GDPR audit: how to carry out a GDPR compliance audit

A GDPR compliance audit is the first step towards securing an organisation in the area of personal data protection. The purpose of the audit is to establish the baseline correctly, i.e. to produce an accurate inventory of the information assets held and of the ways in which they are processed and protected.

GDPR Audit in the Formal and Legal Area

  • A reliable and documented assessment of the organisation's compliance with the GDPR, delivered in the form of an audit report.
  • Precise recommendations for remedying any deficiencies or omissions in clauses, notices, records or procedures.
  • Evidence for the President of the Personal Data Protection Office (UODO) that the organisation regularly assesses the effectiveness of its data protection measures.

Scope of formal and legal audits of the GDPR

  • Analysis of personal data processing processes for which the organisation is the data processor.
  • Implementation of the rights of data subjects, including:
      – right of access to personal data,
      – right to rectification and erasure of data,
      – right to be forgotten,
      – right to restriction of processing,
      – right to data portability,
      – right to object,
      – principles of automated individual decision-making.
  • Analysis of applicable personal data processing policies and procedures.
  • Analysis of personal data processing processes for which the organisation is the data controller, including:
      – compliance of processing with the law and fulfilment of the information obligation towards data subjects,
      – regulation of data entrustment for processing (processor agreements),
      – principles of transferring data to third countries or international organisations,
      – data protection by design and by default.

GDPR Audit in the Technical, IT and Organisational Area

  • Minimising the risk of data leakage by identifying and managing gaps in IT security.
  • Avoiding penalties: every fourth penalty imposed by the President of the Personal Data Protection Office (UODO) concerns the absence of applied safeguards.
  • Demonstrating GDPR (RODO) compliance can increase the confidence of customers, partners and stakeholders in the organisation.

Scope of the technical and IT audit

  • Verification of the access control mechanisms applied to IT systems.
  • Analysis of the adequacy of physical security measures, including server rooms, archives, and the HR, IT and accounting departments.
  • Verification of the access rights management process.
  • Verification of the backup management process.
  • Examination of the security measures applied to workstations, mobile devices, storage media and other devices.
  • Verification of LAN/WAN network communication security.
  • Verification of IT and physical security documentation.
  • Assessment of the knowledge and awareness of the organisation's employees (online tests, in-depth interviews).


How do we carry out the RODO audit? To the highest work standards

Our customers are served in accordance with international standards and with the ODO 24 Auditor's Code of Ethics.

In accordance with the Code of Ethics, the ODO 24 Auditor:

  • performs their work honestly, diligently and responsibly,
  • adheres to legal and internal professional regulations,
  • does not engage in any activity that could discredit the profession of Auditor or the company they represent,
  • recognises and supports the goals of ODO 24, which are in compliance with the law and ethical principles,
  • does not participate in any activities or enter into relationships that could compromise or call into question their audit objectivity,
  • does not accept anything that could compromise or call into question their professional judgement,
  • discloses all known facts that, if undisclosed, could distort the report on the activity under review,
  • carefully uses and protects information obtained in the course of their duties,
  • does not use information obtained for personal gain or in any manner contrary to the law or harmful to the organisation's objectives,
  • undertakes to provide only those services for which they have the necessary knowledge, skills and experience,
  • provides audit services in accordance with the requirements of the General Data Protection Regulation (GDPR), the Personal Data Protection Act and related legislation,
  • continuously improves their knowledge, proficiency and professional effectiveness.

What our customers say about our services

Marcin Wieczorek

Wojas


"I am very impressed with the high level of substantive expertise of the training staff"

From 13 to 17 March I attended the "Course for Information Security Administrators" organized by ODO 24 sp. z o.o. I am very impressed with the high substantive level of the training staff and the comprehensive program. Working as an ABI requires knowledge not only of legal provisions but also of IT matters, which ODO 24 took into account. Noteworthy is the curriculum, which gradually introduces increasingly advanced nuances of personal data protection, starting from the legal basics and ending with practical aspects of auditing and working with documents within a company. The complete set of materials, editable documents and publications I received will facilitate my daily work as an ABI. I can certainly recommend ODO 24 as a reliable partner offering training services of a high standard.

Magdalena Węglewska

Mazda


"We can wholeheartedly recommend ODO 24 as a professional and reliable partner"

For many years we have consistently placed great importance on the protection of the personal data of our customers as well as our employees. We took an active part in creating the "Code of Good Practice for the Protection of Personal Data of Customers and Potential Customers,” developed jointly by GIODO and the Polish Automotive Industry Association. Due to the complexity and variability of the rules on personal data protection, as well as Mazda’s dynamic development in Poland and the increasing volume of data we process, we decided to entrust the ABI function to a company specialized in this field. The decision to use the services of ODO 24 was primarily influenced by the experience and competence of the team of experts, the comprehensiveness of the offering and its flexibility in adapting to our organization. After a year of cooperation we can recommend ODO 24 as a professional and reliable partner.

