Our GDPR compliance audit checklist will help you establish effective GDPR procedures and controls or serve as a benchmark for your existing processes.
We know it's a long list - but it needs to be! Don't worry if you need to refer to it later; you can just download our PDF questionnaire.
GDPR procedures & controls to audit
- Lawful processing
- Data security
- Data minimisation
- Data subject rights
- Data breaches
- Contracts & suppliers
- Human resources
- Overseas transfers
A. Governance, systems and controls
The following questions relate to how well prepared your governance, systems and controls are for GDPR. This questionnaire goes into more detail on some of these topics in later sections.
- Do you understand what personal and special categories of personal data mean to your firm?
- Do you have board support or endorsement for all matters pertaining to data protection and compliance with the GDPR?
- Do you have a new or revised data protection policy?
- Has a Data Protection Officer been appointed with sufficient knowledge, experience and autonomy to implement GDPR as required within your firm, and with direct access to the board (or equivalent)?
- Has a Data Protection Impact Assessment been completed, and has a plan been drawn up to address any deficiencies?
- Is your firm registered with the local data protection supervisory authority, and does the data use you have declared to them need to be updated or amended?
- Have you reviewed your usage and contracts with third-party suppliers and vendors to whom customer data may be passed or who may have access to your systems that contain customer data?
- Do you have an appropriate data breach reporting procedure? Do your staff know how to report a breach and whom to report it to?
- Do you have a data breach response protocol in place, establishing a pre-planned approach to the initial and ongoing management of a data breach?
- Are data breaches reportable via your whistleblowing process?
B. Understanding GDPR obligations
The following questions relate to your overall understanding of GDPR obligations.
- Are you aware of all your obligations under GDPR?
- Do you believe that any employees reporting to you are aware of their obligations under GDPR?
- Do you believe that your peers in other key decision-making positions are aware of their obligations under GDPR?
- Do you understand what personal and special categories of personal data mean to your firm?
- Can you demonstrate that you have clear and explicit consent from your customers to hold and process the data you hold now?
- Have you sent new fair processing notices to your customers, advising them of their new rights under GDPR, such as objecting or restricting processing, the right to be erased and the portability of their data?
- Have you established clear links with your marketing/product development areas to ensure privacy by design?
- Are you reviewing your website privacy terms and consents?
- Have you mapped a customer journey to identify all data touchpoints, enabling you to exercise a customer's right to be forgotten with ease and confidence?
- Do you have a mechanism in place enabling breach identification and reporting within 72 hours of occurrence?
C. Lawful processing
The following questions relate to the lawful basis of processing personal data by your team.
- Do you understand where your customer data is?
- Do you know where your customer data comes from?
- Where does customer data go within your company, and how does it travel?
- Do you know all the types of personal data being processed by your team and the purpose(s) of processing?
- Have you considered if this processing is necessary for the relevant purpose?
- Do you know the lawful basis on which this data is collected and processed?
- Do you know whether the purpose(s) of processing and the lawful basis are documented in your privacy notice?
- Where the lawful basis for processing is consent, are you sure that a record is being kept of when and how you obtained consent from the individual, and what they were told at the time about how and why you would process their data?
- Is customer consent obtained via a clear and standalone statement or document, rather than being part of a wider and unrelated set of terms and conditions or declarations?
- Do you have a process for notifying a customer that you need to change or add to the reasons for which you currently process their data, explaining why and obtaining their consent for this change?
- Do you know when and whom to ask for a data protection impact assessment (DPIA)?
- How do you manage data classification and communications? How is special category data treated compared to personal data? Are there any additional controls or access restrictions that you apply?
- Have you issued fair processing notices to your customers?
- Do you identify child account business separately from all other accounts?
- How do you demonstrate that, where appropriate (age 13 in the UK), you have a child's consent to process their data and that this consent is suitably informed?
D. Data security
The following questions relate to the security (confidentiality, integrity and availability) of the personal data that is processed by your team.
- Would you be able to evidence that your team has taken measures to protect this personal data from external threats?
- Would you be able to evidence that your team has taken measures to protect this personal data from internal threats?
- Do you clearly communicate to your staff that data theft or misuse of customer data in any way is strictly prohibited and the consequences of such activity could be instant dismissal and even criminal prosecution?
- Do you have clear internal policies and training in relation to areas of computer misuse, electronic communications, safeguarding personal data on social media and information security?
- Do you have a record of who (departmental or individual) has access to customer data in your department and their need for this?
- How do you manage internal staff movement, cloned computer access and access revision and control? How is temp or contract workers' computer access controlled?
- Does your internal training clearly demonstrate the serious impact of unauthorised data access or loss, by linking data theft to identity fraud, account takeover and money laundering?
