On the road to compliance with this 6-step RGPD audit method
Since 2016, the vast majority of companies and organizations in the EU have been subject to the General Data Protection Regulation, better known by its short name RGPD.
This obligation has enabled the entities concerned to question the way in which they collect and process individuals' personal information, even as the internet has complicated and multiplied its circulation.
Above all, however, professionals have had to integrate new processes into their daily routine in order to ensure compliance, starting with the RGPD audit.
What does it involve and how do you go about it? What help (human or software) can you rely on?
Find out more in our RGPD audit example 🔎.
What is an RGPD audit?
Definition of an RGPD audit
As a reminder, the RGPD (for General Data Protection Regulation) came into force with the aim of regulating, on a European scale, the collection, processing and management of personal data.
It concerns:
- any entity (company, government body, non-profit association, etc.) located in the EU,
- any entity located outside the EU, but processing information on individuals residing in the European Union,
- subcontractors and service providers handling data on behalf of other organizations.
The RGPD requires the implementation of various processes (collection of explicit consent, application of the right to information, etc.). But compliance necessarily involves checking, at some point, what the entity's situation is with regard to compliance with its obligations.
👉 This is where the RGPD audit comes in.
There are, however, two types of audit:
- the initial audit, carried out at the start of the deployment of compliance operations,
- the follow-up audit, carried out periodically, since RGPD compliance is part of an ongoing process.
🤓 Learn more on the subject in our article dedicated to the 6 key steps and 3 tools for implementing your RGPD compliance.
The different types of diagnostics
To identify gaps and guide the corrective measures required for compliance, several diagnostics are carried out, both during the initial audit and during follow-up audits.
👉 The main ones are:
- diagnosis of the information system and the various tools (software, for example) present in the organization,
- diagnosis of the personal data collection and consent management process,
- diagnosis of data processing (how data is used and for what purposes),
- security diagnostics, aimed in particular at protecting data against breaches and other unauthorized access.
Why conduct an RGPD audit?
There are many reasons to carry out an RGPD audit, including the following:
- to take stock of your current situation: you'll be able to identify any gaps between reality and your requirements, and know what tasks need to be carried out to ensure compliance with the RGPD;
- to map your company's data and understand how it is processed, so you can manage it more effectively;
- to foresee potential risks, and thus implement the appropriate corrective measures.
Ultimately, the RGPD audit leads to the implementation of an action plan, itself broken down into a roadmap.
💡 Good to know: while the interest of this audit is very much a legal one (beware of sanctions in the event of breaches!), let's not forget that data control and your transparency help to look after your organization's reputation. Particularly at a time when citizens are more careful about how their personal information is used!
How do you carry out a proper RGPD audit? The 6 key steps
Step 1: Audit the collection of personal data
Let's start with one of the main aspects regulated by the RGPD: how personal data is collected.
At this stage, you need to:
- list all the sources and modes of collection employed (web forms, cookies, etc.),
- verify whether this collection is lawful, i.e., whether it rests on one of the legal bases set out in Article 6 of the RGPD:
- consent,
- a contractual measure,
- compliance with a legal obligation,
- processing necessary to protect vital interests,
- processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority,
- processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
☝️ However, companies are mainly concerned with the question of consent, which, according to the CNIL, must be:
- free, i.e. not coerced or influenced,
- specific, dedicated to a given purpose,
- informed, which presupposes that users have been given full information,
- unambiguous, leaving no room for doubt.
Step 2: Audit the information system
Here, you need to take stock of all the tools and systems in your information system that use data in one way or another. Your software, for example.
Then determine how this data behaves within the IS, and more specifically:
- what kind of data it is,
- where it's stored,
- how it circulates, both inside and outside the company.
During this stage, we advise you to map your information system, to document information relating to the data exchanged within the structure, but also to the associated flows.
💡 Note: make your work easier by using a Single Data Repository, which centralizes all data on your customers, products or other entities.
Step 3: Audit data processing
Now it's time to understand how your data is used. This involves two questions:
- How is it actually used?
- And for what purposes?
The fact that the RGPD requires a register of processing activities to be kept makes this analysis easier. In particular, in accordance with Article 30, this document must record the following information:
- the purposes of the processing,
- a description of the categories of data subjects and the categories of personal data,
- the categories of recipients to whom the data has been or will be disclosed,
- where applicable, transfers of such data to a third country or to an international organization,
- the retention periods after which the various categories of data are to be erased,
- a general description of the technical and organizational security measures implemented.
💡 Note: the processing audit is also a perfect opportunity to identify data the company no longer uses, and thus "do some housekeeping", in line with the RGPD's data minimization philosophy.
Step 4: Audit security
Comparable to a technical audit, this step involves making sure that the data stored in the company is perfectly protected.
A number of points will then attract your attention, for example:
- basic security measures deployed (antivirus, firewalls, intrusion detection, etc.) on all assets, be they hardware, software, network, etc.,
- appropriate management of access rights and authorizations, to ensure that only authorized people have access to specific information,
- proper administration of passwords, notably through the adoption of a dedicated policy,
- data encryption,
- regular backups, essential to ensure business continuity in the event of data loss,
- raising awareness and even training employees in the protection of personal information and IT security in general.
💡 Please note: this part of the diagnosis is generally accompanied by penetration tests, as well as an in-depth analysis of the procedures planned in the event of data leaks.
Step 5: Draw up the RGPD audit report and deploy the action plan
At the end of your audit, you need to draw up a report recording the compliant and non-compliant points. In this way, you identify gaps between what the regulations expect of you and reality.
Of course, it's important to put an action plan in place (and follow it!) so that you can get back on track quickly.
👉 This action plan includes the following information:
- the nature of the work to be undertaken to remedy the shortcomings identified during the audit,
- the prioritization of these projects according to the seriousness of the shortcomings and their potential impact with regard to the RGPD,
- the human resources to be mobilized for this project, with details of the roles and responsibilities of each person,
- the roadmap, including the various stages, deadlines, milestones, etc.
Step 6: Conduct regular RGPD audits
If this is your first RGPD audit and you thought you'd stop there... bad news: you're dealing with an ongoing process!
Staying compliant over the long term means carrying out regular diagnostics. While the frequency obviously depends on many factors, such as the size of your organization, its complexity or changes in your market, carrying out this work at least once a year seems a good start.
💡 Good to know: in the meantime, make sure that all the good practices you've put in place (on collecting consent, for example) are maintained within the company. Hence the importance of fully training the teams concerned on these issues.
Handling the RGPD audit: in-house or outsourced?
Since RGPD audits require technical and legal skills, some companies decide to call on external professionals, such as DPOs (Data Protection Officers) or legal experts.
However, delegating RGPD audits in this way generates additional costs, and many organizations decide to carry out all operations in-house. Especially as this work is made easier by the emergence of specialized software in the field, not just aimed at large groups.
👉 Witik, for example, handles all the processes associated with RGPD compliance for SMEs and mid-sized companies (ETIs). It therefore supports professionals in carrying out their audits, through customizable and comprehensive programs (assessment of the various systems and media, your subcontractors, etc.). The software also manages the compliance action plan and team training.
What can I learn from the RGPD audit?
You've just read an example of a methodology for carrying out your RGPD compliance audit in due form, and making sure you don't forget any diagnostics: personal data collection diagnostics, information system diagnostics, data processing diagnostics and security diagnostics.
While the procedure may not seem too complicated, it does require rigor... and a fair amount of bandwidth! That's why we suggest you automate these operations as far as possible, which inevitably involves the use of specific software.
Thanks to these technologies, you can save time on your RGPD processes... time that you can devote, for example, to training your employees, the pillars of your compliance.