GDPR Audit Checklist

The document provides a GDPR audit checklist to assess an organization's compliance with GDPR. It covers transparency, controls, and privacy and provides criteria to audit these areas. It also discusses appointing a DPO, limiting data collection, and ensuring legacy systems can delete data upon request.
Contents

1. GDPR Audit Checklist
2. Transparency
3. Controls
4. Privacy
5. GDPR Compliance and Cyber-Duck

GDPR audit checklist © 2021 Cyber-Duck Ltd. All Rights Reserved 1


GDPR Audit Checklist
There’s only one way to ensure that your business is GDPR
compliant, and that’s by completing an audit of your entire
business infrastructure.

At Cyber-Duck, we measure your compliance by assessing how
your business stands up in relation to three core principles of
GDPR: Transparency, Controls and Privacy. We also assess your
compliance with the Privacy and Electronic Communications
Regulations (PECR), GDPR’s partner legislation.

Following our audit, we then create an Action Plan which we will
use to transform your organisation and achieve GDPR and PECR
compliance.

Transparency
The GDPR aims to promote transparency and fairness regarding how organisations
operate. It does this by ensuring users know what data is collected from them and
why, which means you need a lawful basis and a specified purpose for every
collection of personal data.

Audit criteria (mark each Pass / Partial pass / Fail) and action needed:

Are privacy notices prominently placed, and do they clearly state your data practices?
Action needed: Can users find your privacy policies easily? Are they clear and easy to understand? You may need to review your privacy policy in light of GDPR, which requires the notice to name the controller, the purposes and lawful basis for each processing activity, the recipients, the retention period and the individual’s rights (Article 13).

In the event of a data breach, are adequate procedures in place to handle the scenario?
Action needed: If your data infrastructure is breached, you need a process to handle the situation. Ensure you secure data, can identify breaches quickly, and have a process in place to report qualifying breaches to the ICO within 72 hours of becoming aware of them (Article 33) and, where a breach is likely to result in a high risk to individuals, to notify those individuals without undue delay (Article 34). Keep a breach log even for incidents you decide not to report, with the reasoning recorded.

Is consent obtained granularly via opt-in?
Action needed: You must not bundle consent. Your users must opt in separately to each purpose for which you collect data, unless you rely on another lawful basis under Article 6 (for example contract, legal obligation, public task or legitimate interests). If you rely on legitimate interests, you must be able to document the balancing test that supports it. Pre-ticked boxes, silence or inactivity never count as consent, and consent must be as easy to withdraw as it was to give.

Does your cookie consent notice comply with the latest guidance?
Action needed: Regulators have updated their guidance on cookie consent (the ICO in its 2019 cookies guidance and the EDPB in its 2020 guidelines on consent). Cookie walls and implied consent (continuing to browse or scroll) are out; consent must be explicitly given before any non-essential cookie is set, and strictly necessary cookies are the only ones you may set without it. You should check that you’re still compliant even if you were compliant in 2018.

Can your users easily choose which cookies you may place on their devices?
Action needed: Your users must have the option to select which categories of cookies are placed on their devices. Rejecting cookies should be no harder than accepting them: a “reject all” control belongs on the same layer of the banner as “accept all”. Alternatively, consider anonymous server-side analytics instead of browser cookies, but note that PECR covers any information stored on or read from a user’s device, so server-side device fingerprinting is not a way around it; the measurement must genuinely not single out individuals.

Controls
A major part of complying with GDPR is ensuring you have the appropriate controls in
place to limit violations. The best control organisations have is to limit the data they
collect to what’s absolutely necessary for the business to function.

Audit criteria (mark each Pass / Partial pass / Fail) and action needed:

Have you appointed a Data Protection Officer (DPO), or someone to manage compliance and internal GDPR training?
Action needed: This individual will champion compliance within your organisation. They will be responsible for ensuring that Subject Access Requests are answered within the statutory one month and that privacy by design is implemented. A DPO is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category data (Article 37); otherwise the role can be held by a named compliance lead.

Does your Data Protection Officer manage the compliance of third parties?
Action needed: Any third party that processes personal data on your behalf (hosting, analytics, email delivery, support tooling) is a processor, and you remain responsible for that processing as the controller. Article 28 requires a written contract with each processor covering the subject matter, duration and purpose of the processing, the security measures, the use of sub-processors and breach notification. Keep a register of these processors, check their security assurances before onboarding them, and review them when they change sub-processors or where their data is hosted.

Do you know what legislation applies to your data at each point in its journey?
Action needed: You’ll need to know what regulations apply to any collected, transferred or hosted data. Building a data and compliance layer into your service design blueprint can help you map what legislation applies to the data at every step, including which transfer mechanism (an adequacy decision or standard contractual clauses, for example) covers any data leaving the UK or the EEA.

Have you assessed all data to ensure you only collect relevant data for which you have a legitimate use?
Action needed: Limiting data collection (the data minimisation principle) is crucial to achieving GDPR compliance. If you don’t need to use the data you collect, cease collecting it and delete what you already hold, to limit the exposure in case of a breach.

Have you ensured that you can access all legacy systems to remove data if required?
Action needed: Users have the right to ask you to delete the data you hold on them (the right to erasure), subject to limited exceptions such as a legal obligation to retain it. You must review all your dated systems to ensure you know where all data is kept, including backups, exports and log files, and who it’s shared with. That way, when users want to delete data, or amend it for accuracy, you can do so quickly and can pass the request on to any processor holding a copy.

Privacy
The final primary concern of GDPR is privacy. Arguably, it is the reason for the
regulation’s entire existence. You must protect the privacy of individuals by reviewing
your data practices.

Audit criteria (mark each Pass / Partial pass / Fail) and action needed:

Does your organisation feature privacy by design?
Action needed: Privacy by design and by default (Article 25) is a driving principle of GDPR. With it, you’ll integrate privacy best practice into your internal structures and how you store user data, so that the most privacy-protective settings apply unless the user chooses otherwise.

If relevant, can you anonymise or pseudonymise data to protect privacy?
Action needed: In some scenarios you can protect personal data by anonymising or pseudonymising it. For instance, if you have a legacy system, you can automate the pseudonymisation of user data by replacing direct identifiers with tokens and keeping the key that links them back in a separate, better-protected store. This way, if there is a data breach, the stolen records cannot be attributed to individuals without that key. Bear in mind that pseudonymised data is still personal data under GDPR (Article 4(5) and Recital 26) because you can reverse it; only data that cannot reasonably be re-identified by anyone counts as anonymous and falls outside the regulation.
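
The pseudonymisation item above only sketches the technique. The following Python is an added example, not Cyber-Duck’s code and not part of the original checklist. It assumes a small constructed user table, a secret key generated at runtime (in production it would come from a secrets store or HSM, separate from the database), and a constructed list of leaked email addresses to play the attacker. It shows why a keyed HMAC is used rather than a plain hash: both keep rows linkable for analytics, but an unkeyed SHA-256 of an email is trivially reversed by a dictionary attack, while the keyed token is not.

```python
"""Keyed pseudonymisation of a legacy user table (added example).

Direct identifiers (email, name) are replaced with HMAC-SHA256 tokens
derived from a key that lives outside the data store. The same input
always maps to the same token, so joins and analytics still work on the
pseudonymised copy, but without the key the tokens cannot be attributed
to a person. The naive_hash() function is included to show the failure
mode it replaces.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample of a legacy user table (not real data).
USERS = [
    {"id": 1, "email": "alice@example.com", "name": "Alice Adams", "plan": "pro"},
    {"id": 2, "email": "bob@example.com", "name": "Bob Brown", "plan": "free"},
    {"id": 3, "email": "Alice@Example.com", "name": "Alice Adams", "plan": "pro"},
]

DIRECT_IDENTIFIERS = ("email", "name")


def pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 of a normalised identifier, hex-encoded.

    Normalising (strip + lower) keeps 'Alice@Example.com' and
    'alice@example.com' linked; the secret key is what makes the token
    unguessable to anyone who only holds the table.
    """
    norm = value.strip().lower().encode("utf-8")
    return hmac.new(key, norm, hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes, fields=DIRECT_IDENTIFIERS):
    """Return a copy of records with each direct identifier replaced by its token."""
    out = []
    for rec in records:
        copy = dict(rec)
        for f in fields:
            if copy.get(f) is not None:
                copy[f] = pseudonym(copy[f], key)
        out.append(copy)
    return out


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256: what many 'anonymisation' scripts do, and why it fails."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()


def reidentify(token: str, candidates: Iterable[str], key: Optional[bytes] = None):
    """Dictionary attack: try every candidate identifier, return the one that matches.

    With key=None the attacker targets naive_hash(); with the key the
    controller (who legitimately holds it) reverses pseudonym(). An attacker
    holding only the breached table has no key, so the keyed token stays opaque.
    """
    for cand in candidates:
        guess = pseudonym(cand, key) if key is not None else naive_hash(cand)
        if hmac.compare_digest(guess, token):
            return cand
    return None


def demo():
    """Run the pseudonymisation and both re-identification attempts."""
    key = secrets.token_bytes(32)  # in production: secrets store / HSM, never the DB
    table = pseudonymise(USERS, key)

    # Linkability is preserved: rows 1 and 3 share an email and share a token.
    assert table[0]["email"] == table[2]["email"]
    assert table[0]["email"] != table[1]["email"]

    # Constructed attacker dictionary standing in for a leaked email list.
    leaked = ["carol@example.com", "bob@example.com", "alice@example.com"]
    naive_hit = reidentify(naive_hash("alice@example.com"), leaked)   # reversed
    keyed_miss = reidentify(table[0]["email"], leaked)                # no key: None
    keyed_hit = reidentify(table[0]["email"], leaked, key=key)        # controller with key
    return naive_hit, keyed_miss, keyed_hit


if __name__ == "__main__":
    print(demo())  # ('alice@example.com', None, 'alice@example.com')
```

Because the controller can reverse the tokens with the key, the output table is pseudonymised, not anonymised, and it remains personal data; the gain is that a breach of the table alone exposes nothing attributable. Indirect identifiers left in the clear (postcode, date of birth, rare plan names) can still single people out, so a real anonymisation exercise also generalises or suppresses those fields.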

Have you taken appropriate measures to protect sensitive data?
Action needed: Some data, like health records, ethnicity, religious beliefs, sexual orientation and biometric or genetic data, is classed as special category data (Article 9) and needs a specific condition for processing as well as extra protection; children’s data is not a special category but also carries extra obligations (Article 8 and the ICO’s Age Appropriate Design Code). You should review your current practices to ensure you have adequately protected it, for example with encryption at rest, access restricted to those who need it, and audit logging of who accessed it.

GDPR Compliance and Cyber-Duck
This is just a taster of what is needed to comply with the GDPR, but there’s much
more you need to do. As a data controller or data processor, if you’ve struggled to
meet the criteria above, or you’re eager to ensure all aspects of your organisation
meet the standards of the GDPR, we’re here to help.

Cyber-Duck is a provider of specialist data services with extensive expertise in all
things digital. We complement your legal team and help protect your customer
data. We can also help you attain ISO 27001, the information security management
standard. Together, we’ll help you to achieve the highest standards of data protection.

Contact our data experts to find out more
+44 (0) 208 953 0070
hello@cyber-duck.co.uk

Revision control
This document was first published in 2018.
This version (v.2.0) was released in June 2021 and contains the following updates:
- A note that this document can be used to assess PECR as well as GDPR compliance
- Additional guidance on cookie consent notices and cookie choice for users
- Additional guidance on third-party compliance
- Additional guidance on the legislation that applies when data is captured, processed and hosted