Agnieszka Karłowicz

Spiżarnia


"A practical approach, continuous advisory availability, and positive working relationships"

We have been working with ODO24 for over a year. For us it has been a year of peaceful breathing and a sense of security: at least regarding personal data protection :-) The people at ODO are professionals who explain matters that are incomprehensible to the average person in an understandable way. They understand not only their profession but, which is very important to us, business and its requirements. A practical approach, constant advisory availability, and great relationships — all of this means I can recommend this Company to anyone who wants to work and sleep peacefully.

Tomasz Siwicki

Gefco


"I recommend the company ODO 24 as a professional partner"

For several years we have been cooperating with ODO 24 in the field of personal data protection. A professional team that efficiently helped us to comply with the requirements of the GDPR. We make use not only of the experts’ knowledge but also of professionally prepared e‑training, thanks to which we were able to train several hundred employees in a very short time. I highly recommend ODO 24 as a professional partner delivering services at the highest level.


External RODO audit in a company - questions and answers

What is a RODO audit?

A RODO audit is a comprehensive analysis of a company's processes with regard to compliance with personal data protection regulations. Specialists check how, in practice, the data of employees, clients or contractors are collected, processed and protected.

What does a RODO audit include?

A RODO audit is a detailed analysis of how your company processes personal data. It examines both business processes and technical safeguards as well as documentation.

  • Analysis of data processing activities – we check whether data is collected lawfully, only to the extent necessary, and whether it is properly protected.
  • Assessment of IT security – we verify the effectiveness of applied measures, such as encryption, firewalls, antivirus systems and updates.
  • Review of documentation – we analyse privacy policies, terms and conditions, internal procedures and RODO registers.
  • Checking consents and forms – we assess whether clauses are clear, voluntary and compliant with RODO.
  • Checking cookies and websites – we verify whether the site correctly informs about cookies and obtains users' consents.
When is it worth conducting a RODO audit?
  • Before implementation of new processes – so that they operate in compliance with the law from the outset.
  • After changes are introduced – e.g. a new IT system, marketing tool or application.
  • In the event of incidents – when a data leak or breach occurs.
  • Regularly – preferably once a year, to respond to changing regulations and new threats.
Why is a RODO audit important?
  • Proof of compliance with regulations – in case of an inspection you can demonstrate that you apply appropriate data protection measures.
  • Risk identification – allows you to find gaps before UODO or a hacker does.
  • Greater security – highlights areas requiring improvement and strengthens data protection.
  • Building trust – shows clients and partners that your company takes privacy seriously.
What is a RODO compliance audit?

A RODO compliance audit is an independent assessment of how an organisation operates with regard to personal data protection regulations. Combining two perspectives and sets of competences (legal and IT) means that after the audit we are able to develop comprehensive personal data protection documentation and provide concrete recommendations, both legal and organisational and related to IT security. According to the recommendations of the President of the Personal Data Protection Office (UODO), a RODO audit should be carried out regularly, e.g. once a year. The audit is conducted in the formal and legal area and in the technical and IT area. Our clients receive a professional service at a favourable price, compliant with international standards and with the ODO 24 Auditor's Code of Ethics.

What is the purpose of a RODO compliance audit?

A RODO compliance audit is the first step towards organisational security in the area of personal data protection. The aim of the audit is to determine the baseline situation in the area of data protection correctly: a precise inventory of the information assets held and of the methods of their processing and protection.

What is the scope of an RODO formal-legal audit?

The RODO formal and legal audit includes: an analysis of personal data processing activities in respect of which the organisation acts as a processor; the exercise of the rights of data subjects (including the right of access to personal data, the right to rectification and erasure of data, the right to be forgotten, the right to restriction of processing, the right to data portability, the right to object, and the rules on automated decision-making in individual cases); an analysis of the applicable personal data processing policies and procedures; and an analysis of personal data processing activities in respect of which the organisation is a data controller (including lawfulness of processing, fulfilment of the information obligation towards data subjects, arrangements for entrusting data to processors, rules for transferring data to third countries or international organisations, and data protection by design and by default).

What is the scope of a technical and IT RODO audit?

