that your peers in other key decision-making positions are aware of their obligations under GDPR?
  4. Do you understand what personal data and special categories of personal data mean for your firm?
  5. Can you demonstrate that you have clear and explicit consent from your customers to hold and process the data you hold now?
  6. Have you sent new fair processing notices to your customers, advising them of their new rights under GDPR, such as objecting to or restricting processing, the right to be erased and the portability of their data?
  7. Have you established clear links with your marketing/product development areas to ensure privacy by design?
  8. Are you reviewing your website privacy terms and consents?
  9. Have you mapped a customer journey to identify all data touchpoints, enabling you to exercise a customer's right to be forgotten with ease and confidence?
  10. Do you have a mechanism in place enabling breach identification and reporting within 72 hours of occurrence?

C. Lawful processing

The following questions relate to the lawful basis for the processing of personal data by your team.

  1. Do you know where your customer data is?
  2. Do you know where your customer data comes from?
  3. Where does customer data go around your company, and how does it travel?
  4. Do you know all the types of personal data being processed by your team and the purpose(s) of processing?
  5. Have you considered whether this processing is necessary for the relevant purpose?
  6. Do you know the lawful basis on which this data is collected and processed?
  7. Do you know whether the purpose(s) of processing and the lawful basis are documented in your privacy notice?
  8. If the lawful basis for processing is consent, are you sure that a record is being kept of when and how we obtained consent from the individual, and of what they were told at the time about how and why we would process their data?
  9. Is customer consent obtained via a clear and standalone statement or document, rather than as part of a wider and unrelated set of terms and conditions or declarations?
  10. Do you have a process for notifying a customer that we need to change or add to the reasons for which we currently process their data, explaining why and obtaining their consent for this change?
  11. Do you know when and whom to ask for a data protection impact assessment (DPIA)?
  12. How do you manage data classification and communications? How is special category data treated compared with personal data? Are there any additional controls or access restrictions that you apply?
  13. Have you issued fair processing notices to your customers?
  14. Do you identify child account business separately from all other accounts?
  15. How are you demonstrating that, where applicable (aged 13 in the UK), you have child consent for processing their data and that this consent is suitably informed?

D. Data security

The following questions relate to the security (confidentiality, integrity and availability) of the personal data that is processed by your team.

  1. Would you be able to evidence that your team has taken measures to protect this personal data from external threats?
  2. Would you be able to evidence that your team has taken measures to protect this personal data from internal threats?
  3. Do you clearly communicate to your staff that data theft or misuse of customer data in any way is strictly prohibited, and that the consequences of such activity may be immediate dismissal and even criminal prosecution?
  4. Do you have clear internal policies and training in relation to computer misuse, electronic communications, safeguarding personal data on social media and data protection?
  5. Do you have a record of who (department or individual) has access to customer data in your division and their need for this?
  6. How do you manage internal staff moves, cloned computer access, and access review and control? How is the computer access of temporary or contract staff managed?
  7. Does your internal training clearly demonstrate the serious impact of unauthorised data access or loss, by linking data theft, identity fraud, account takeover and money laundering?
  8. Do you have a clear and easy-to-use breach reporting mechanism?
  9. Can a member of your team report any concerns regarding data security confidentially via your whistleblowing procedures?
  10. Do you have adequate firewalls and virus protection installed?
  11. Do you have clear password policies within your firm, i.e. required length, complexity and expiry times?
  12. Are controls such as a clear desk policy and locked confidential waste bins employed?
  13. Where are your servers located?
  14. What encryption protocols are used?
  15. Do you have a policy regarding the use of portable media devices and laptops, and the procedures to be followed in the event of their loss?
  16. Do you have established protocols for home working, including the transportation of data to home sites?
  17. Is your data retention and destruction policy clear and in line with the requirements of GDPR, while being balanced against other potentially conflicting legislative requirements regarding data retention, such as the Money Laundering Regulations?

E. Data minimisation

The following questions relate to data minimisation and the storage of the personal data that is processed by your team.

