GDPR Audit Checklist

This document provides a checklist for auditing data as required by the General Data Protection Regulation (GDPR). The checklist contains 9 questions about the data a business holds, how it was obtained and is used, who is responsible for it, how it is stored and secured, who controls it, and how long it is retained. The questions prompt considering details like what types of data, why it is needed, collection methods, storage locations, access controls, data controller vs processor roles, and deletion processes. The goal is to understand a business's full data practices and compliance with GDPR requirements.

Uploaded by Mònica Torras
GDPR DATA Audit Checklist

Data Audit Checklist

The original table has three columns: Question, Further points to consider in answering the question, and Answer. The Answer column is left blank for the business to complete; the questions and their further points are set out below.

1. What data does your business hold?
   Is the data:
   - Personal data;
   - Special category data (sensitive personal data);
   - Personal data belonging to under-13-year-olds?

2. Why does your business hold that data?
   Consider:
   - What does your business do with the data? (Refer also to question 6 on this point.)
   - Can you demonstrate how the data is used?

3. How did your business obtain that data?
   - Determine the methods used (including online and offline) to collect the data. (These may include online forms on your business website, third parties or telephone marketing.)
   - Did your business make its privacy policy available when it collected the data?

4. When did your business collect that data?
   - Can the date of collection of the data be identified?

5. In general, who within your business is responsible for the data identified at 1 above?
   Consider:
   - How is that person responsible for the data?
   - Do they manage the privacy policies and any data processing agreements that your business enters into?

6. What does your business do with the data?
   Consider:
   - How does your business process the data?
   - Does your business send the data to third parties for any reason?
   - Can your business readily identify the reasons why it needs the data?

7. How does your business store the data and is it kept secure?
   Consider:
   - Where the data is stored.
   - Whether the data is backed up and kept off-site or processed using a cloud-based application.
   - Does your business have an agreement in place with the storage facilities or providers used?
   - Do the storage facilities or providers have suitable data protection policies in place? (Have they carried out a data audit as part of their preparation as a data processor for the GDPR?)
   - Who has access to the data both inside and outside of your business?

8. Who controls the data (i.e. who decides the purposes for which and the way in which the data is processed)?
   - Consider whether your business is the data controller or the data processor. (A data controller determines the purposes for which and the way in which personal data is processed. A data processor is anyone who processes personal data on behalf of the data controller.)
   - If you are the data controller, do you instruct a data processor to process the data? If so, do you have a data processing agreement in place?
   - If you are the data processor, do you have a data processing agreement in place with your data controllers?

9. How long does your business keep the data and how does it delete the data when it is no longer needed?
   - Assess the periods of time that your business holds data for and consider whether there is a process in place for establishing if it is still necessary to keep data.
   - Practically, how is data deleted when it is no longer needed?