- Do you have a clear and easy-to-use breach reporting mechanism?
- Can a member of your team report any concerns relating to data security confidentially via your whistleblowing procedures?
- Do you have adequate firewalls and virus protection installed?
- Do you have clear password policies within your firm, i.e. required length, complexity and expiration times?
- Are controls such as a clear desk policy and locked confidential waste bins employed?
- Where are your servers located?
- What encryption protocols are used?
- Do you have a policy regarding the use of portable media devices and laptops and the procedures to be followed in the event of their loss?
- Do you have established protocols for home working including the transportation of data to home sites?
- Is your data retention and destruction policy clear, and in line with the requirements of GDPR whilst being balanced against other potentially conflicting legislative requirements relating to data retention such as the Money Laundering Regulations?
E. Data minimisation
The following questions relate to data minimisation and the storage of the personal data that is processed by your team.
- Is the collection of your customers' personal data limited to what is necessary for the purpose of processing?
- Is there a review or sign-off of your application form/data collection mediums, designed specifically to confirm only essential data is collected, processed and stored?
- Do you know if a retention policy is being applied, i.e. is this personal data being erased once the purpose of processing is complete?
- Do you have a procedure in place, or could you satisfy a request from a customer, to restrict the processing of previously obtained data that is no longer considered necessary for the purpose of processing?
- How are you prepared to balance the requirement to only collect/process data that is limited to the purpose of processing, against other conflicting pieces of legislation?
- Are you and your staff equipped to identify information that is obtained yet not necessary for the purpose of processing, and to delete it or cease recording it? For example, data revealed during a recorded telephone conversation with a customer, or notes made during a customer review, which upon reflection are not required.
- Where excessive data is noted as being present, yet is embedded within other relevant text or information, do you have methods of removing or redacting the unnecessary data? (The Lord Sugar cheque being an example of poor redaction.)
- Do you align your data collection and processing procedures against the lawful reasons of processing, i.e. to serve a legal or contractual obligation or being in the vital interests of the individual?
F. Data subject rights
The following questions relate to the rights of individuals whose personal data is processed by your team.
- Do you know if individuals are informed of the purpose and lawful basis under which the processing of their data occurs?
- How does this notification occur (whether via your privacy notice or otherwise)?
- Is the notification in plain English, so understandable to the non-expert?
- Are your notifications (and other relevant information) available in a translated format for non-English speaking customers and/or in other necessary formats such as Braille?
- Does your team have systems, procedures and training to comply with individuals' Right of Access?
- Have you removed any reference to a fee being charged for a data subject access request?
- Refusing to respond to a request would require you to prove to the requesting party that their access request was manifestly unfounded; who will be responsible for making such a decision?
- Where information that should be released under an access request is embedded amongst other customers' information, do you have the means to either extract the relevant information or appropriately redact the non-relevant information? (The Lord Sugar cheque being an example of poor redaction.)
- Does your team have systems, procedures and training to comply with individuals' Right to Rectification?
- GDPR requires that inaccurate data is rectified without undue delay; can your systems respond efficiently enough to demonstrate this?
- Are your staff trained to identify and balance the requirements relating to rectification against other matters such as retention or evidential purposes, i.e. knowing when to rectify, when not to, or when to seek guidance?
- Does your team have systems, procedures and training to comply with individuals' Right to Erasure?
- Can you efficiently identify all electronic and paper-based records relating to a customer, no matter where and how they may be stored or located?
- Are your systems able to erase customer data, totally?
- Are your staff trained to identify and balance the requirements relating to erasure against other matters such as required data retention or evidential purposes, i.e. knowing when to erase, when not to, or when to seek guidance?
- How could you evidence to the data subject, if required, that their data has been deleted?
- Does your team have systems, procedures and training to comply with individuals' Right to Restrict Processing?
- Do your systems allow for the ringfencing of certain data or data sets, preventing that data from use?
- Are your staff trained and able to recognise the difference between a rectification, erasure, objection and restricted processing request?
- Do you have a checklist for staff use, to review a restricted processing request against, which details the four reasons under which a subject can request a restriction of processing, to ensure that processing isn't incorrectly or inappropriately restricted?
- Does your team have systems, procedures and training to comply with individuals' Right to Object?
- Do your systems allow for one customer's data to be isolated, extracted or removed from active processing upon their request?
- Does an objection to processing carry across all departments in your firm, not just operational, but marketing, call centres and counter staff for example?
- Does your team have systems, procedures and training to comply with individuals' Rights related to automated decision-making including profiling?
- Do you have a manual system and experienced resources available to replace an automated decision-making tool?
- Do you have the resource capability to handle multiple requests of this nature?
