GDPR audit. Create a roadmap to GDPR compliance

Many IT companies have a very complicated structure of personal data processing from a GDPR point of view. Such companies often do not audit their data processing activities and therefore start from a GDPR compliance plan that is wrong from the outset.

We have developed a GDPR audit procedure to analyze a client's personal data processing practices properly and to produce an accurate roadmap to GDPR compliance.

What is GDPR audit?

A GDPR audit is an analysis of your company's personal data processing practices that establishes which GDPR requirements apply in your case and identifies possible pitfalls for the subsequent compliance process.

You receive three main documents at the end of the GDPR audit:

Audit and Gap Assessment

A comprehensive document presenting the results of the audit. It specifies which GDPR provisions apply to you, whether your processing activities comply with those provisions, and which technical and organizational measures you should implement to remedy the privacy flaws identified.

Data Flow Map

A visualization of your data processing activities. It shows the sources from which you receive personal data, the processing operations the data are involved in (e.g. storage, processing for marketing purposes, compilation, deletion), the recipients to whom you transfer the data, and the role you hold under the GDPR for each flow (controller or processor).

Action Plan

A plan of successive steps for preparing and structuring the GDPR documents for your company. It summarizes the conclusions of the Audit and Gap Assessment and the Data Flow Map and provides an action plan that helps your company allocate resources and plan the next steps towards GDPR compliance.

Below is a simple generic example of a Data Flow Map for a small B2C product company:

What are the benefits of GDPR audit?

A GDPR audit confronts you with the reality of how your company processes personal data. We consider preparing GDPR documents and starting a compliance procedure without first conducting an audit to be as unreasonable as groping your way forward in complete darkness.

A GDPR audit allows you to:

  • consolidate information on the protection of personal data to facilitate the development of GDPR documents;
  • rationally allocate resources for GDPR compliance, e.g. the time needed to develop GDPR documents and the time of the employees involved in developing them;
  • avoid numerous later amendments caused by incomplete information at the very beginning;
  • set priorities and clear stages for implementing and introducing GDPR documents and procedures for your data processing activities;
  • provide the necessary information and details to management and to the team leaders responsible for staff training and GDPR compliance;
  • identify the areas that should be periodically re-audited and updated as new regulations, policies etc. are introduced.

How to conduct GDPR audit?

A GDPR audit consists of several simple steps involving cooperation between your company and the GDPR advisers. A well-developed audit mechanism allows both parties to keep the time spent on it to a minimum.

The steps of a GDPR audit are:

Step 1: Questionnaire:

  • An introductory call or online meeting to discuss and understand the specifics of your work;
  • You answer a questionnaire created specifically for you, taking into account the specifics of your company, e.g. IT outsourcing company or product company, B2B or B2C;
  • Analysis of your company's website, mobile app, public information about your known contractors etc. to clarify the data processing activities you are involved in.

Step 2: Focused discussion of your case:

  • The GDPR advisers conduct a preliminary comparison and comprehensive analysis of the questionnaire answers and the gathered information;
  • You provide clarifications on those aspects of your data processing mechanics that remain unclear after analysis of the questionnaire;
  • The final status of your data processing mechanics is agreed before preparation of the documents begins.

Step 3: Preparation of GDPR documents:

  • Preparation of the Data Flow Map, based on the results of the previous discussions and answers;
  • Preparation of the Audit and Gap Assessment, based on the Data Flow Map;
  • Preparation of the Action Plan, taking into account the prepared documents and the previously gathered information.

Step 4: Delivery and discussion of GDPR audit results:

  • Delivery of the prepared documents and explanation of the GDPR audit results;
  • A concluding call or online meeting to discuss remaining questions, clarify specific audit findings and discuss implementation of the Action Plan.

The next and most important step after completion of the GDPR audit is the preparation of the necessary GDPR documents and implementation of the Action Plan based on the audit results. Without this step, a company cannot achieve GDPR compliance.

Additionally, we want to emphasize the importance of a GDPR audit for complicated projects, for example:

  • data broker companies;
  • traffic arbitrage businesses;
  • data enrichment/progressive profiling projects;
  • companies that process medical, biometric and other sensitive data etc.

The GDPR imposes serious data processing and security requirements, so a procedure such as a GDPR audit helps you assess the privacy issues in your company, determine the major and minor deviations from GDPR requirements and create a roadmap to GDPR compliance tailored to your case.
