GDPR questions and answers

Category:
DPO Challenges

What should a GDPR audit include?

ANSWER

A GDPR audit should cover two areas: the formal/legal area (whether the organization's processing and documentation meet the GDPR's requirements) and the technical/IT area (whether the technical and organizational measures actually protect the personal data being processed).

Within the technical/IT area, the audit should include, among others:

  • verification of the access control mechanisms used in IT systems (authentication, authorization, and logging of access to personal data);
  • analysis of the adequacy of physical security measures, covering server rooms, archives, HR department premises, IT department premises, and accounting offices;
  • review of the user access rights management process (granting, changing, and revoking access, including for leavers);
  • verification of the backup management process (backup schedule, encryption, storage location, and restore testing);
  • assessment of the security of workstations, mobile devices, storage media, and other devices;
  • review of network communication security within LAN/WAN environments;
  • verification of IT and physical security documentation;
  • assessment of the level of knowledge and awareness of the organization's employees (e.g., online tests and in-depth interviews).

Within the formal/legal area, the audit should include:

  • analysis of personal data processing activities for which the organization acts as the data controller;
  • analysis of personal data processing activities for which the organization acts as a processor;
  • assessment of the implementation of data subjects' rights;
  • review of the policies and procedures governing personal data processing.