- Is consideration given to how you would evidence to a data subject that a manual review and assessment was made when it reaches the same conclusion and decision as the automated tool?
G. Data breaches
The following questions relate to personal data breaches.
- Does your team have systems, procedures and training to recognise personal data breaches?
- Does your team know when and to whom to report personal data breaches within your company?
- Does your company have a data breach response protocol, with consideration given to the following?
  - Recording the date, time and location of the breach, and the date, time and location of when the breach was identified
  - Recording the date and time that the appropriate breach notification procedure was invoked, including when the response protocol was initiated and response efforts began
  - When to alert relevant personnel (including any external parties) to begin executing breach response protocols
  - Initiating relevant internal and external communications (data subjects, media etc.), advised where necessary by your legal and press departments; remember that what is or isn't said can have an impact on your reputation
  - Securing any affected IT systems to preserve evidence and awaiting any forensic analysis teams required
  - How to minimise data loss/breaches and prevent further loss/breaches
  - Interviewing those involved in discovering the breach
  - Reporting to the police if necessary
  - Reporting to the data protection supervisory authority (within 72 hours of breach occurrence)
  - Notifying senior management/board
  - Keeping every step documented
  - At completion, debriefing the response protocol to ensure it was efficient, sufficient and fit for purpose
  - Testing the breach response protocols with a "mock" breach incident
H. Contracts & suppliers
The following questions relate to the use of contractors or vendor suppliers.
- Does your company use any contractors or vendor suppliers?
- Is any customer data transferred to, or accessible by, these contractors or vendor suppliers?
- As part of your procurement process, does your company examine the supplier's data protection policy?
- Who in your company reviews such a policy? Are they experienced and sufficiently qualified to do so?
- Is there a data breach indemnity between your two firms? In whose favour does the indemnity run?
- Has your company agreed protocols with the contractor or vendor supplier, detailing your expectations relating to data minimisation?
- Has your company agreed protocols with the contractor or vendor supplier, detailing your expectations relating to how they would execute a data processing restriction?
- Has your company agreed protocols with the contractor or vendor supplier, detailing your expectations relating to how they would execute a data objection notice?
- Has your company agreed protocols with the contractor or vendor supplier, detailing your expectations relating to how they would execute a right to be forgotten?
- Is your contractor or vendor supplier located overseas? What is the adequacy of the data protection regime in that country?
- Is your company the data processor? If so, are you clear on the requirements of your appointing data controller?
- Do your contracts with the contractors or vendor suppliers (or your appointing data controller) require updating?
- Does your company run any formal quality assurance programmes against the published data protection policy of the contractor or vendor supplier?
- Does your company run informal quality assurance testing of the contractor or vendor supplier data protection procedures, such as mystery shopping?
- Has your company agreed on a data retention and data destruction policy with the contractor or vendor supplier?
- Does the contractor or vendor supplier's IT system allow for data portability?
- Is there a formal contract/processing review in place?
I. Human resources
The following questions relate to your HR department.
- Is your HR department aware that each employee is a data subject and that GDPR applies to the collection, processing, storage and deletion of employee data as well as customer data?
- Has your HR department mapped staff data in the same manner as this questionnaire requires for customer data, i.e. a data subject's rights, use of third-party contractors, minimisation of data, rights to object or restrict etc.?
- Are employees provided with a fair processing notice?
- Are employees able to object to their data being sent overseas to a parent or associated company within the group?
- Will your company need to use binding corporate rules for employee data processing?
- Will contracts of employment require amendment?
- Will your HR department need to obtain revised processing consent for all present and past employees? Remember, they are considered to be processing data even if they are only storing it.
- Does or will your HR department view, use or consider the content on employees' or future employees' social media sites, for purposes such as checking the legitimacy of sick days, or assessing character suitability for a role?
- Do your staff employment contracts allow for social media data to be used for commercial purposes?
- Do your job application forms or associated essential literature require consent from a potential employee to review their social media sites, and to use any information contained therein as part of the recruitment process?
J. Overseas transfers
The following questions relate to the transfer of customer data or processing of it overseas.
- Does your company transfer any customer data overseas?
  - If yes, is the country of receipt within the EU?
- Does your company use any contractors or vendor suppliers?
  - Does that company transfer any customer data overseas?
  - If yes, is the country of receipt within the EU?
- Are binding corporate rules utilised?
- By what method is the customer data transferred overseas?
- Are appropriate robust encryption controls utilised?
- Is customer consent always sought and received before any overseas transfer of data takes place, i.e. through a fair processing notice and consent declaration?
- What systems and controls exist around transfers of data overseas and which suitably experienced and qualified person reviews and authorises these controls?
Want to learn more about GDPR?
We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by an extensive library of GDPR courses.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.