A RODO audit in the technical and IT area covers: verification of the access control mechanisms used for IT systems, analysis of the adequacy of physical protections (including server rooms, archive, HR department rooms, the IT department and accounting), checking the process of access-rights management, verification of the backup management process, assessment of the security of workstations, mobile devices, media and devices, checking the security of communications in LAN/WAN, verification of ICT and physical security documentation, and checking the level of knowledge and awareness of the organisation’s employees (online tests, in-depth interviews).

What are the stages of a RODO compliance audit?

An audit of compliance with the General Data Protection Regulation (GDPR, known in Poland as RODO) consists of several key stages that help an organisation assess its activities and adapt them to the requirements of the regulation. The main stages of this process are:

  • Analyses of documentation and policies: Auditors review documentation related to the processing of personal data, such as policies, procedures, privacy notices and contracts. The aim is to verify whether the documentation is complete, compliant with RODO requirements and whether it transparently informs stakeholders about data processing.
  • Assessment of activities and processes: During the audit, the organisation’s personal data processing processes are analysed, including the collection, storage, transmission and deletion of data. Auditors assess the compliance of these processes with RODO principles, including data minimisation, purpose limitation and the right to be forgotten.
  • Verification of data protections: Auditors assess the data protection measures in place, such as encryption, access control and event monitoring, to ensure they comply with RODO requirements regarding data protection.
  • Assessment of incident response: The audit examines procedures and actions in the event of personal data breaches. The aim is to ensure the organisation has appropriate mechanisms to respond promptly to incidents and to report them to the relevant authorities.
  • Training and employee awareness: Auditors check whether the organisation provides training on personal data protection for employees, and whether there is awareness among staff of RODO principles and the need to comply with them.
  • Report and recommendations: After the audit, auditors prepare a report containing the audit findings, including identified non‑compliances with RODO and recommendations for corrections and improvements to data protection-related activities.
How to carry out a RODO audit in accordance with the latest regulations?

An audit should first of all be well prepared and planned. Before taking explanations from staff, auditors should familiarise themselves with the documents in force within the organisation in order to understand how it operates. The audit interviews themselves should be conducted in a cooperative atmosphere, because both parties are working towards the same objective: the security of personal data. Each auditor should conduct the audit within their area of competence (law or IT), so that ultimately the client receives a reliable and factually accurate summary answering the question of whether the organisation is RODO-compliant and, if not, what needs to be done to achieve compliance.

What is a RODO compliance audit checklist?

The checklist for an audit carried out by ODO 24 consists of the following elements: obligations of the data controller (ADO), obligations of the Data Protection Officer (DPO), processing activities for which you are the data controller (ADO), processing activities for which you are the data processor, IT security. On our course for the Data Protection Officer (DPO) you will receive the RODO checklist. In this training we will teach you how to conduct a RODO compliance audit.

Comprehensive RODO compliance audit

You can tailor the scope of an external RODO compliance audit to your needs. A comprehensive RODO compliance audit includes: an initial remote audit, a RODO compliance audit of the website, a RODO compliance audit of mailing campaigns and contests, a RODO compliance audit of the recruitment process, an audit of DPO documentation, and an audit of cooperating entities that process data. The price of a comprehensive RODO compliance audit may vary depending on many factors, such as company size, the volume and type of personal data processed, the complexity of IT systems, the number of employees, the scope of audit-related work and many others. A competitive price for a comprehensive RODO compliance audit should depend on the specific needs and requirements of the company, while offering value that outweighs the cost. It is worth choosing an experienced and reliable company that will conduct the audit in accordance with the highest standards and with RODO requirements.

What does a RODO audit report include?

We understand that the business environment in which our clients operate is dynamic and that their priorities sometimes change. An audit report is a reliable and documented assessment of an organisation's compliance with RODO, containing detailed recommendations on how to remedy any gaps or deficiencies in clauses, notices, records or procedures. A RODO audit report constitutes evidence for the President of the Personal Data Protection Office (Prezes UODO) that the organisation regularly and reliably assesses the effectiveness of its data protection measures. A good quality-to-price ratio in this case means that the client pays a reasonable price for a valuable report.

How much does a RODO audit cost?
Fees can vary widely. They depend on the type of activity, the size of the organisation, the territorial scope of operations and also on the scope of specific actions. We can give a definitive answer to this question once we have established basic information, which is why we encourage you to send a quote request.
What should I do if I have not found an answer to my question?
Use the contact form and send us your question. You will receive a reply within 24 hours on business days.

Our greatest value is the trust of our customers.

How can we assist you today?

Please contact us and we will find a solution.

Use the form

The data controller will be ODO 24 sp. z o.o. with its registered office in Warsaw at ul. Kamionkowska 45. Your data will be processed for the purpose of preparing, sending and archiving the cooperation offer. More information can be found in the Privacy Policy.
