On the road to compliance with this 6-step RGPD audit method
Since 25 May 2018, when the General Data Protection Regulation (GDPR, adopted in 2016) became applicable, the vast majority of businesses and organisations in the EU have been subject to it.
This obligation has forced the entities concerned to question the way they collect and process individuals' personal information, at a time when the internet has multiplied the ways that data circulates and made them harder to track.
But above all, professionals have had to build new processes into their day-to-day work to ensure compliance, starting with the RGPD audit.
What does it involve, and how do you go about it? And what help (human or software) can you rely on?
Take a look at our example of an RGPD audit 🔎.
What is an RGPD audit?
Definition of an RGPD audit
As a reminder, the RGPD (Règlement Général sur la Protection des Données, GDPR in English) came into force with the aim of regulating, on a European scale, the collection, processing and management of personal data.
It concerns (Article 3):
- any entity (company, government body, non-profit association, etc.) established in the EU that processes personal data,
- any entity located outside the EU that offers goods or services to, or monitors the behaviour of, individuals in the European Union,
- processors, i.e. subcontractors and service providers handling data on behalf of other organisations.
The RGPD requires various processes to be put in place (obtaining valid consent where consent is the legal basis, honouring the right to information, etc.). But compliance necessarily involves checking, at some point, where the entity actually stands in relation to its obligations.
👉 This is where the RGPD audit comes in.
In practice, there are two types of audit:
- the initial audit, carried out at the start of the deployment of compliance operations,
- the follow-up audit, carried out periodically, since compliance with the RGPD is part of an ongoing process.
🤓 Find out more on the subject in our article devoted to the 6 key stages and 3 tools for implementing your RGPD compliance.
The different types of diagnosis
To identify gaps and guide the corrective measures required for compliance, several diagnostics are carried out, both during the initial audit and during follow-up audits.
👉 The main ones are:
- diagnosis of the information system and the various tools (software, for example) present in the organisation,
- diagnosis of the personal data collection and consent management process,
- diagnosis of the processing of this data (how is it used and for what purposes?),
- a security audit, aimed in particular at protecting data against breaches and unauthorised access.
Why carry out an RGPD audit?
There are many reasons to carry out an RGPD audit, including the following:
- to take stock of your current situation. This will enable you to identify any gaps between what is actually happening and what you need to do, so that you know what tasks need to be carried out to ensure compliance with the RGPD;
- map your company's data and understand how it is processed, so you can manage it more effectively;
- anticipate potential risks, and put in place the appropriate corrective measures.
Ultimately, the RGPD audit leads to the implementation of an action plan, itself broken down into a roadmap.
💡 Please note: while the audit is very much a legal exercise (beware of the penalties if you fail to comply: under Article 83, fines can reach EUR 20 million or 4% of worldwide annual turnover, whichever is higher!), let's not forget that controlling your data and being transparent help to maintain your organisation's reputation. Particularly at a time when the public are more careful about how their personal information is used!
How do you carry out a proper RGPD audit? The 6 key steps
Step 1: Audit the collection of personal data
Let's start with one of the main aspects regulated by the RGPD: the way in which personal data is collected.
At this stage, you need to:
- draw up a list of all the sources and methods of collection used, e.g. web forms, cookies, etc.,
- check whether this collection is lawful, i.e. whether it rests on one of the six legal bases listed in Article 6 of the GDPR:
- the data subject's consent,
- the performance of a contract with the data subject (or steps taken at their request before entering into one),
- compliance with a legal obligation to which the controller is subject,
- the protection of the vital interests of the data subject or of another natural person,
- the performance of a task carried out in the public interest or in the exercise of official authority,
- the legitimate interests pursued by the controller or by a third party, provided they are not overridden by the data subject's interests and rights.
☝️ In practice, companies most often rely on consent, which, according to the CNIL, must be:
- free, i.e. not coerced or influenced,
- specific, dedicated to a given purpose,
- informed, which implies that the data subject is given the information needed to understand what they are agreeing to,
- unambiguous, given by a clear affirmative act, leaving no room for doubt.
Consent must also be as easy to withdraw as it was to give (Article 7), and you must be able to demonstrate that it was obtained: a web form audit should therefore check for pre-ticked boxes, bundled purposes and the absence of a consent record.
Step 2: Auditing the information system
Here you need to take stock of all the tools and systems in your information system that use data in one way or another. For example, your software.
Then determine how this data moves through the IS, and more specifically:
- what kind of data it is,
- where it is stored,
- how it circulates, both within and outside the company (including to subcontractors and cloud services).
During this stage, we advise you to map your information system, to document the information relating to the data exchanged within the structure, but also the associated flows.
💡 Good to know: make your work easier by using a Single Data Repository, which centralises all the data on your customers, products or other entities.
Step 3: Audit data processing
Now it's time to understand how the data is being used. This involves asking two questions:
- How is it actually used?
- And for what purposes?
The fact that the RGPD requires a record of processing activities to be kept makes this analysis easier. Under Article 30, this record must include the following information:
- the name and contact details of the controller (and, where applicable, of any joint controller, representative and data protection officer),
- the purposes of the processing,
- a description of the categories of data subjects and the categories of personal data,
- the categories of recipients to whom the data have been or will be disclosed,
- where applicable, transfers of such data to a third country or to an international organisation, together with the safeguards relied on,
- where possible, the time limits set for the deletion of the various categories of data,
- where possible, a general description of the technical and organisational security measures put in place.
💡 Good to know: the processing audit is also a perfect opportunity to identify data not used by the company, and thus "do a bit of housekeeping", in line with the RGPD philosophy.
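Checking a processing register for gaps is repetitive work that lends itself to a script. The following is an added example (not code from the original article or from any vendor mentioned on this page): it walks a register exported as a list of dictionaries and reports entries whose Article 30 fields are missing, whose legal basis is not one of the six Article 6 bases covered in Step 1, or which declare a third-country transfer without a documented safeguard. The field names and the sample register are assumptions constructed for illustration, not an official schema.

```python
"""Added example: completeness check over a record of processing activities.

Not part of the original article. Field names and the sample register below
are constructed for illustration; map them onto your own register export.
"""
from __future__ import annotations

# The six lawful bases of Article 6(1) GDPR (names are this example's own).
ARTICLE_6_BASES = {
    "consent",
    "contract",
    "legal_obligation",
    "vital_interests",
    "public_task",
    "legitimate_interests",
}

# Article 30(1) items every controller entry should carry (assumed field names).
REQUIRED_FIELDS = (
    "controller_contact",
    "purposes",
    "data_subject_categories",
    "data_categories",
    "recipient_categories",
    "retention",
    "security_measures",
)


def check_entry(entry: dict) -> list[str]:
    """Return the findings for one register entry; an empty list means no gap."""
    findings: list[str] = []

    # 1. Every required Article 30 field must be present and non-empty.
    for name in REQUIRED_FIELDS:
        if not entry.get(name):
            findings.append(f"missing {name}")

    # 2. The legal basis recorded for the processing must be an Article 6 basis.
    basis = entry.get("legal_basis")
    if basis not in ARTICLE_6_BASES:
        findings.append(f"legal basis {basis!r} is not an Article 6 basis")

    # 3. A transfer outside the EU needs a documented safeguard (e.g. SCCs).
    for transfer in entry.get("third_country_transfers") or []:
        if not transfer.get("safeguard"):
            country = transfer.get("country", "?")
            findings.append(f"transfer to {country} has no documented safeguard")

    return findings


def audit_register(register: list[dict]) -> dict[str, list[str]]:
    """Map each processing activity name to its list of findings."""
    return {entry.get("name", "<unnamed>"): check_entry(entry) for entry in register}


# Constructed sample register: one clean entry and two with gaps.
SAMPLE_REGISTER = [
    {
        "name": "Newsletter",
        "controller_contact": "dpo@example.test",
        "purposes": ["marketing emails"],
        "data_subject_categories": ["subscribers"],
        "data_categories": ["email address"],
        "recipient_categories": ["email service provider"],
        "retention": "until unsubscribe, then 30 days",
        "security_measures": ["TLS", "access restricted to marketing team"],
        "legal_basis": "consent",
        "third_country_transfers": [],
    },
    {
        "name": "CRM",
        "controller_contact": "dpo@example.test",
        "purposes": ["customer relationship management"],
        "data_subject_categories": ["customers", "prospects"],
        "data_categories": ["identity", "contact details", "order history"],
        "recipient_categories": ["sales team", "SaaS CRM vendor"],
        "retention": "",  # gap: no deletion time limit recorded
        "security_measures": ["SSO", "role-based access"],
        "legal_basis": "contract",
        "third_country_transfers": [{"country": "US", "safeguard": ""}],  # gap
    },
    {
        "name": "Payroll",
        "controller_contact": "dpo@example.test",
        "purposes": ["salary payment"],
        "data_subject_categories": ["employees"],
        "data_categories": ["identity", "bank details"],
        "recipient_categories": ["payroll provider"],
        "retention": "5 years after end of contract",
        "security_measures": ["encrypted storage", "HR-only access"],
        "legal_basis": "business_need",  # gap: not an Article 6 basis
        "third_country_transfers": [],
    },
]


if __name__ == "__main__":
    for name, findings in audit_register(SAMPLE_REGISTER).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Run it against the constructed register and the CRM and Payroll entries surface as gaps while Newsletter passes. In a real audit the register usually comes out of a spreadsheet or a compliance tool's export, so the first job is mapping those column names onto the field names assumed here; the checks themselves stay the same.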
Step 4: Audit security
Comparable to a technical audit, this stage consists of ensuring that the data held by the company is adequately protected, i.e. with measures proportionate to the risk, as Article 32 requires.
A number of points deserve your attention, for example:
- the basic security measures deployed (antivirus, firewalls, intrusion detection, etc.) on all assets, be they hardware, software, the network, etc.,
- appropriate management of access rights and authorisations, so that only the people who need a given piece of information can access it, with rights reviewed when roles change,
- proper administration of passwords, in particular by adopting a dedicated policy,
- data encryption, at rest and in transit,
- regular backups, tested by actually restoring them, essential to ensure business continuity in the event of data loss,
- raising awareness and even training employees in the protection of personal information and IT security in general.
💡 Note: this part of the diagnosis is generally accompanied by penetration tests and an in-depth review of the procedures in place in the event of a data breach, bearing in mind that Article 33 requires the supervisory authority to be notified within 72 hours of the controller becoming aware of a breach.
Step 5: Drawing up the RGPD audit report and implementing the action plan
At the end of your audit, you should draw up a report listing the points that are compliant and those that are not. In this way, you can identify any discrepancies between what the regulations expect of you and reality.
Of course, it's important to put an action plan in place (and follow it!) so that you can get back on track quickly.
👉 This action plan includes the following information:
- the nature of the work to be undertaken to remedy the shortcomings identified during the audit,
- the prioritisation of these projects according to the seriousness of the shortcomings and their potential impact with regard to the RGPD,
- the human resources to be mobilised for this project, with details of the roles and responsibilities of each person,
- the roadmap, including the various stages, deadlines, milestones, etc.
Step 6: Carry out regular RGPD audits
If this is your first RGPD audit and you thought you'd stopped there... bad news: you're dealing with an ongoing process!
Staying compliant over the long term means carrying out regular diagnostics. While the frequency obviously depends on many factors, such as the size of your organisation, its complexity or changes in your market, carrying out this work at least once a year seems like a good start.
💡 Good to know: in the meantime, make sure that all the good practices that have been put in place (on collecting consent, for example) are maintained within the company. Hence the importance of fully training the teams involved in these issues.
Handling the RGPD audit: in-house or outsourced?
Since the RGPD audit requires technical and legal skills, some companies decide to use external professionals, such as DPOs (Data Protection Officers) or legal experts.
However, delegating RGPD audits in this way generates additional costs, and many organisations decide to carry out all the operations in-house. Especially as this work is made easier by the emergence of specialist software in the field, not just aimed at large groups.
👉 Witik, for example, handles all the processes associated with RGPD compliance for SMEs and mid-sized companies (ETIs). It therefore supports professionals in carrying out their audits, through customisable and comprehensive programmes (assessment of the various systems and media, your subcontractors, etc.). The software also manages the compliance action plan and team training.
What can I learn from the RGPD audit?
You have just read an example of a methodology for carrying out your RGPD compliance audit in the proper form, and making sure you don't forget any diagnosis: diagnosis of personal data collection, diagnosis of the information system, diagnosis of data processing and diagnosis of security.
While the procedure may not seem overly complicated, it does require rigour... and a fair amount of bandwidth! That's why we suggest that you automate these operations as far as possible, which inevitably means using specific software.
Thanks to these technologies, you can save time on your RGPD processes... time that you can devote, for example, to training your staff, the pillars of your compliance.