GDPR and Audit Requirements

Understanding GDPR and the requirements for an audit


The General Data Protection Regulation (GDPR) is a principles-based regulation, so the way it is applied varies from company to company. We look at the requirements as two parts;

  1. The technical and organisational measures that secures the data (security); and
  2. The privacy principles that protect the EU citizens rights (privacy).

GDPR audits are typically combined with SOC 2 audits that include the Security criteria so both requirements are covered. 

Understanding what the GDPR principles mean and how to demonstrate compliance with them can be confusion. Your audit with AssuranceLab focuses on GDPR Article 5. This guide is here to explain how to approach your audit and what evidence you should consider.

Concepts and Terms to Know

When does GDPR apply?

  • The entity processes personal data and is based in the EU, regardless of where the actual data processing takes place.
  • The entity was established outside the EU but processes personal data in relation to the offering of goods or services to individuals in the EU, or monitors the behaviour of individuals within the EU.

The data controller, data processor and data subject

A data controller is an organisation that (alone or jointly with others) determines the purposes for and the means by which personal data is processed. A data drocessor is an organisation that processes data on behalf of a data controller. The data subject is the individual about whom personal data is collected and processed.

What's considered personal data?

Personal data is any information about an identified or identifiable person (the data subject). This can include:

  • name
  • address
  • ID card/passport number
  • cultural profile
  • Internet Protocol (IP) address
  • data held by a hospital or doctor (which uniquely identifies a person for health purposes)

Privacy policy and privacy notice

You may find these terms used interchangeably - which is generally acceptable as long as the relevant information has been clearly documented, regardless of what you call the document.

Typically, a privacy policy is an internal document that outlines for your your employees how to protect customer data. A privacy notice is normally an external document that informs data subjects how their data is collected or used and their privacy rights.

Topics to consider for your privacy documents

  • purpose, extent and use of personal data
  • methods and limitation of collection and processing data
  • requirements for maintaining data accuracy and for data storage requirements for consent
  • the choices available to data subjects and their rights in relation to their personal data
  • disclosure on the use of third parties or sub-processors of the personal
  • data security practices applied to the personal data collected and processed
  • responsibilities for monitoring and enforcement of privacy requirements
  • processes or procedures for personal data related requests from data subjects or Data Controllers

Privacy requests

These are typically requests from (or on behalf of) the data subject to access, correct or update, delete, halt processing activities, opt-out, or transfer data. Details of these requests should be thoroughly documented, including: the requestor, how authentication of the requestor was done, date of the request, conclusion/action as a result of the request (e.g. request denied, personal data disposed of, or personal data updated), employee handling the request, etc.



Links for Reference

Understanding SOC 2 Privacy Requirements

(External Link) What is GDPR?

(External Link) Art. 5 GDPR Principles relating to processing of personal data