  1. Is the collection of your customers' personal data limited to what is necessary for the purpose of processing?
  2. Is there a review or sign-off of your application forms and other data collection media, designed specifically to confirm that only essential data is collected, processed and stored?
  3. Do you know if a retention policy is being applied, i.e. that this personal data is being erased once the purpose of processing is complete?
  4. Do you have a procedure in place, or could you fulfil a request from a customer, to restrict the processing of previously obtained data that is no longer considered necessary for the purpose of processing?
  5. How are you able to balance the requirement to only collect and process data that is limited to the purpose of processing against other conflicting pieces of legislation?
  6. Are you and your staff equipped to identify information that is obtained but not necessary for the purpose of processing, and to delete it or stop recording it? For example, data revealed during a recorded telephone conversation with a customer, or notes made during a customer review, that upon reflection are not required.
  7. Where excessive data is noted as being present, yet is embedded within other relevant text or information, do you have methods of removing or redacting the unnecessary data? (Lord Sugar's cheque is a bad example of redaction.)
  8. Do you align your data collection and processing procedures against the lawful reasons for processing, i.e. to serve a legal or contractual obligation, or being in the vital interests of the individual?

F. Data subject rights

The following questions relate to the rights of individuals whose personal data is processed by your team.

  1. Do you know if individuals are informed of the purpose and lawful basis under which the processing of their data takes place?
  2. How does this notification take place (whether via our privacy notice or otherwise)?
  3. Is the notification in plain English, and so understandable to the non-expert?
  4. Are your notifications (and other relevant information) available in a translated format for non-English speaking customers and/or in other necessary formats such as Braille?
  5. Does your team have systems, procedures and training to comply with individuals' Right of Access?
    1. Have you removed any reference to a fee being charged for a data subject access request?
    2. Refusing to respond to a request would require you to prove to the requesting party that their access request was manifestly unfounded; who will be responsible for making such a decision?
    3. Where information that should be released under an access request is embedded among other customers' information, do you have the means to either extract the relevant information or appropriately redact the non-relevant information? (Lord Sugar's cheque being an example of poor redaction.)
  6. Does your team have systems, procedures and training to comply with individuals' Right to Rectification?
    1. GDPR requires that incorrect data is rectified without undue delay; can your systems respond efficiently enough to demonstrate this?
    2. Are your staff trained to identify and balance the needs and requirements regarding rectification against other matters, such as retention or evidential purposes? I.e. knowing when to rectify and when not to, or when to seek guidance.
  7. Does your team have systems, procedures and training to comply with individuals' Right to Erasure?
    1. Can you efficiently identify all electronic and paper-based records relating to a customer, regardless of where and how they may be stored or located?
    2. Are your systems able to erase customer data permanently?
    3. Are your staff trained to identify and balance the needs and requirements regarding erasure against other matters, such as required data retention or evidential purposes? I.e. knowing when to erase and when not to, or when to seek guidance.
    4. How could you evidence to the data subject, if required, that their data has been deleted?
  8. Does your team have systems, procedures and training to comply with individuals' Right to Restrict Processing?
    1. Do your systems allow for the ringfencing of certain data or data sets, preventing that data from being used?
    2. Are your staff trained and able to recognise the difference between a rectification, erasure, objection and restricted processing request?
    3. Do you have a checklist for staff use, against which to assess a restricted processing request, which details the four grounds on which a subject can request a restriction of processing, to ensure that processing is not incorrectly or inappropriately restricted?
  9. Does your team have systems, procedures and training to comply with individuals' Right to Object?
    1. Do your systems allow for one customer's data to be isolated, extracted or removed from active processing upon their request?
    2. Does an objection to processing cross over all departments in your firm, not just operations but marketing, call centres and counter staff, for example?
  10. Does your team have systems, procedures and training to comply with individuals' rights related to automated decision-making, including profiling?
    1. Do you have a manual system and trained resources available to replace an automated decision-making tool?
    2. Do you have the resource capability to handle multiple requests of this nature?
    3. Is consideration given to how you will evidence to a data subject that a manual review and assessment was made when it reaches the same conclusion and decision?

G. Data breaches

The following questions relate to personal data breaches.

  1. Does your team have systems, procedures and training to recognise personal data breaches?
  2. Does your team know when and to whom to report personal data breaches within our company?
  3. Does your company have a data breach response protocol, with consideration given to the following?
    1. Recording the date, time and location of the breach, and the date, time and location of when the breach was identified
    2. Recording the date and time that the appropriate breach notification procedure was invoked, including when a response protocol was initiated, such as response efforts
    3. When to alert relevant personnel (including any external parties) to begin executing breach response protocols
    4. Initiating relevant internal and external (data subjects, media, etc.) communications, where necessary being advised by your legal and press departments. Remember that what is or is not said can have an effect on your reputation
    5. Securing any affected IT systems to preserve evidence and awaiting any forensic analysis teams required
    6. How to minimise data loss/breaches and prevent further loss/breaches
    7. Interviewing those involved in discovering the breach
    8. Reporting to the police if necessary
    9. Reporting to the data protection supervisory authority (within 72 hours of breach occurrence)
    10. Notifying senior management/board
    11. Keeping every step documented
    12. At completion, debriefing the response protocol to ensure it was efficient, sufficient and fit for purpose
    13. Testing the breach response protocols with a "mock" breach incident

H. Contracts & suppliers

The following questions relate to the use of contractors or vendor suppliers.

