GDPR Compliance Audit — How to Conduct a Comprehensive Data Protection Audit
A GDPR compliance audit is a systematic review of personal data processing activities within an organisation, designed to assess whether the company meets the requirements of the data protection regulation. It is not a one-off exercise from 2018 — it is a process that should be repeated regularly, as business processes, technologies, and the legal environment are constantly evolving.
Analysis of UODO decisions clearly shows that organisations conducting regular audits face significantly lower risk of fines — and if a breach does occur, a documented management system is a mitigating factor. Conversely, the absence of audits, outdated documentation, and superficially implemented procedures is the pattern UODO most frequently encounters in organisations receiving the highest fines.
This article explains how to conduct a GDPR audit step by step — from process inventory, through gap analysis, to a report with recommendations.
When to Conduct a GDPR Audit
A GDPR audit is advisable in the following situations:
Initial audit — the organisation has never conducted a comprehensive compliance audit. Even if GDPR was implemented in 2018, processes may have changed significantly over the years.
Periodic audit — best practice is to conduct an audit at least once a year. The frequency may be higher in organisations processing special category data or data on a large scale.
Post-incident audit — after a data breach, to identify the root cause and prevent recurrence.
Pre-implementation audit — before launching a new IT system, service, or processing activity — to ensure compliance from the outset (privacy by design).
Pre-inspection audit — if the organisation anticipates a UODO inspection (e.g., due to complaints, incidents, or being in a sector covered by UODO’s inspection plan).
Regulatory change audit — following the entry into force of new legislation (e.g., AI Act, NIS2) or significant changes in GDPR interpretation (new EDPB guidelines, CJEU rulings).
Who Should Conduct the Audit?
A GDPR audit may be conducted internally (by the DPO or compliance team) or externally (by a law firm, consultancy, or independent auditor). Each approach has its advantages:
Internal audit — the DPO or compliance team knows the organisation from the inside and has easy access to information and processes. The downside is the risk of lack of objectivity (auditing one’s own procedures) and potential gaps in specialist knowledge in certain areas.
External audit — ensures independence, objectivity, and often a broader perspective (the auditor sees practices across many organisations). It is particularly valuable as a “second pair of eyes” — verifying what the DPO considers compliant. The downside is cost and the need to familiarise the auditor with the organisation.
Optimal approach — a combination: regular internal audits (e.g., quarterly reviews of specific areas) supplemented by an annual comprehensive external audit.
Scope of a GDPR Audit — What Do We Check?
A comprehensive GDPR audit should cover the following areas:
1. Processing Activity Inventory
The starting point of every audit — identifying all processes in which the organisation processes personal data. The auditor verifies: whether a Record of Processing Activities (ROPA) exists and is current, whether all processes are captured, and whether there are any “shadow” processing activities the organisation is unaware of (e.g., Excel spreadsheets with customer data on employee desktops, unofficial contact databases).
2. Legal Bases for Processing
For each process identified in the ROPA, the auditor checks: whether a specific legal basis under Article 6 GDPR is identified (and Article 9 for special category data), whether the legal basis is correctly selected (a common error: relying on consent where the proper basis is contract performance or legal obligation), whether consents meet GDPR requirements (freely given, specific, informed, unambiguous), and whether legitimate interest is documented with a balancing test (LIA).
3. Information Obligation
The auditor reviews privacy notices: whether separate notices exist for all groups of data subjects (customers, employees, candidates, contractors, website users), whether they contain all elements required by Articles 13/14 GDPR, whether they are written in plain language, whether they are delivered at the right time (at data collection), and whether a layered approach is used (particularly online).
4. Data Subject Rights
The auditor checks: whether the organisation has a procedure for handling data subject requests (access, erasure, rectification, portability, objection), whether it can fulfil a request within one month (extendable by up to two further months for complex or numerous requests, provided the data subject is informed of the extension and its reasons within the first month), whether employees know how to recognise a request and whom to refer it to, and whether documentation of handled requests is maintained.
5. Data Processing Agreements
The auditor verifies: whether a DPA has been concluded with every processor, whether agreements contain all required elements from Article 28 GDPR, whether sub-processors are regulated, whether the organisation conducts processor due diligence, and whether agreements are current (not drafted in 2018 and never updated).
6. Data Security (Article 32 GDPR)
The auditor assesses technical and organisational measures: encryption (at rest and in transit), access control (least privilege principle, MFA), password management, backups (frequency, recoverability testing), mobile device security (laptops, phones), network protection (firewall, IDS/IPS, monitoring), vulnerability and patch management, physical security (premises access, CCTV), and data destruction (paper and electronic).
7. Breach Procedure
The auditor checks: whether the organisation has an implemented breach response procedure, whether employees know how to report a suspected breach, whether the procedure accounts for the 72-hour UODO notification deadline (counted from the moment the controller becomes aware of the breach), whether a breach register exists (including breaches not reported to UODO), and whether the procedure includes a risk assessment for individuals and a decision on notification.
8. DPIA
The auditor verifies: whether DPIAs have been conducted where required, whether DPIAs are current (regularly reviewed), whether the DPO was consulted, and whether identified risks have assigned mitigation measures.
9. DPO
The auditor checks: whether the organisation correctly assessed whether DPO appointment is mandatory, whether the DPO has guaranteed independence (no instructions, no conflict of interest), whether the DPO has access to senior management, adequate resources, and time, whether the DPO is registered with UODO, and whether the DPO’s contact details are published and accessible.
