This article covers 8 points on what a GDPR audit should include:

  1. What a GDPR audit is and when you need one
  2. Record of processing activities
  3. Legal bases and legitimisation
  4. Information and transparency, processors and transfers
  5. Data subject rights, security and breaches
  6. DPIAs, training and who should run the audit
  7. Benefits and common mistakes
  8. How PrivaLex can help and next steps

If your organisation processes personal data in the EU as controller or processor, it is subject to the GDPR. Compliance is not just having a privacy policy: you must demonstrate that you protect data effectively. That is where knowing what a GDPR audit should include comes in: a systematic review that identifies risks, corrects failures and improves privacy management.

This guide sets out the elements a GDPR audit should include, when to run one, who can run it and how to use it to grow with confidence. At PrivaLex Partners we support startups and digital companies with compliance audits tailored to their business model.

What is a GDPR audit and when do you need one?

A GDPR audit is a structured assessment of your organisation’s level of compliance with GDPR obligations. It is not legally mandatory, but it is highly advisable when there are changes in your business model, international expansion, processing of sensitive or high-risk data, or when you want a periodic review (e.g. annual) to demonstrate proactive compliance.

Complying with the GDPR is not enough: you must be able to prove it. An audit is one of the best tools to do that and to prepare for clients, investors or authorities.

What a GDPR audit should include: record and legal bases

Record of processing activities

A GDPR audit should check that you have a complete and up-to-date record of all personal data processing. It should include the legal basis, purposes, retention periods and recipients of the data. Without this record, you cannot demonstrate compliance or make informed decisions about risk.

Legitimisation and legal bases

The audit should verify that you correctly apply consent, contract, legitimate interest or legal obligation to each processing operation and that you can demonstrate this with documentation. A wrong or undocumented legal basis invalidates the processing and exposes the organisation to sanctions.

Information, transparency, processors and transfers

Information and transparency

The audit should verify that your privacy policy is clear and accessible and that you provide adequate information in forms, emails and apps as required by the GDPR. Generic, incomplete or inaccurate policies are a risk.

Relations with processors

You must have adequate contracts with providers that process data on your behalf, with the necessary guarantees and all mandatory Article 28 GDPR clauses. If you use CRM, email marketing or analytics without reviewing contracts, the audit will flag it.

International transfers

If you transfer data outside the EEA, the audit should check that you use standard contractual clauses, BCRs or other valid safeguards post-Schrems II. Relying on the provider alone is not enough; you must document additional measures when the destination country does not offer an adequate level of protection.

Data subject rights, security and breaches

Handling data subject rights

A GDPR audit should review that you have procedures to handle requests for access, rectification, erasure, objection and portability, that you respond in time (generally one month) and that you keep records of these requests. Delays or lack of traceability are common compliance failures.

Security and technical and organisational measures (TOMs)

The audit should check whether you have assessed risks and have proportionate measures in place and documented: encryption, access controls, backups, etc. Measures must be reviewed periodically. An information security management system (ISMS) or a standard such as ISO 27001 certification can align security and privacy.

Security breaches

The audit should verify that you have a breach response procedure: when to notify the supervisory authority and data subjects (generally 72 hours from when you become aware) and whether you run drills or training. Improvising in a real incident increases regulatory and reputational risk.

DPIAs, training and who should run the audit

Risk assessments, DPIAs and impact reviews

The audit should check whether you assess impact before starting new high-risk processing (data protection impact assessments), use consistent methodologies and mitigate identified risks. DPIAs are mandatory in certain cases and show a preventive approach.

Training and awareness

The audit should verify whether you train your team on data protection and whether you can evidence the training provided and its frequency. Cybersecurity and privacy require aware staff; many breaches stem from human error. Best practices for implementing the GDPR include ongoing, documented training.

Who should run the audit?

The audit can be internal or external depending on resources and maturity. An external auditor or external DPO brings objectivity, up-to-date knowledge and credibility with clients or authorities. In growing companies it is common to use consultants or external DPO services so as not to overload the technical or legal team.

Benefits of a well-run GDPR audit

A well-run audit reduces the risk of sanctions and breaches, builds trust with clients, investors and partners, improves internal processes around data and aligns privacy with business strategy. Privacy is not a brake on business: a GDPR audit helps you grow with confidence.

Mistakes that can undermine a GDPR audit

Not keeping the record of processing activities up to date. Without a complete, traceable record, you cannot demonstrate compliance. It is one of the first documents auditors and authorities will ask for.

Engaging processors without an Article 28 contract. If your providers process data on your behalf without an adequate contract, liability and risk fall on you. The audit will pick this up.

Having no breach procedure. If you do not know when or how to notify the supervisory authority and data subjects, a real incident can turn into a sanction. Define roles, deadlines and templates in advance.

Documentation that does not match reality. Policies or procedures that nobody follows or that do not match what the team actually does create distrust and non-conformities. The audit will compare what is written with practice.

Not documenting training. The GDPR requires training and awareness. Without attendance records, content and frequency, you cannot evidence compliance.

How PrivaLex can help with a GDPR audit

At PrivaLex Partners we help startups and digital companies audit their compliance in a clear, fast way tailored to their business model. We do not sell software: we provide expertise, experience and direct support so you know what a GDPR audit should include in your case and how to close the gaps found.

Whether as a step before certification or as part of your ongoing accountability, we can help you strengthen your position with clients, partners and authorities. With experience in EU regulatory compliance and privacy and security projects, we guide you from diagnosis to improvement plan.

Schedule a strategic session with PrivaLex and find out how to prepare a GDPR audit that demonstrates your compliance.
Frequently Asked Questions (FAQs)

What should a GDPR audit include in full?

A full GDPR audit should include: an up-to-date record of processing activities; review of legal bases and legitimisation; information and transparency; processor contracts (Art. 28); international transfers and safeguards; data subject rights procedures; technical and organisational security measures; security breach procedure; DPIAs where applicable; and documented training and awareness.

Is a GDPR audit mandatory?

No. The GDPR does not legally require an internal or external audit. It is still highly recommended to demonstrate proactive compliance, before due diligence, on international expansion or when processing sensitive or high-risk data.

How often should you run a GDPR audit?

There is no fixed interval. A periodic review (e.g. annual) is advisable, and whenever there are material changes: new product, new data, new countries or after an incident. Frequency depends on risk and organisation size.

Who can run a GDPR audit?

It can be run by an internal team (with sufficient independence) or by an external consultant or DPO. An external auditor brings objectivity and credibility with clients and authorities; in startups and scale-ups it is common to outsource this function.

What if the GDPR audit finds non-compliance?

The aim is to identify gaps and fix them before an authority or client finds them. An audit report with priorities and deadlines lets you build an action plan and demonstrate continuous improvement in inspections or due diligence.

What should a GDPR audit include for startups?

The same as for any controller or processor: record, legal bases, transparency, processors, transfers, rights, security, breaches, DPIAs and training. Scope and depth can be adapted to size and risk; what matters is that it is consistent and documented.

Next step

Knowing what a GDPR audit should include is the first step; the next is choosing the right time and team to run it. Schedule a strategic session with PrivaLex and turn compliance into a competitive advantage.