  1. Does your company use any contractors or vendor suppliers?
  2. Is any customer data transferred to, or accessible by, these contractors or vendor suppliers?
  3. As part of your procurement process, does your company examine the supplier's data protection policy?
  4. Who in your company reviews such a policy? Are they trained and sufficiently qualified to do so?
  5. Is there a data breach indemnity between your two companies? In whose favour does the indemnity run?
  6. Does your company have agreed protocols with the contractor or vendor supplier, detailing your expectations regarding data minimisation?
  7. Does your company have agreed protocols with the contractor or vendor supplier, detailing your expectations regarding how they would execute a data processing restriction?
  8. Does your company have agreed protocols with the contractor or vendor supplier, detailing your expectations regarding how they would execute a data objection notice?
  9. Does your company have agreed protocols with the contractor or vendor supplier, detailing your expectations regarding how they would execute a right to be forgotten?
  10. Is your contractor or vendor supplier located overseas? What is the adequacy of the data protection regime in that country?
  11. Is your company the data processor? If so, are you clear on the requirements of your appointing data controller?
  12. Do your contracts with the contractors or vendor suppliers (or your appointing data controller) require updating?
  13. Does your company run any formal quality assurance programmes against the published data protection policy of the contractor or vendor supplier?
  14. Does your company run informal quality assurance testing of the contractor or vendor supplier's data protection procedures, such as mystery shopping?
  15. Has your company agreed a data retention and data destruction policy with the contractor or vendor supplier?
  16. Does the contractor or vendor supplier's IT system allow for data portability?
  17. Is there a formal contract/processing review in place?

I. Human resources

The following questions relate to your HR department.

  1. Is your HR department aware that every employee is a data subject, and that GDPR applies to the collection, processing, storage and deletion of employee data as well as customer data?
  2. Has your HR department mapped staff data in the same way as this questionnaire requires for customer data? I.e. a data subject's rights, use of third-party contractors, minimisation of data, rights to object or restrict, etc.?
  3. Are employees provided with a fair processing notice?
  4. Are employees able to object to their data being sent overseas to a parent or related company within the group?
  5. Will your company need to use binding corporate rules for employee data processing?
  6. Will contracts of employment require amendment?
  7. Will your HR department need to obtain revised processing consent for all current and past employees? Remember, they are considered to be processing data even if they are only storing it.
  8. Does or will your HR department view, use or consider the content on employees' or prospective employees' social media sites, for purposes such as checking the legitimacy of sick days, or assessing character suitability for a role?
  9. Do your staff employment contracts allow social media data to be used for business purposes?
  10. Do your job application forms or related essential literature require consent from a prospective employee to review their social media sites, and to use any information contained therein as part of the recruitment process?

J. Overseas transfers

The following questions relate to the transfer of customer data overseas, or the processing of it overseas.

  1. Does your company transfer any customer data overseas?
  2. If yes, is the country of receipt within the EU?
  3. Does your company use any contractors or vendor suppliers?
  4. Does that company transfer any customer data overseas?
  5. If yes, is the country of receipt within the EU?
  6. Are binding corporate rules utilised?
  7. By what method is the customer data transferred overseas?
  8. Are appropriate strong encryption controls utilised?
  9. Is customer consent always sought and obtained before any overseas transfer of data takes place, i.e. by a fair processing notice and consent declaration?
  10. What systems and controls exist around transfers of data overseas, and which suitably trained and qualified person reviews and authorises these controls?

Want to learn more about GDPR?

To help you plan and execute compliance in your organisation, we have created a comprehensive GDPR roadmap.

Our best-selling Compliance Essentials Library and award-winning LMS provide a one-stop compliance training solution, including GDPR compliance e-learning.

Our searchable GDPR compliance glossary explains key terms, and we regularly report on learnings from the largest compliance fines resulting from regulatory breaches.

We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!

If you would like to stay up to date with GDPR best practices, industry insights and key developments across regulatory compliance, digital learning, EdTech and RegTech news, subscribe to the Skillcast Compliance Bulletin.

Last but not least, you can interact in person with thought leaders and your peers at one of our popular live webinars and face-to-face events.

If you have any questions or concerns about compliance or e-learning, please get in touch.

We're happy to help!