10. International Data Transfers
The auditor verifies: whether the organisation has identified all data transfers outside the EEA, whether an appropriate transfer mechanism is in place (adequacy decision, SCCs, BCRs), whether a Transfer Impact Assessment (TIA) has been conducted, and whether privacy notices inform about transfers.
11. Data Retention
The auditor checks: whether a retention period is defined for each process, whether data is actually deleted after the retention period expires (not just in the ROPA, but in IT systems), and whether a data review and deletion procedure exists.
12. Training
The auditor verifies: whether employees have received data protection training, when the last training took place, whether training is documented, and whether it includes practical scenarios (not just GDPR theory).
13. Website
The auditor checks: the privacy policy, the cookie banner and consent mechanism (including whether analytics and marketing scripts actually wait for consent rather than merely being listed in the banner), privacy notices on forms, transport security (HTTPS with current TLS versions; obsolete SSL/early TLS disabled, no mixed content), and terms and conditions (if applicable).
Stages of a GDPR Audit
Stage 1: Planning (1–2 days)
Defining the audit scope (full vs. selected area), preparing the audit questionnaire, identifying interviewees (DPO, IT, HR, marketing, management, administration), and setting the schedule.
Stage 2: Information Gathering (3–10 days)
Reviewing documentation (ROPA, policies, procedures, agreements, notices), conducting interviews with key staff, reviewing IT systems and security measures, analysing the website, and reviewing incidents and data subject requests.
Stage 3: Gap Analysis (2–5 days)
Comparing the actual state with GDPR requirements, identifying non-conformities and gaps, assessing the risk of each gap (low, medium, high, critical), and prioritising recommendations.
Stage 4: Audit Report (2–3 days)
Preparing a report containing: a summary of the audit scope and methodology, a description of identified non-conformities with references to GDPR articles, a risk assessment for each gap, specific remedial recommendations with priorities and deadlines, and an overall assessment of the organisation’s compliance level.
Stage 5: Remedial Actions (ongoing)
Implementing recommendations according to priorities, monitoring progress, and re-verification after implementation (follow-up).
Most Common Gaps Found During Audits
Based on audit practice, the most frequently identified gaps are:
Outdated ROPA — the record does not reflect actual processes. Most commonly: processes added after 2018 (new systems, services, tools) are missing.
No retention periods — the organisation does not know how long it retains data and has no deletion procedure.
Incomplete privacy notices — missing information about the retention period, DPO, data subject rights, or transfers.
Missing DPAs with some processors — particularly with smaller, local providers.
No data subject request procedure — the organisation does not know how to respond to an access request.
Insufficient training — employees do not know what a data breach is or how to report one.
Missing DPIAs — the organisation deployed monitoring, profiling, or AI without conducting an impact assessment.
Cookies without consent — the cookie banner appears, but analytics scripts load before consent is given.
No TIA for US transfers — the organisation uses US-based providers without conducting a Transfer Impact Assessment.
Token GDPR implementation — documentation exists, but no one knows it, follows it, or updates it.
Audit vs UODO Inspection — The Difference
It is important to distinguish between an internal/external audit and a UODO inspection:
Audit — conducted voluntarily, at the organisation’s initiative. The goal is to identify gaps and fix them. Results are confidential — they do not go to UODO.
UODO inspection — conducted at the supervisory authority’s initiative (planned or triggered by a complaint/incident). The goal is to verify compliance and potentially impose sanctions. Results may lead to fines.
A regular audit is the best protection against the negative consequences of a UODO inspection — it allows you to identify and fix gaps before the supervisory authority does.
How Much Does a GDPR Audit Cost?
The cost of an audit depends on the size of the organisation, the scope of processing, and the number of processes and systems. Approximate ranges:
Micro-business (1–9 employees) — a targeted audit focused on key areas: a few thousand PLN.
Small company (10–50 employees) — a comprehensive audit: several to a dozen thousand PLN.
Medium company (50–250 employees) — a full audit with IT systems review: tens of thousands PLN.
Large organisation (250+ employees) — a multi-stage audit, often involving a specialist team: several tens of thousands PLN and up.
For comparison — the lowest UODO fine was approximately PLN 900, but the highest reached PLN 27 million. The cost of an audit is always a fraction of the potential fine.
Checklist — GDPR Audit
- Verify that the ROPA is current — does it reflect all processing activities?
- Check legal bases — does each process have a correctly selected basis?
- Review privacy notices — are they complete and current?
- Test the data subject request procedure — does it work in practice?
- Verify DPAs — do you have one with every processor?
- Assess security measures — encryption, access control, backups.
- Check the breach procedure — do employees know how to respond?
- Verify DPIAs — have they been conducted where required?
- Check the DPO’s position — independence, resources, access to management.
- Identify transfers outside the EEA — do you have a TIA and SCCs?
- Check data retention — is data actually being deleted?
- Verify training — when was the last session, is it documented?
- Check the website — cookies, privacy policy, forms.
- Prepare a report with recommendations — priorities and deadlines.
- Schedule follow-up — verification after implementing recommendations.
Need a GDPR Audit?
A GDPR compliance audit is an investment that pays for itself — it detects gaps before UODO does, protects against fines, and builds trust with clients and business partners. At the Law Office of Dr Joanna Maniszewska-Ejsmont, we conduct comprehensive GDPR audits tailored to the size and specifics of the organisation — from micro-businesses to medium-sized enterprises. We combine legal expertise with practical experience, delivering concrete recommendations with priorities and implementation deadlines.

Contact us — we will assess your organisation’s compliance level and identify what needs improvement.
